-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-PAM.xml          | 134
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-Passdb.xml       |   2
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-Problems.xml     |  66
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml  | 135
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-SecureLDAP.xml   |   2
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-Speed.xml        |   2
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-Unicode.xml      |  94
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-Winbind.xml      |  26
-rw-r--r--  docs/Samba3-HOWTO/TOSHARG-glossary.xml     |   2
-rw-r--r--  docs/Samba3-HOWTO/index.xml                |   2
10 files changed, 359 insertions, 106 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-PAM.xml b/docs/Samba3-HOWTO/TOSHARG-PAM.xml index dc405cd1a9..024a2f3ef8 100644 --- a/docs/Samba3-HOWTO/TOSHARG-PAM.xml +++ b/docs/Samba3-HOWTO/TOSHARG-PAM.xml @@ -15,6 +15,10 @@ <title>PAM-Based Distributed Authentication</title> <para> +<indexterm><primary>PAM-enabled</primary></indexterm> +<indexterm><primary>Winbind</primary></indexterm> +<indexterm><primary>ADS</primary></indexterm> +<indexterm><primary>Winbind-based authentication</primary></indexterm> This chapter should help you to deploy Winbind-based authentication on any PAM-enabled UNIX/Linux system. Winbind can be used to enable user-level application access authentication from any MS Windows NT domain, MS Windows 200x Active Directory-based @@ -23,6 +27,8 @@ controls that are appropriate to your Samba configuration. </para> <para> +<indexterm><primary>PAM management</primary></indexterm> +<indexterm><primary>pam_smbpass.so</primary></indexterm> In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management possibilities and in particular how to deploy tools like <filename>pam_smbpass.so</filename> to your advantage. </para> 
@@ -36,6 +42,14 @@ Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>, <title>Features and Benefits</title> <para> +<indexterm><primary>Sun Solaris</primary></indexterm> +<indexterm><primary>xxxxBSD</primary></indexterm> +<indexterm><primary>Linux</primary></indexterm> +<indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm> +<indexterm><primary>/etc/passwd</primary></indexterm> +<indexterm><primary>login</primary></indexterm> +<indexterm><primary>passwd</primary></indexterm> +<indexterm><primary>chown</primary></indexterm> A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication, authorization, and resource control services. Prior to the introduction of PAM, a decision @@ -46,6 +60,10 @@ Such a choice would involve provision of alternatives to programs such as <comma </para> <para> +<indexterm><primary>PAM</primary></indexterm> +<indexterm><primary>/etc/pam.conf</primary></indexterm> +<indexterm><primary>Solaris</primary></indexterm> +<indexterm><primary>/etc/pam.d</primary></indexterm> PAM provides a mechanism that disconnects these security programs from the underlying authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file, <filename>/etc/pam.conf</filename> (Solaris), or by editing individual control files that are @@ -53,6 +71,8 @@ located in <filename>/etc/pam.d</filename>. </para> <para> +<indexterm><primary>PAM-enabled</primary></indexterm> +<indexterm><primary>dynamically loadable library modules</primary></indexterm> On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any authentication backend so long as the appropriate dynamically loadable library modules are available for it. The backend may be local to the system or may be centralized on a 
@@ -66,14 +86,25 @@ PAM support modules are available for: <variablelist> <varlistentry><term><filename>/etc/passwd</filename></term><listitem> <para> - There are several PAM modules that interact with this standard UNIX user - database. The most common are called <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename> - and <filename>pam_userdb.so</filename>. +<indexterm><primary>/etc/passwd</primary></indexterm> +<indexterm><primary>PAM modules</primary></indexterm> +<indexterm><primary>pam_unix.so</primary></indexterm> +<indexterm><primary>pam_unix2.so</primary></indexterm> +<indexterm><primary>pam_pwdb.so</primary></indexterm> +<indexterm><primary>pam_userdb.so</primary></indexterm> + There are several PAM modules that interact with this standard UNIX user database. The most common are called + <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename> and + <filename>pam_userdb.so</filename>. </para> </listitem></varlistentry> <varlistentry><term>Kerberos</term><listitem> <para> +<indexterm><primary>pam_krb5.so</primary></indexterm> +<indexterm><primary>Kerberos</primary></indexterm> +<indexterm><primary>Heimdal</primary></indexterm> +<indexterm><primary>MIT Kerberos</primary></indexterm> +<indexterm><primary>ADS</primary></indexterm> The <filename>pam_krb5.so</filename> module allows the use of any Kerberos-compliant server. This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially Microsoft Active Directory (if enabled). 
@@ -82,6 +113,12 @@ PAM support modules are available for: <varlistentry><term>LDAP</term><listitem> <para> +<indexterm><primary>LDAP</primary></indexterm> +<indexterm><primary>pam_ldap.so</primary></indexterm> +<indexterm><primary>OpenLDAP</primary></indexterm> +<indexterm><primary>Sun ONE iDentity server</primary></indexterm> +<indexterm><primary>Novell eDirectory server</primary></indexterm> +<indexterm><primary>Microsoft Active Directory</primary></indexterm> The <filename>pam_ldap.so</filename> module allows the use of any LDAP v2- or v3-compatible backend server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1, Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory. @@ -90,6 +127,10 @@ PAM support modules are available for: <varlistentry><term>NetWare Bindery</term><listitem> <para> +<indexterm><primary>NetWare Bindery</primary></indexterm> +<indexterm><primary>pam_ncp_auth.so</primary></indexterm> +<indexterm><primary>bindery-enabled</primary></indexterm> +<indexterm><primary>NetWare Core Protocol-based server</primary></indexterm> The <filename>pam_ncp_auth.so</filename> module allows authentication off any bindery-enabled NetWare Core Protocol-based server. </para> @@ -97,6 +138,9 @@ PAM support modules are available for: <varlistentry><term>SMB Password</term><listitem> <para> +<indexterm><primary>SMB Password</primary></indexterm> +<indexterm><primary>pam_smbpass.so</primary></indexterm> +<indexterm><primary>passdb backend</primary></indexterm> This module, called <filename>pam_smbpass.so</filename>, allows user authentication of the passdb backend that is configured in the Samba &smb.conf; file. </para> 
@@ -104,6 +148,8 @@ PAM support modules are available for: <varlistentry><term>SMB Server</term><listitem> <para> +<indexterm><primary>SMB Server</primary></indexterm> +<indexterm><primary>pam_smb_auth.so</primary></indexterm> The <filename>pam_smb_auth.so</filename> module is the original MS Windows networking authentication tool. This module has been somewhat outdated by the Winbind module. </para> @@ -111,6 +157,10 @@ PAM support modules are available for: <varlistentry><term>Winbind</term><listitem> <para> +<indexterm><primary>Winbind</primary></indexterm> +<indexterm><primary>pam_winbind.so</primary></indexterm> +<indexterm><primary>domain controller</primary></indexterm> +<indexterm><primary>authentication</primary></indexterm> The <filename>pam_winbind.so</filename> module allows Samba to obtain authentication from any MS Windows domain controller. It can just as easily be used to authenticate users for access to any PAM-enabled application. @@ -119,6 +169,7 @@ PAM support modules are available for: <varlistentry><term>RADIUS</term><listitem> <para> +<indexterm><primary>Remote Access Dial-In User Service</primary><see>RADIUS</see></indexterm> There is a PAM RADIUS (Remote Access Dial-In User Service) authentication module. In most cases, administrators need to locate the source code for this tool and compile and install it themselves. RADIUS protocols are 
@@ -128,10 +179,17 @@ PAM support modules are available for: </variablelist> <para> -Of the modules listed, Samba provides the <filename>pam_smbpasswd.so</filename> and the <filename>pam_winbind.so</filename> modules alone. +<indexterm><primary>pam_smbpasswd.so</primary></indexterm> +<indexterm><primary>pam_winbind.so</primary></indexterm> +Of the modules listed, Samba provides the <filename>pam_smbpasswd.so</filename> and the +<filename>pam_winbind.so</filename> modules alone. </para> <para> +<indexterm><primary>wide-area network bandwidth</primary></indexterm> +<indexterm><primary>efficient authentication</primary></indexterm> +<indexterm><primary>PAM-capable</primary></indexterm> +<indexterm><primary>centrally managed</primary></indexterm> Once configured, these permit a remarkable level of flexibility in the location and use of distributed Samba domain controllers that can provide wide-area network bandwidth, efficient authentication services for PAM-capable systems. In effect, this allows the @@ -145,6 +203,10 @@ single-user account database. <title>Technical Discussion</title> <para> +<indexterm><primary>PAM</primary></indexterm> +<indexterm><primary>privilege-granting applications</primary></indexterm> +<indexterm><primary>/etc/pam.conf</primary></indexterm> +<indexterm><primary>/etc/pam.d/</primary></indexterm> PAM is designed to provide system administrators with a great deal of flexibility in configuration of the privilege-granting applications of their system. The local configuration of system security controlled by PAM is contained in one of two places: 
@@ -156,11 +218,12 @@ either the single system file <filename>/etc/pam.conf</filename> or the <title>PAM Configuration Syntax</title> <para> +<indexterm><primary>PAM-specific tokens</primary></indexterm> +<indexterm><primary>case sensitivity</primary></indexterm> In this section we discuss the correct syntax of and generic options respected by entries to these files. PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case -sensitive, since they indicate a file's name and reflect the case -dependence of typical file systems. -The case sensitivity of the arguments to any given module is defined for each module in turn. +sensitive, since they indicate a file's name and reflect the case dependence of typical file systems. The +case sensitivity of the arguments to any given module is defined for each module in turn. </para> <para> @@ -170,13 +233,12 @@ module specification lines may be extended with a <quote>\</quote>-escaped newli </para> <para> +<indexterm><primary>PAM authentication module</primary></indexterm> +<indexterm><primary>/lib/security</primary></indexterm> If the PAM authentication module (loadable link library file) is located in the default location, then it is not necessary to specify the path. In the case of Linux, the default location is <filename>/lib/security</filename>. If the module is located outside the default, then the path must be specified as: -</para> - -<para> <programlisting> auth required /other_path/pam_strange_module.so </programlisting> @@ -192,10 +254,8 @@ project. For more information on PAM, see </para> <para> +<indexterm><primary>/etc/pam.conf</primary></indexterm> A general configuration line of the <filename>/etc/pam.conf</filename> file has the following form: -</para> - -<para> <programlisting> service-name module-type control-flag module-path args </programlisting> 
@@ -210,6 +270,9 @@ Once we have explained the meaning of the tokens, we describe this method. <variablelist> <varlistentry><term>service-name</term><listitem> <para> +<indexterm><primary>ftpd</primary></indexterm> +<indexterm><primary>rlogind</primary></indexterm> +<indexterm><primary>su</primary></indexterm> The name of the service associated with this entry. Frequently, the service-name is the conventional name of the given application &smbmdash; for example, <command>ftpd</command>, <command>rlogind</command> and <command>su</command>, and so on. @@ -231,6 +294,8 @@ Once we have explained the meaning of the tokens, we describe this method. <itemizedlist> <listitem><para> +<indexterm><primary>auth</primary></indexterm> +<indexterm><primary>/etc/groups</primary></indexterm> <parameter>auth:</parameter> This module type provides two aspects of authenticating the user. It establishes that the user is who he or she claims to be by instructing the application to prompt the user for a password or other means of identification. Second, the module can @@ -239,6 +304,8 @@ Once we have explained the meaning of the tokens, we describe this method. </para></listitem> <listitem><para> +<indexterm><primary>account</primary></indexterm> +<indexterm><primary>non-authentication-based account management</primary></indexterm> <parameter>account:</parameter> This module performs non-authentication-based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users), or perhaps the location of the user 
@@ -246,6 +313,7 @@ Once we have explained the meaning of the tokens, we describe this method. </para></listitem> <listitem><para> +<indexterm><primary>session</primary></indexterm> <parameter>session:</parameter> Primarily, this module is associated with doing things that need to be done for the user before and after he or she can be given service. Such things include logging information concerning the opening and closing of some data exchange with a user, mounting @@ -253,6 +321,7 @@ Once we have explained the meaning of the tokens, we describe this method. </para></listitem> <listitem><para> +<indexterm><primary>password</primary></indexterm> <parameter>password:</parameter> This last module type is required for updating the authentication token associated with the user. Typically, there is one module for each <quote>challenge/response</quote>-based authentication <parameter>(auth)</parameter> module type. @@ -262,7 +331,7 @@ Once we have explained the meaning of the tokens, we describe this method. </varlistentry> <varlistentry><term>control-flag</term><listitem> - <para> + <para> The control-flag is used to indicate how the PAM library will react to the success or failure of the module it is associated with. Since modules can be stacked (modules of the same type execute in series, one after another), the control-flags determine the relative importance of each module. The application 
@@ -274,6 +343,10 @@ Once we have explained the meaning of the tokens, we describe this method. </para> <para> +<indexterm><primary>required</primary></indexterm> +<indexterm><primary>requisite</primary></indexterm> +<indexterm><primary>sufficient</primary></indexterm> +<indexterm><primary>optional</primary></indexterm> The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the severity of concern associated with the success or failure of a specific module. There are four such keywords: <parameter>required</parameter>, <parameter>requisite</parameter>, @@ -301,16 +374,16 @@ Once we have explained the meaning of the tokens, we describe this method. password in a hostile environment. </para></listitem> - <listitem><para> - <parameter>sufficient:</parameter> The success of this module is deemed <parameter>sufficient</parameter> to satisfy + <listitem><para> + <parameter>sufficient:</parameter> The success of this module is deemed <parameter>sufficient</parameter> to satisfy the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no previous required module has failed, no more <quote>stacked</quote> modules of this type are invoked. (In this case, subsequent required modules are not invoked). A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded. </para></listitem> - <listitem><para> - <parameter>optional:</parameter> As its name suggests, this control-flag marks the module as not + <listitem><para> + <parameter>optional:</parameter> As its name suggests, this control-flag marks the module as not being critical to the success or failure of the user's application for service. In general, Linux-PAM ignores such a module when determining if the module stack will succeed or fail. However, in the absence of any definite successes or failures of previous or subsequent stacked 
@@ -363,38 +436,39 @@ Once we have explained the meaning of the tokens, we describe this method. </para></listitem> <listitem><para> - <parameter>bad:</parameter> This action indicates that the return code should be thought of as indicative + <parameter>bad:</parameter> This action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack. </para></listitem> - <listitem><para> - <parameter>die:</parameter> Equivalent to bad with the side effect of terminating the module stack and + <listitem><para> + <parameter>die:</parameter> Equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application. </para></listitem> - <listitem><para> - <parameter>ok:</parameter> This tells PAM that the administrator thinks this return code should + <listitem><para> + <parameter>ok:</parameter> This tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules. In other words, if the former state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override this value. Note, if the former state of the stack holds some value that is indicative of a module's failure, this <parameter>ok</parameter> value will not be used to override that value. </para></listitem> - <listitem><para> - <parameter>done:</parameter> Equivalent to <parameter>ok</parameter> with the side effect of terminating the module stack and + <listitem><para> + <parameter>done:</parameter> Equivalent to <parameter>ok</parameter> with the side effect of terminating the module stack and PAM immediately returning to the application. 
</para></listitem> - <listitem><para> - <parameter>reset:</parameter> Clears all memory of the state of the module stack and starts again with + <listitem><para> + <parameter>reset:</parameter> Clears all memory of the state of the module stack and starts again with the next stacked module. </para></listitem> </itemizedlist> <para> - Each of the four keywords, <parameter>required</parameter>; <parameter>requisite</parameter>; <parameter>sufficient</parameter>; and <parameter>optional</parameter>, - have an equivalent expression in terms of the [...] syntax. They are as follows: + Each of the four keywords, <parameter>required</parameter>; <parameter>requisite</parameter>; + <parameter>sufficient</parameter>; and <parameter>optional</parameter>, have an equivalent expression in terms + of the [...] syntax. They are as follows: </para> <para> @@ -408,7 +482,7 @@ Once we have explained the meaning of the tokens, we describe this method. </para></listitem> <listitem><para> - <parameter>sufficient</parameter> is equivalent to <parameter>[success=done new_authtok_reqd=done<?latex \linebreak ?> default=ignore]</parameter>. + <parameter>sufficient</parameter> is equivalent to <parameter>[success=done new_authtok_reqd=done default=ignore]</parameter>. </para></listitem> <listitem><para> diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index 1065d55421..66cba2a9c0 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml @@ -2238,7 +2238,7 @@ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 <para> For example, you can set `identifier:fullname column' to - something like <?latex \linebreak ?><command>CONCAT(Firstname,' ',Surname)</command> + something like <command>CONCAT(Firstname,' ',Surname)</command> </para> <para> diff --git a/docs/Samba3-HOWTO/TOSHARG-Problems.xml b/docs/Samba3-HOWTO/TOSHARG-Problems.xml index 6b5e232af0..8f1d3c1849 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Problems.xml 
+++ b/docs/Samba3-HOWTO/TOSHARG-Problems.xml @@ -13,15 +13,23 @@ <title>Analyzing and Solving Samba Problems</title> <para> -There are many sources of information available in the form -of mailing lists, RFCs, and documentation. The documentation that comes -with the Samba distribution contains good explanations of -general SMB topics such as browsing.</para> +<indexterm><primary>RFCs</primary></indexterm> +<indexterm><primary>SMB</primary></indexterm> +<indexterm><primary>documentation</primary></indexterm> +There are many sources of information available in the form of mailing lists, RFCs, and documentation. The +documentation that comes with the Samba distribution contains good explanations of general SMB topics such as +browsing. +</para> <sect1> <title>Diagnostics Tools</title> <para> +<indexterm><primary>sniffer</primary></indexterm> +<indexterm><primary>LAN</primary></indexterm> +<indexterm><primary>analyzes data</primary></indexterm> +<indexterm><primary>SMB networking</primary></indexterm> +<indexterm><primary>network analyzer</primary></indexterm> With SMB networking, it is often not immediately clear what the cause is of a certain problem. Samba itself provides rather useful information, but in some cases you might have to fall back to using a <emphasis>sniffer</emphasis>. A sniffer is a program that listens on your LAN, analyzes the data sent on it, 
@@ -32,15 +40,29 @@ and displays it on the screen. <title>Debugging with Samba Itself</title> <para> +<indexterm><primary>diagnostic tools</primary></indexterm> +<indexterm><primary>debugging problems</primary></indexterm> +<indexterm><primary>smbd</primary></indexterm> +<indexterm><primary>nmbd</primary></indexterm> +<indexterm><primary>debugging passwords</primary></indexterm> +<indexterm><primary>debug level</primary></indexterm> +<indexterm><primary>log level</primary></indexterm> One of the best diagnostic tools for debugging problems is Samba itself. You can use the <option>-d option</option> for both &smbd; and &nmbd; to specify the <smbconfoption name="debug level"/> at which to run. See the man pages for <command>smbd, nmbd</command>, and &smb.conf; for more information regarding debugging -options. The debug level can range from 1 (the default) to 10 (100 for debugging passwords). +options. The debug level (log level) can range from 1 (the default) to 10 (100 for debugging passwords). </para> <para> +<indexterm><primary>debugging</primary></indexterm> +<indexterm><primary>gcc</primary></indexterm> +<indexterm><primary>gdb</primary></indexterm> +<indexterm><primary>smbd</primary></indexterm> +<indexterm><primary>nmbd</primary></indexterm> +<indexterm><primary>LsaEnumTrustedDomains</primary></indexterm> +<indexterm><primary>attach gdb</primary></indexterm> Another helpful method of debugging is to compile Samba using the <command>gcc -g </command> flag. This will -include debug information in the binaries and allow you to attach gdb to the running +include debug information in the binaries and allow you to attach <command>gdb</command> to the running <command>smbd/nmbd</command> process. To attach <command>gdb</command> to an <command>smbd</command> process for an NT workstation, first get the workstation to make the connection. 
Pressing ctrl-alt-delete and going down to the domain box is sufficient (at least, the first time you join the domain) to generate a @@ -52,12 +74,13 @@ between pressing <command>ctrl-alt-delete</command> and actually typing in your <para> Some useful Samba commands worth investigating are: -</para> - +<indexterm><primary>testparm</primary></indexterm> +<indexterm><primary>smbclient</primary></indexterm> <screen> &prompt;<userinput>testparm | more</userinput> &prompt;<userinput>smbclient -L //{netbios name of server}</userinput> </screen> +</para> </sect2> @@ -65,6 +88,9 @@ Some useful Samba commands worth investigating are: <title>Tcpdump</title> <para> +<indexterm><primary>tcpdump</primary></indexterm> +<indexterm><primary>tethereal</primary></indexterm> +<indexterm><primary>ethereal</primary></indexterm> <ulink url="http://www.tcpdump.org/">Tcpdump</ulink> was the first UNIX sniffer with SMB support. It is a command-line utility and now, its SMB support is somewhat lagging that of <command>ethereal</command> @@ -77,6 +103,7 @@ and <command>tethereal</command>. <title>Ethereal</title> <para> +<indexterm><primary>ethereal</primary></indexterm> <ulink url="http://www.ethereal.com/">Ethereal</ulink> is a graphical sniffer, available for both UNIX (Gtk) and Windows. Ethereal's SMB support is quite good. For details on the use of <command>ethereal</command>, read the well-written Ethereal User Guide. @@ -85,6 +112,7 @@ the well-written Ethereal User Guide. <figure id="ethereal1"><title>Starting a Capture.</title><imagefile>ethereal1</imagefile></figure> <para> +<indexterm><primary>ports</primary></indexterm> Listen for data on ports 137, 138, 139, and 445. For example, use the filter <userinput>port 137, port 138, port 139, or port 445</userinput> as seen in <link linkend="ethereal1">Starting a Capture</link> snapshot. </para> 
@@ -101,6 +129,12 @@ A console version of ethereal is available as well and is called <command>tether <title>The Windows Network Monitor</title> <para> +<indexterm><primary>Network Monitor</primary></indexterm> +<indexterm><primary>Netmon</primary></indexterm> +<indexterm><primary>Microsoft Developer Network CDs</primary></indexterm> +<indexterm><primary>SMS</primary></indexterm> +<indexterm><primary>promiscuous mode</primary></indexterm> +<indexterm><primary>ethereal</primary></indexterm> For tracing things on Microsoft Windows NT, Network Monitor (aka Netmon) is available on Microsoft Developer Network CDs, the Windows NT Server install CD, and the SMS CDs. The version of Netmon that ships with SMS allows for dumping packets between any two computers (i.e., placing the network interface in promiscuous @@ -113,6 +147,7 @@ files. <title>Installing Network Monitor on an NT Workstation</title> <para> +<indexterm><primary>Netmon.</primary></indexterm> Installing Netmon on an NT workstation requires a couple of steps. The following are instructions for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server 4.0, on Microsoft Windows NT Workstation 4.0. The process should be similar for other versions of Windows NT version of Netmon. You will @@ -120,6 +155,7 @@ need both the Microsoft Windows NT Server 4.0 Install CD and the Workstation 4.0 </para> <para> +<indexterm><primary>Network Monitor Tools and Agent</primary></indexterm> Initially you will need to install <application>Network Monitor Tools and Agent</application> on the NT Server to do this: </para> 
@@ -217,12 +253,16 @@ If you do post a message to one of the lists, please observe the following guide <itemizedlist> - <listitem><para>Always remember that the developers are volunteers; they are + <listitem><para> +<indexterm><primary>volunteers</primary></indexterm> + Always remember that the developers are volunteers; they are not paid and they never guarantee to produce a particular feature at a particular time. Any timelines are <quote>best guess,</quote> and nothing more. </para></listitem> - <listitem><para>Always mention what version of Samba you are using and what + <listitem><para> +<indexterm><primary>PDC</primary></indexterm> + Always mention what version of Samba you are using and what operating system it's running under. You should list the relevant sections of your &smb.conf; file, at least the options in <smbconfsection name="[global]"/> that affect PDC support. @@ -243,7 +283,9 @@ If you do post a message to one of the lists, please observe the following guide with such bad netiquet bahavior. </para></listitem> - <listitem><para>Don't cross post. Work out which is the best list to post to + <listitem><para> +<indexterm><primary>cross post</primary></indexterm> + Don't cross post. Work out which is the best list to post to and see what happens. Do not post to both samba-ntdom and samba-technical. Many people active on the lists subscribe to more than one list and get annoyed to see the same message two or more times. @@ -251,7 +293,7 @@ If you do post a message to one of the lists, please observe the following guide with on another list will forward it on for you.</para></listitem> <listitem><para>You might include <emphasis>partial</emphasis> - log files written at a debug level set to as much as 20. + log files written at a log level set to as much as 20. Please do not send the entire log but just enough to give the context of the error messages.</para></listitem> 
diff --git a/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml b/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml index 6cdf87b54f..d5cc6e93aa 100644 --- a/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml +++ b/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml @@ -12,17 +12,20 @@ <title>Features and Benefits</title> <para> +<indexterm><primary>roaming profiles</primary></indexterm> Roaming profiles are feared by some, hated by a few, loved by many, and a godsend for some administrators. </para> <para> +<indexterm><primary>manage roaming profiles</primary></indexterm> Roaming profiles allow an administrator to make available a consistent user desktop as the user moves from one machine to another. This chapter provides much information regarding how to configure and manage roaming profiles. </para> <para> +<indexterm><primary>local profiles</primary></indexterm> While roaming profiles might sound like nirvana to some, they are a real and tangible problem to others. In particular, users of mobile computing tools, where often there may not be a sustained network connection, are often better served by purely local profiles. @@ -47,6 +50,7 @@ Windows 9x/Me and Windows NT4/200x clients implement these features. </para> <para> +<indexterm><primary>NetUserGetInfo</primary></indexterm> Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate profiles location field, only the user's home share. This means that Windows 9x/Me @@ -55,6 +59,8 @@ profiles are restricted to being stored in the user's home directory. <para> +<indexterm><primary>NetSAMLogon</primary></indexterm> +<indexterm><primary>RPC</primary></indexterm> Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields including a separate field for the location of the user's profiles. </para> 
@@ -94,6 +100,8 @@ semantics of <quote>%L</quote> and <quote>%N</quote>, as well as <quote>%U</quot </para> <note><para> +<indexterm><primary>logons</primary></indexterm> +<indexterm><primary>disconnect a connection</primary></indexterm> MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended to not use the <smbconfsection name="homes"/> metaservice name as part of the profile share path. </para></note> 
@@ -103,26 +111,29 @@ to not use the <smbconfsection name="homes"/> metaservice name as part of the pr <title>Windows 9x/Me User Profiles</title> <para> +<indexterm><primary>net use /home</primary></indexterm> +<indexterm><primary>logon home</primary></indexterm> To support Windows 9x/Me clients, you must use the <smbconfoption name="logon home"/> parameter. Samba has been fixed so <userinput>net use /home</userinput> now works as well and it, too, relies -on the <command>logon home</command> parameter. +on the <parameter>logon home</parameter> parameter. </para> <para> -By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home -directory. But wait! There is a trick you can use. If you set the following in the +<indexterm><primary>logon home</primary></indexterm> +<indexterm><primary>\\%L\%U\.profiles</primary></indexterm> +<indexterm><primary>.profiles</primary></indexterm> +By using the <parameter>logon home</parameter> parameter, you are restricted to putting Windows 9x/Me profiles +in the user's home directory. But wait! There is a trick you can use. If you set the following in the <smbconfsection name="[global]"/> section of your &smb.conf; file: -</para> -<para><smbconfblock> +<smbconfblock> <smbconfoption name="logon home">\\%L\%U\.profiles</smbconfoption> -</smbconfblock></para> - -<para> +</smbconfblock> then your Windows 9x/Me clients will dutifully put their clients in a subdirectory of your home directory called <filename>.profiles</filename> (making them hidden). </para> <para> +<indexterm><primary>net use /home</primary></indexterm> Not only that, but <userinput>net use /home</userinput> will also work because of a feature in Windows 9x/Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you 
@@ -139,11 +150,12 @@ You can support profiles for Windows 9x and Windows NT clients by setting both t </para> <para><smbconfblock> -<smbconfoption name="logon home">\\%L\%u\.profiles</smbconfoption> -<smbconfoption name="logon path">\\%L\profiles\%u</smbconfoption> +<smbconfoption name="logon home">\\%L\%U\.profiles</smbconfoption> +<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> </smbconfblock></para> <para> +<indexterm><primary>mixed profile</primary></indexterm> Windows 9x/Me and NT4 and later profiles should not be stored in the same location because Windows NT4 and later will experience problems with mixed profile environments. </para> @@ -153,6 +165,7 @@ Windows NT4 and later will experience problems with mixed profile environments. <title>Disabling Roaming Profile Support</title> <para> +<indexterm><primary>disable roaming profiles</primary></indexterm> The question often asked is, <quote>How may I enforce use of local profiles?</quote> or <quote>How do I disable roaming profiles?</quote> </para> @@ -160,9 +173,10 @@ The question often asked is, <quote>How may I enforce use of local profiles?</qu <para> <indexterm><primary>roaming profiles</primary></indexterm> There are three ways of doing this: -<indexterm><primary>windows registry settings</primary><secondary>roaming profiles</secondary></indexterm> </para> +<indexterm><primary>windows registry settings</primary><secondary>roaming profiles</secondary></indexterm> + <variablelist> <varlistentry> <term>In &smb.conf;</term>: 
@@ -180,7 +194,9 @@ There are three ways of doing this: <varlistentry> <term>MS Windows Registry:</term> <listitem><para> - Use the Microsoft Management Console (MMC) gpedit.msc to instruct your MS Windows XP +<indexterm><primary>MMC</primary></indexterm> +<indexterm><primary>local profile</primary></indexterm> + Use the Microsoft Management Console (MMC) <command>gpedit.msc</command> to instruct your MS Windows XP machine to use only a local profile. This, of course, modifies registry settings. The full path to the option is: <screen> @@ -193,11 +209,12 @@ Local Computer Policy\ Disable: Only Allow Local User Profiles Disable: Prevent Roaming Profile Change from Propagating to the Server </screen> - </para> </listitem> + </para></listitem> </varlistentry> <varlistentry> <term>Change of Profile Type:</term> +<indexterm><primary>Profile Type</primary></indexterm> <listitem><para>From the start menu right-click on the <guiicon>My Computer</guiicon> icon, select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel> tab, select the profile you wish to change from @@ -213,6 +230,7 @@ about which registry keys to change to enforce use of only local user profiles. </para> <note><para> +<indexterm><primary>Windows Resource Kit</primary></indexterm> The specifics of how to convert a local profile to a roaming profile, or a roaming profile to a local one, vary according to the version of MS Windows you are running. Consult the Microsoft MS Windows Resource Kit for your version of Windows for specific information. @@ -239,6 +257,8 @@ profile folders. </para> <para> +<indexterm><primary>user.DAT</primary></indexterm> +<indexterm><primary>user.MAN</primary></indexterm> The <filename>user.DAT</filename> file contains all the user's preferences. If you wish to enforce a set of preferences, rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename>, and deny them write access to this file. </para> 
@@ -261,6 +281,10 @@ rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename> </orderedlist> <para> +<indexterm><primary>Primary Logon</primary></indexterm> +<indexterm><primary>Client for Novell Networks</primary></indexterm> +<indexterm><primary>Novell</primary></indexterm> +<indexterm><primary>Windows Logon</primary></indexterm> Under Windows 9x/Me, profiles are downloaded from the Primary Logon. If you have the Primary Logon as <quote>Client for Novell Networks</quote>, then the profiles and logon script will be downloaded from your Novell server. If you have the Primary Logon as <quote>Windows Logon</quote>, then the profiles will @@ -268,6 +292,7 @@ be loaded from the local machine &smbmdash; a bit against the concept of roaming </para> <para> +<indexterm><primary>domain logon server</primary></indexterm> You will now find that the Microsoft Networks Login box contains <constant>[user, password, domain]</constant> instead of just <constant>[user, password]</constant>. Type in the Samba server's domain name (or any other domain known to exist, but bear in mind that the user will be authenticated against this domain and profiles downloaded from it @@ -288,6 +313,9 @@ the Samba server and verify that the <filename>Desktop</filename>, <filename>Sta </para> <para> +<indexterm><primary>cached locally</primary></indexterm> +<indexterm><primary>shortcuts</primary></indexterm> +<indexterm><primary>profile directory</primary></indexterm> These folders will be cached locally on the client and updated when the user logs off (if you haven't made them read-only by then). You will find that if the user creates further folders or shortcuts, the client will merge the profile contents downloaded with the contents of the profile 
@@ -295,6 +323,10 @@ directory already on the local client, taking the newest folders and shortcut fr </para> <para> +<indexterm><primary>local profile</primary></indexterm> +<indexterm><primary>remote profile</primary></indexterm> +<indexterm><primary>ownership rights</primary></indexterm> +<indexterm><primary>profile directory</primary></indexterm> If you have made the folders/files read-only on the Samba server, then you will get errors from the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile. Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions @@ -302,6 +334,10 @@ and ownership rights on the profile directory contents, on the Samba server. </para> <para> +<indexterm><primary>windows registry settings</primary></indexterm> +<indexterm><primary>profile path</primary></indexterm> +<indexterm><primary>user profiles</primary></indexterm> +<indexterm><primary>desktop cache</primary></indexterm> <indexterm><primary>windows registry settings</primary><secondary>profile path</secondary></indexterm> If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below. When this user next logs in, the user will be told that he/she is logging in <quote>for the first @@ -348,6 +384,7 @@ time</quote>. </orderedlist> <warning><para> +<indexterm><primary>ProfilePath</primary></indexterm> Before deleting the contents of the directory listed in the <parameter>ProfilePath</parameter> (this is likely to be <filename>c:\windows\profiles\username)</filename>, ask whether the owner has any important files stored on his or her desktop or start menu. Delete the contents of the 
@@ -361,11 +398,18 @@ in their profile directory, as well as the local <quote>desktop,</quote> <quote> </para></warning> <para> +<indexterm><primary>log level</primary></indexterm> +<indexterm><primary>packet sniffer</primary></indexterm> +<indexterm><primary>ethereal</primary></indexterm> +<indexterm><primary>netmon.exe</primary></indexterm> If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet sniffer program such as ethereal or <command>netmon.exe</command>, and look for error messages. </para> -<para> If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or +<para> +<indexterm><primary>roaming profiles</primary></indexterm> +<indexterm><primary>packet trace</primary></indexterm> +If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace. </para> @@ -387,6 +431,8 @@ the new <smbconfoption name="logon home"/> parameter. </para> <para> +<indexterm><primary>.PDS extension</primary></indexterm> +<indexterm><primary>profile path</primary></indexterm> The entry for the NT4 profile is a directory, not a file. The NT help on profiles mentions that a directory is also created with a .PDS extension. The user, while logging in, must have write permission to create the full profile path (and the folder with the .PDS extension for those situations where it @@ -394,6 +440,7 @@ might be created). </para> <para> +<indexterm><primary>NTuser.DAT</primary></indexterm> In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates <filename>Application Data</filename> and others, as well as <filename>Desktop</filename>, <filename>Nethood</filename>, <filename>Start Menu,</filename> and <filename>Programs</filename>. 
@@ -402,6 +449,8 @@ in the .PDS directory, and its purpose is currently unknown. </para> <para> +<indexterm><primary>NTuser.DAT</primary></indexterm> +<indexterm><primary>NTuser.MAN</primary></indexterm> You can use the <application>System Control Panel</application> to copy a local profile onto a Samba server (see NT help on profiles; it is also capable of firing up the correct location in the <application>System Control Panel</application> for you). The NT help file also mentions that renaming @@ -531,6 +580,8 @@ The UPHClean software package can be downloaded from <ulink url="http://www.micr <title>Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</title> <para> +<indexterm><primary>profile sharing</primary></indexterm> +<indexterm><primary>profile contents</primary></indexterm> Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an evolving phenomenon, and profiles for later versions of MS Windows clients add features that may interfere with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is @@ -546,6 +597,8 @@ location for the profiles. The &smb.conf; parameters that need to be common are </para> <para> +<indexterm><primary>user.DAT</primary></indexterm> +<indexterm><primary>NTuser.DAT</primary></indexterm> If you have this set up correctly, you will find separate <filename>user.DAT</filename> and <filename>NTuser.DAT</filename> files in the same profile directory. </para> 
@@ -556,6 +609,7 @@ If you have this set up correctly, you will find separate <filename>user.DAT</fi <title>Profile Migration from Windows NT4/200x Server to Samba</title> <para> +<indexterm><primary>encrypted passwords</primary></indexterm> There is nothing to stop you from specifying any path that you like for the location of users' profiles. Therefore, you could specify that the profile be stored on a Samba server or any other SMB server, as long as that SMB server supports encrypted passwords. @@ -565,6 +619,7 @@ as long as that SMB server supports encrypted passwords. <title>Windows NT4 Profile Management Tools</title> <para> +<indexterm><primary>resource kit</primary></indexterm> Unfortunately, the resource kit information is specific to the version of MS Windows NT4/200x. The correct resource kit is required for each platform. </para> @@ -609,6 +664,7 @@ Follow these steps for every profile you need to migrate. <para> <indexterm><primary>SID</primary></indexterm> +<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>info</tertiary></indexterm> You should obtain the SID of your NT4 domain. You can use the <command>net rpc info</command> to do this. See <link linkend="NetCommand">The Net Command Chapter</link>, <link linkend="netmisc1">Other Miscellaneous Operations</link> for more information. </para> 
@@ -619,8 +675,10 @@ See <link linkend="NetCommand">The Net Command Chapter</link>, <link linkend="ne <title>moveuser.exe</title> <para> -The Windows 200x professional resource kit has <command>moveuser.exe</command>. <command>moveuser.exe</command> changes the security of a profile -from one user to another. This allows the account domain to change and/or the username to change. +<indexterm><primary>moveuser.exe</primary></indexterm> +The Windows 200x professional resource kit has <command>moveuser.exe</command>. +<command>moveuser.exe</command> changes the security of a profile from one user to another. This allows the +account domain to change and/or the username to change. </para> <para> @@ -634,6 +692,7 @@ This command is like the Samba <command>profiles</command> tool. <para> <indexterm><primary>SID</primary></indexterm> +<indexterm><primary>GetSID.exe</primary></indexterm> You can identify the SID by using <command>GetSID.exe</command> from the Windows NT Server 4.0 Resource Kit. </para> 
@@ -665,17 +724,20 @@ then this must be done through policy settings. See <link linkend="PolicyMgmt">S Policies</link>. </para> -<note><para> - Under NO circumstances should the profile directory (or its -contents) be made read-only because this may render the profile unusable. -Where it is essential to make a profile read-only within the UNIX file -system, this can be done, but then you absolutely must use the -<command>fake-permissions</command> VFS module to instruct MS Windows -NT/200x/XP clients that the Profile has write permission for the user. -See <link linkend="fakeperms">fake_perms VFS module</link>. +<note><para> +<indexterm><primary>fake-permissions module</primary></indexterm> +<indexterm><primary>VFS module</primary></indexterm> +<indexterm><primary>fake_perms</primary></indexterm> +Under NO circumstances should the profile directory (or its contents) be made read-only because this may +render the profile unusable. Where it is essential to make a profile read-only within the UNIX file system, +this can be done, but then you absolutely must use the <command>fake-permissions</command> VFS module to +instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See <link +linkend="fakeperms">fake_perms VFS module</link>. </para></note> <para> +<indexterm><primary>NTUser.MAN</primary></indexterm> +<indexterm><primary>NTUser.DAT</primary></indexterm> For MS Windows NT4/200x/XP, the procedure shown in <link linkend="profilemigrn">Profile Migration from Windows NT4/200x Server to Samba</link> can also be used to create mandatory profiles. To convert a group profile into a mandatory profile, simply locate the <filename>NTUser.DAT</filename> file in the copied profile and rename 
@@ -683,6 +745,7 @@ it to <filename>NTUser.MAN</filename>. </para> <para> +<indexterm><primary>User.MAN</primary></indexterm> For MS Windows 9x/Me, it is the <filename>User.DAT</filename> file that must be renamed to <filename>User.MAN</filename> to effect a mandatory profile. </para> @@ -694,6 +757,9 @@ For MS Windows 9x/Me, it is the <filename>User.DAT</filename> file that must be <para> <indexterm><primary>group profiles</primary></indexterm> +<indexterm><primary>template</primary></indexterm> +<indexterm><primary>profile migration tool</primary></indexterm> +<indexterm><primary>profile access rights</primary></indexterm> Most organizations are arranged into departments. There is a nice benefit in this fact, since usually most users in a department require the same desktop applications and the same desktop layout. MS Windows NT4/200x/XP will allow the use of group profiles. A group profile is a profile that is created @@ -702,6 +768,7 @@ assigned access rights for the user group that needs to be given access to the g </para> <para> +<indexterm><primary>User Manager</primary></indexterm> The next step is rather important. Instead of assigning a group profile to users (Using User Manager) on a <quote>per-user</quote> basis, the group itself is assigned the now modified profile. </para> @@ -718,6 +785,7 @@ profile, then the result will be a fusion (merge) of the two. <para> <indexterm><primary>default profile</primary></indexterm> +<indexterm><primary>registry keys</primary></indexterm> MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile does not already exist. Armed with a knowledge of where the default profile is located on the Windows workstation, and knowing which registry keys affect the path from which the default profile is created, 
@@ -729,6 +797,8 @@ significant administrative advantages. <title>MS Windows 9x/Me</title> <para> +<indexterm><primary>System Policy Editor</primary></indexterm> +<indexterm><primary>registry</primary></indexterm> To enable default per-use profiles in Windows 9x/Me, you can either use the <application>Windows 98 System Policy Editor</application> or change the registry directly. </para> @@ -742,6 +812,7 @@ changes. </para> <para> +<indexterm><primary>regedit.exe</primary></indexterm> To modify the registry directly, launch the <application>Registry Editor</application> (<command>regedit.exe</command>) and select the hive <filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name <quote>User Profiles.</quote> To enable user profiles to set the value @@ -822,7 +893,13 @@ the following steps are followed for profile handling: exist, then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> directory from reading the <filename>Default User</filename> profile. </para> </step> - <step> <para> If the NETLOGON share on the authenticating server (logon server) contains + <step> <para> +<indexterm><primary>NTConfig.POL</primary></indexterm> +<indexterm><primary>NETLOGON</primary></indexterm> +<indexterm><primary>authenticating server</primary></indexterm> +<indexterm><primary>logon server</primary></indexterm> +<indexterm><primary>HKEY_CURRENT_USER</primary></indexterm> + If the NETLOGON share on the authenticating server (logon server) contains a policy file (<filename>NTConfig.POL</filename>), then its contents are applied to the <filename>NTUser.DAT</filename>, which is applied to the <filename>HKEY_CURRENT_USER</filename> part of the registry. 
@@ -850,6 +927,7 @@ on logout. </para> <para> +<indexterm><primary>regedt32</primary></indexterm> Under MS Windows NT4, default locations for common resources like <filename>My Documents</filename> may be redirected to a network share by modifying the following registry keys. These changes may be made via use of the System Policy Editor. To do so may require that you create your own template @@ -932,6 +1010,9 @@ The default entries are shown in <link linkend="regkeys">Defaults of Profile Set <note><para> <indexterm><primary>GPOs</primary></indexterm> +<indexterm><primary>Windows XP Home Edition</primary></indexterm> +<indexterm><primary>ADS</primary></indexterm> +<indexterm><primary>domain security</primary></indexterm> MS Windows XP Home Edition does use default per-user profiles, but cannot participate in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only from itself. While there are benefits in doing this, the beauty of those MS Windows clients that @@ -940,6 +1021,7 @@ profile and enforce it through the use of Group Policy Objects (GPOs). </para></note> <para> +<indexterm><primary>Default User</primary></indexterm> When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from <filename>C:\Documents and Settings\Default User</filename>. The administrator can modify or change the contents of this location, and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement, 
@@ -947,9 +1029,10 @@ since it will involve copying a new default profile to every MS Windows 200x/XP </para> <para> +<indexterm><primary>NETLOGON</primary></indexterm> When MS Windows 200x/XP participates in a domain security context, and if the default user profile is not found, then the client will search for a default profile in the NETLOGON share of the authenticating server. -In MS Windows parlance, it is <?latex \linebreak ?><filename>%LOGONSERVER%\NETLOGON\Default User,</filename> +In MS Windows parlance, it is <filename>%LOGONSERVER%\NETLOGON\Default User,</filename> and if one exists there, it will copy this to the workstation in the <filename>C:\Documents and Settings\</filename> under the Windows login name of the use. </para> diff --git a/docs/Samba3-HOWTO/TOSHARG-SecureLDAP.xml b/docs/Samba3-HOWTO/TOSHARG-SecureLDAP.xml index 2fa4423d37..a288167ea2 100644 --- a/docs/Samba3-HOWTO/TOSHARG-SecureLDAP.xml +++ b/docs/Samba3-HOWTO/TOSHARG-SecureLDAP.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> <chapter id="ch-ldap-tls"> -<title>Transport Layer Security</title> +<title>LDAP and Transport Layer Security</title> <sect1 id="s1-intro-ldap-tls"> <title>Introduction</title> diff --git a/docs/Samba3-HOWTO/TOSHARG-Speed.xml b/docs/Samba3-HOWTO/TOSHARG-Speed.xml index 1221eedfb4..4ad59eacdc 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Speed.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Speed.xml 
@@ -78,7 +78,7 @@ much. The correct settings are very dependent on your local network. <para> The socket option TCP_NODELAY is the one that seems to make the biggest single difference for most networks. Many people report that adding -<?latex \linebreak ?><smbconfoption name="socket options">TCP_NODELAY</smbconfoption> +<smbconfoption name="socket options">TCP_NODELAY</smbconfoption> doubles the read performance of a Samba drive. The best explanation I have seen for this is that the Microsoft TCP/IP stack is slow in sending TCP ACKs. </para> diff --git a/docs/Samba3-HOWTO/TOSHARG-Unicode.xml b/docs/Samba3-HOWTO/TOSHARG-Unicode.xml index c1d8fc1611..d4318995a1 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Unicode.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Unicode.xml @@ -20,6 +20,7 @@ <title>Features and Benefits</title> <para> +<indexterm><primary>use computer anywhere</primary></indexterm> Every industry eventually matures. One of the great areas of maturation is in the focus that has been given over the past decade to make it possible for anyone anywhere to use a computer. It has not always been that way. In fact, not so long @@ -35,6 +36,7 @@ is deserving of special mention. </para> <para> +<indexterm><primary>codepages</primary></indexterm> Samba-2.x supported a single locale through a mechanism called <emphasis>codepages</emphasis>. Samba-3 is destined to become a truly transglobal file- and printer-sharing platform. @@ -46,6 +48,7 @@ file- and printer-sharing platform. <title>What Are Charsets and Unicode?</title> <para> +<indexterm><primary>character set</primary></indexterm> Computers communicate in numbers. In texts, each number is translated to a corresponding letter. The meaning that will be assigned to a certain number depends on the <emphasis>character set (charset) 
@@ -53,6 +56,8 @@ to a certain number depends on the <emphasis>character set (charset) </para> <para> +<indexterm><primary>charset</primary></indexterm> +<indexterm><primary>ASCII</primary></indexterm> A charset can be seen as a table that is used to translate numbers to letters. Not all computers use the same charset (there are charsets with German umlauts, Japanese characters, and so on). The American Standard Code @@ -62,6 +67,8 @@ encoding scheme used by computers to date. This employs a charset that contains </para> <para> +<indexterm><primary>multibyte charsets</primary></indexterm> +<indexterm><primary>extended characters</primary></indexterm> There are also charsets that support extended characters, but those need at least twice as much storage space as does ASCII encoding. Such charsets can contain <command>256 * 256 = 65536</command> characters, which is more than all possible @@ -70,13 +77,18 @@ more then one byte to store one character. </para> <para> +<indexterm><primary>unicode</primary></indexterm> One standardized multibyte charset encoding scheme is known as <ulink url="http://www.unicode.org/">unicode</ulink>. A big advantage of using a multibyte charset is that you only need one. There is no need to make sure two computers use the same charset when they are communicating. </para> -<para>Old Windows clients use single-byte charsets, named +<para> +<indexterm><primary>single-byte charsets</primary></indexterm> +<indexterm><primary>SMB/CIFS</primary></indexterm> +<indexterm><primary>negotiating the charset</primary></indexterm> +Old Windows clients use single-byte charsets, named <parameter>codepages</parameter>, by Microsoft. However, there is no support for negotiating the charset to be used in the SMB/CIFS protocol. Thus, you have to make sure you are using the same charset when talking to an older client. 
@@ -88,6 +100,8 @@ Newer clients (Windows NT, 200x, XP) talk Unicode over the wire. <title>Samba and Charsets</title> <para> +<indexterm><primary>Unicode</primary></indexterm> +<indexterm><primary>character sets</primary></indexterm> As of Samba-3, Samba can (and will) talk Unicode over the wire. Internally, Samba knows of three kinds of character sets: </para> @@ -96,11 +110,13 @@ Samba knows of three kinds of character sets: <varlistentry> <term><smbconfoption name="unix charset"/></term> <listitem><para> +<indexterm><primary>UTF-8</primary></indexterm> +<indexterm><primary>CP850</primary></indexterm> This is the charset used internally by your operating system. The default is <constant>UTF-8</constant>, which is fine for most systems and covers all characters in all languages. The default in previous Samba releases was to save filenames in the encoding of the - clients &smbmdash; for example, cp850 for Western European countries. + clients &smbmdash; for example, CP850 for Western European countries. </para></listitem> </varlistentry> @@ -127,9 +143,12 @@ Samba knows of three kinds of character sets: <sect1> <title>Conversion from Old Names</title> -<para>Because previous Samba versions did not do any charset conversion, +<para> +<indexterm><primary>charset conversion</primary></indexterm> +Because previous Samba versions did not do any charset conversion, characters in filenames are usually not correct in the UNIX charset but only -for the local charset used by the DOS/Windows clients.</para> +for the local charset used by the DOS/Windows clients. +</para> <para>Bjoern Jacke has written a utility named <ulink url="http://j3e.de/linux/convmv/">convmv</ulink> that can convert whole directory structures to different charsets with one single command. 
@@ -145,12 +164,20 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </para> <itemizedlist> - <listitem><para>The Windows character set is extended from the original legacy Japanese + <listitem><para> +<indexterm><primary>JIS X 0208</primary></indexterm> + The Windows character set is extended from the original legacy Japanese standard (JIS X 0208) and is not standardized. This means that the strictly standardized implementation cannot support the full Windows character set. </para></listitem> - <listitem><para> Mainly for historical reasons, there are several encoding methods in + <listitem><para> +<indexterm><primary>Shift_JIS</primary></indexterm> +<indexterm><primary>EUC-JP</primary></indexterm> +<indexterm><primary>CAP</primary></indexterm> +<indexterm><primary>HEX</primary></indexterm> +<indexterm><primary>Japanese</primary></indexterm> + Mainly for historical reasons, there are several encoding methods in Japanese, which are not fully compatible with each other. There are two major encoding methods. One is the Shift_JIS series used in Windows and some UNIXes. The other is the EUC-JP series used in most UNIXes @@ -174,7 +201,12 @@ Setting up Japanese charsets is quite difficult. This is mainly because: the charset parameters depends on the implementation of iconv() you are using. </para> - <para>Though 2-byte fixed UCS-2 encoding is used in Windows internally, + <para> +<indexterm><primary>UCS-2</primary></indexterm> +<indexterm><primary>Shift_JIS</primary></indexterm> +<indexterm><primary>ASCII</primary></indexterm> +<indexterm><primary>English</primary></indexterm> + Though 2-byte fixed UCS-2 encoding is used in Windows internally, Shift_JIS series encoding is usually used in Japanese environments as ASCII encoding is in English environments. </para></listitem> 
@@ -183,6 +215,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because: <sect2><title>Basic Parameter Setting</title> <para> +<indexterm><primary>CP932</primary></indexterm> The <smbconfoption name="dos charset"/> and <smbconfoption name="display charset"/> should be set to the locale compatible with the character set @@ -191,6 +224,9 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </para> <para> +<indexterm><primary>Shift_JIS</primary></indexterm> +<indexterm><primary>UTF-8</primary></indexterm> +<indexterm><primary>EUC-JP</primary></indexterm> The <smbconfoption name="unix charset"/> can be either Shift_JIS series, EUC-JP series, or UTF-8. UTF-8 is always available, but the availability of other locales and the name itself depends on the system. @@ -246,6 +282,8 @@ Setting up Japanese charsets is quite difficult. This is mainly because: <varlistentry><term>EUC-JP series</term> <listitem><para> +<indexterm><primary>EUC-JP</primary></indexterm> +<indexterm><primary>Japanese UNIX</primary></indexterm> EUC-JP series means a locale that is equivalent to the industry standard called EUC-JP, widely used in Japanese UNIX (although EUC contains specifications for languages other than Japanese, such as 
@@ -256,10 +294,20 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </para> <para> +<indexterm><primary>EUC-JP</primary></indexterm> +<indexterm><primary>UNIX</primary></indexterm> +<indexterm><primary>Linux</primary></indexterm> +<indexterm><primary>FreeBSD</primary></indexterm> +<indexterm><primary>Solaris</primary></indexterm> +<indexterm><primary>IRIX</primary></indexterm> +<indexterm><primary>Tru64 UNIX</primary></indexterm> +<indexterm><primary>Japanese locale</primary></indexterm> +<indexterm><primary>Shift_JIS</primary></indexterm> +<indexterm><primary>UTF-8</primary></indexterm> Since EUC-JP is usually used on open source UNIX, Linux, and FreeBSD, and on commercial-based UNIX, Solaris, IRIX, and Tru64 UNIX as Japanese locale (however, it is also possible on Solaris to use Shift_JIS and UTF-8, and on Tru64 UNIX it is possible to use Shift_JIS). To use EUC-JP series, most Japanese filenames created from - Windows can be referred to also on UNIX. Also, most Japanized free software work mainly with EUC-JP only. + Windows can be referred to also on UNIX. Also, most Japanized free software works mainly with EUC-JP only. </para> <para> @@ -274,6 +322,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </para> <para> +<indexterm><primary>eucJP-ms locale</primary></indexterm> Moreover, if you built Samba using differently installed libiconv, the eucJP-ms locale included in libiconv and EUC-JP series locale included in the operating system may not be compatible. In this case, you may need to 
@@ -311,6 +360,9 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </para> <para> +<indexterm><primary>Windows</primary></indexterm> +<indexterm><primary>Java</primary></indexterm> +<indexterm><primary>Unicode UTF-8</primary></indexterm> In addition, although it is not directly concerned with Samba, since there is a delicate difference between the iconv() function, which is generally used on UNIX, and the functions used on other platforms, @@ -320,6 +372,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </para> <para> +<indexterm><primary>Mac OS X </primary></indexterm> Although Mac OS X uses UTF-8 as its encoding method for filenames, it uses an extended UTF-8 specification that Samba cannot handle, so UTF-8 locale is not available for Mac OS X. @@ -329,6 +382,9 @@ Setting up Japanese charsets is quite difficult. This is mainly because: <varlistentry><term>Shift_JIS series + vfs_cap (CAP encoding)</term> <listitem><para> +<indexterm><primary>CAP</primary></indexterm> +<indexterm><primary>NetAtalk</primary></indexterm> +<indexterm><primary>Macintosh</primary></indexterm> CAP encoding means a specification used in CAP and NetAtalk, file server software for Macintosh. In the case of CAP encoding, for example, if a Japanese filename consists of 0x8ba4 and 0x974c, and @@ -366,10 +422,11 @@ Setting up Japanese charsets is quite difficult. This is mainly because: <para> To use CAP encoding on Samba-3, you should use the unix charset parameter and VFS - as in Example 29.5.1: + as in <link linkend="vfscap-intl">the VFS CAP smb.conf file</link>. </para> -<example><title>VFS CAP</title> +<example id="vfscap-intl"> +<title>VFS CAP</title> <smbconfblock> <smbconfsection name="[global]"/> <smbconfcomment>the locale name "CP932" may be different</smbconfcomment> 
@@ -382,6 +439,10 @@ Setting up Japanese charsets is quite difficult. This is mainly because: </example> <para> +<indexterm><primary>CP932</primary></indexterm> +<indexterm><primary>libiconv</primary></indexterm> +<indexterm><primary>unix charset</primary></indexterm> +<indexterm><primary>cap-share</primary></indexterm> You should set CP932 if using GNU libiconv for unix charset. With this setting, filenames in the <quote>cap-share</quote> share are written with CAP encoding. </para> @@ -409,8 +470,6 @@ Here is some additional information regarding individual implementations: Using the patched libiconv-1.8, these settings are available: </para> - -<!-- FIXME: Convert to diagram ? --> <programlisting> dos charset = CP932 unix charset = CP932 / eucJP-ms / UTF-8 @@ -435,14 +494,13 @@ display charset = CP932 <para> Using the above glibc, these setting are available: + <smbconfblock> + <smbconfoption name="dos charset">CP932</smbconfoption> + <smbconfoption name="unix charset">CP932 / eucJP-ms / UTF-8</smbconfoption> + <smbconfoption name="display charset">CP932</smbconfoption> + </smbconfblock> </para> -<smbconfblock> -<smbconfoption name="dos charset">CP932</smbconfoption> -<smbconfoption name="unix charset">CP932 / eucJP-ms / UTF-8</smbconfoption> -<smbconfoption name="display charset">CP932</smbconfoption> -</smbconfblock> - <para> Other Japanese locales (for example, Shift_JIS and EUC-JP) should not be used because of the lack of the compatibility with Windows. diff --git a/docs/Samba3-HOWTO/TOSHARG-Winbind.xml b/docs/Samba3-HOWTO/TOSHARG-Winbind.xml index ace368ec2d..af2e3d9af3 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Winbind.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Winbind.xml 
@@ -333,26 +333,22 @@ <indexterm><primary>remote management</primary></indexterm> <indexterm><primary>user authentication</primary></indexterm> <indexterm><primary>print spooling</primary></indexterm> - Over the last few years, efforts have been underway - by various Samba Team members to decode various aspects of - the Microsoft Remote Procedure Call (MSRPC) system. This - system is used for most network-related operations between - Windows NT machines, including remote management, user authentication, - and print spooling. Although initially this work was done - to aid the implementation of Primary Domain Controller (PDC) - functionality in Samba, it has also yielded a body of code that - can be used for other purposes.</para> + Over the last few years, efforts have been underway by various Samba Team members to implement various aspects of + the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network-related operations + between Windows NT machines, including remote management, user authentication, and print spooling. Although + initially this work was done to aid the implementation of Primary Domain Controller (PDC) functionality in + Samba, it has also yielded a body of code that can be used for other purposes. + </para> <para> <indexterm><primary>MSRPC</primary></indexterm> <indexterm><primary>enumerate domain users</primary></indexterm> <indexterm><primary>enumerate domain groups</primary></indexterm> - Winbind uses various MSRPC calls to enumerate domain users - and groups and to obtain detailed information about individual - users or groups. Other MSRPC calls can be used to authenticate - NT domain users and to change user passwords. By directly querying - a Windows PDC for user and group information, Winbind maps the - NT account information onto UNIX user and group names.</para> + Winbind uses various MSRPC calls to enumerate domain users and groups and to obtain detailed information about + individual users or groups. 
Other MSRPC calls can be used to authenticate NT domain users and to change user + passwords. By directly querying a Windows PDC for user and group information, Winbind maps the NT account + information onto UNIX user and group names. + </para> </sect2> <sect2> diff --git a/docs/Samba3-HOWTO/TOSHARG-glossary.xml b/docs/Samba3-HOWTO/TOSHARG-glossary.xml index aa069864cf..34b15ee21b 100644 --- a/docs/Samba3-HOWTO/TOSHARG-glossary.xml +++ b/docs/Samba3-HOWTO/TOSHARG-glossary.xml @@ -82,7 +82,7 @@ <acronym>EMF</acronym> <glossdef> <para> - An intermediate file format used by Microsoft <?latex \linebreak ?>Windows-based servers and clients. EMF files may be + An intermediate file format used by Microsoft Windows-based servers and clients. EMF files may be rendered into a page description language by a print processor. </para> </glossdef> diff --git a/docs/Samba3-HOWTO/index.xml b/docs/Samba3-HOWTO/index.xml index c9949704e9..3976afb2ae 100644 --- a/docs/Samba3-HOWTO/index.xml +++ b/docs/Samba3-HOWTO/index.xml @@ -162,7 +162,7 @@ The chapters in this part each cover specific Samba features. <!-- Comment out the following line to include the manpages. *Please* do not commit with the line below enabled! --> <!-- <xi:include href="manpages.xml"/> --> - <!-- <xi:include href="manpages.xml"/> --> + <xi:include href="manpages.xml"/> <xi:include href="http://www.gnu.org/licenses/gpl.xml"/> <xi:include href="TOSHARG-glossary.xml"/> |
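Review bot: in the TOSHARG-Unicode.xml hunk at @@ -256,10 +294,20, the grammar fix "free software works" is correct, but the sentence before it ("Since EUC-JP is usually used on open source UNIX, ... (however, ... Shift_JIS).") is a subordinate clause with no main clause and is left as is. Suggest merging it with the sentence that follows, e.g. "Since EUC-JP is usually used on ... as the Japanese locale (...), using the EUC-JP series means most Japanese filenames created from Windows can also be referred to on UNIX."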
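Review bot: `<indexterm><primary>Mac OS X </primary></indexterm>` in the TOSHARG-Unicode.xml hunk at @@ -320,6 +372,7 has a trailing space inside `<primary>`; index processors key on the exact string, so this will produce a second, duplicate index entry next to "Mac OS X". Remove the trailing space.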
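Review bot: the TOSHARG-Unicode.xml hunk at @@ -409,8 +470,6 deletes the `<!-- FIXME: Convert to diagram ? -->` marker but leaves the libiconv-1.8 settings as a raw `<programlisting>`, while the equivalent glibc settings in the next hunk are converted to an `<smbconfblock>`. Either convert this listing in the same way or keep the FIXME so the remaining inconsistency stays visible to the next editor.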
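Review bot: in the TOSHARG-Unicode.xml hunk at @@ -435,14 +494,13, the `<smbconfblock>` is moved inside the `<para>`, whereas the VFS CAP example earlier in the same file keeps `<smbconfblock>` as a block-level sibling of `<para>` inside `<example>`; please confirm the stylesheets accept it as paragraph content, otherwise keep it as a sibling. Two smaller points in the same region: the unchanged context line "these setting are available" should read "these settings are available", and `<smbconfoption name="unix charset">CP932 / eucJP-ms / UTF-8</smbconfoption>` renders as a literal smb.conf line, so a reader who copies it verbatim ends up with an invalid charset value; list the three alternatives in prose and show one concrete value in the block.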
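Review bot: the TOSHARG-Winbind.xml hunk at @@ -333,26 +333,22 is presented as a reflow, but it also changes "to decode various aspects of the Microsoft Remote Procedure Call (MSRPC) system" to "to implement various aspects", which alters the meaning (reverse-engineering the protocol versus implementing it). If the wording change is intended, call it out in the commit message rather than burying it in a whitespace reflow; if not, restore "decode".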
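Review bot: the index.xml hunk at @@ -162,7 +162,7 enables `<xi:include href="manpages.xml"/>` directly beneath the comment "*Please* do not commit with the line below enabled!", so this looks like an accidentally committed local build setting rather than an intended change. If shipping the manpages in the HOWTO is now intended, remove that warning comment and the now-redundant commented-out copy of the same include in the same commit so the file does not contradict itself; otherwise revert this line.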