25 files changed, 9605 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml new file mode 100644 index 0000000000..66b9be1dbd --- /dev/null +++ b/docs/docbook/projdoc/VFS.sgml 
@@ -0,0 +1,200 @@ +<chapter id="VFS"> +<chapterinfo> + <author><firstname>Jelmer</firstname><surname>Vernooij</surname></author> + <author><firstname>Alexander</firstname><surname>Bokovoy</surname></author> + <author><firstname>Tim</firstname><surname>Potter</surname></author> + <author><firstname>Simo</firstname><surname>Sorce</surname></author> +</chapterinfo> +<title>Stackable VFS modules</title> + +<sect1> +<title>Introduction and configuration</title> + +<para> +Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. +Samba passes each request to access the unix file system thru the loaded VFS modules. +This chapter covers all the modules that come with the samba source and references to +some external modules. +</para> + +<para> +You may have problems to compile these modules, as shared libraries are +compiled and linked in different ways on different systems. +They currently have been tested against GNU/linux and IRIX. +</para> + +<para> +To use the VFS modules, create a share similar to the one below. The +important parameter is the <command>vfs object</command> parameter which must point to +the exact pathname of the shared library objects. For example, to log all access +to files and use a recycle bin: + +<programlisting> + [audit] + comment = Audited /data directory + path = /data + vfs object = /path/to/audit.so /path/to/recycle.so + writeable = yes + browseable = yes +</programlisting> +</para> + +<para> +The modules are used in the order they are specified. +</para> + +<para> +Further documentation on writing VFS modules for Samba can be found in +the Samba Developers Guide. +</para> + +</sect1> + +<sect1> +<title>Included modules</title> + +<sect2> +<title>audit</title> +<para>A simple module to audit file access to the syslog +facility. 
The following operations are logged: +<simplelist> +<member>share</member> +<member>connect/disconnect</member> +<member>directory opens/create/remove</member> +<member>file open/close/rename/unlink/chmod</member> +</simplelist> +</para> +</sect2> + +<sect2> +<title>recycle</title> +<para> +A recycle-bin like modules. When used any unlink call +will be intercepted and files moved to the recycle +directory instead of beeing deleted. +</para> + +<para>Supported options: +<variablelist> + <varlistentry> + <term>vfs_recycle_bin:repository</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:keeptree</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:versions</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:touch</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:maxsize</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:exclude</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:exclude_dir</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> + + <varlistentry> + <term>vfs_recycle_bin:noversions</term> + <listitem><para>FIXME</para></listitem> + </varlistentry> +</variablelist> +</para> + +</sect2> + +<sect2> +<title>netatalk</title> +<para> +A netatalk module, that will ease co-existence of samba and +netatalk file sharing services. 
+</para> + +<para>Advantages compared to the old netatalk module: +<simplelist> +<member>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</member> +<member>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</member> +</simplelist> +</para> + +</sect2> + +</sect1> + +<sect1> +<title>VFS modules available elsewhere</title> + +<para> +This section contains a listing of various other VFS modules that +have been posted but don't currently reside in the Samba CVS +tree for one reason ot another (e.g. it is easy for the maintainer +to have his or her own CVS tree). +</para> + +<para> +No statemets about the stability or functionality any module +should be implied due to its presence here. +</para> + +<sect2> +<title>DatabaseFS</title> + +<para> +URL: <ulink url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink> +</para> + +<para>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer</ulink>.</para> + +<para> +I have created a VFS module which implements a fairly complete read-only +filesystem. It presents information from a database as a filesystem in +a modular and generic way to allow different databases to be used +(originally designed for organizing MP3s under directories such as +"Artists," "Song Keywords," etc... I have since applied it to a student +roster database very easily). The directory structure is stored in the +database itself and the module makes no assumptions about the database +structure beyond the table it requires to run. +</para> + +<para> +Any feedback would be appreciated: comments, suggestions, patches, +etc... If nothing else, hopefully it might prove useful for someone +else who wishes to create a virtual filesystem. 
+</para> + +</sect2> + +<sect2> +<title>vscan</title> +<para>URL: <ulink url="http://www.openantivirus.org/">http://www.openantivirus.org/</ulink></para> + +<para> +samba-vscan is a proof-of-concept module for Samba, which +uses the VFS (virtual file system) features of Samba 2.2.x/3.0 +alphaX. Of couse, Samba has to be compiled with VFS support. +samba-vscan supports various virus scanners and is maintained +by Rainer Link. +</para> + +</sect2> + +</sect1> + +</chapter> diff --git a/docs/docbook/projdoc/pdb_mysql.sgml b/docs/docbook/projdoc/pdb_mysql.sgml new file mode 100644 index 0000000000..05262ebe10 --- /dev/null +++ b/docs/docbook/projdoc/pdb_mysql.sgml 
@@ -0,0 +1,138 @@ +<chapter id="pdb-mysql"> +<chapterinfo> + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>The Samba Team</orgname> + <address><email>jelmer@samba.org</email></address> + </affiliation> + </author> + <pubdate>November 2002</pubdate> +</chapterinfo> + +<title>Passdb MySQL plugin</title> + +<sect1> +<title>Building</title> + +<para>To build the plugin, run <command>make bin/pdb_mysql.so</command> +in the <filename>source/</filename> directory of samba distribution. +</para> + +<para>Next, copy pdb_mysql.so to any location you want. I +strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para> + +</sect1> + +<sect1> +<title>Configuring</title> + +<para>This plugin lacks some good documentation, but here is some short info:</para> + +<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>: +<programlisting> +passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins] +</programlisting> +</para> + +<para>The identifier can be any string you like, as long as it doesn't collide with +the identifiers of other plugins or other instances of pdb_mysql. If you +specify multiple pdb_mysql.so entries in 'passdb backend', you also need to +use different identifiers! +</para> + +<para> +Additional options can be given thru the smb.conf file in the [global] section. 
+</para> + +<para><programlisting> +identifier:mysql host - host name, defaults to 'localhost' +identifier:mysql password +identifier:mysql user - defaults to 'samba' +identifier:mysql database - defaults to 'samba' +identifier:mysql port - defaults to 3306 +identifier:table - Name of the table containing users +</programlisting></para> + +<para>Names of the columns in this table(I've added column types those columns should have first):</para> + +<para><programlisting> +identifier:logon time column - int(9) +identifier:logoff time column - int(9) +identifier:kickoff time column - int(9) +identifier:pass last set time column - int(9) +identifier:pass can change time column - int(9) +identifier:pass must change time column - int(9) +identifier:username column - varchar(255) - unix username +identifier:domain column - varchar(255) - NT domain user is part of +identifier:nt username column - varchar(255) - NT username +identifier:fullname column - varchar(255) - Full name of user +identifier:home dir column - varchar(255) - Unix homedir path +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:profile path column - varchar(255) - Path of profile +identifier:acct desc column - varchar(255) - Some ASCII NT user data +identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:unknown string column - varchar(255) - unknown string +identifier:munged dial column - varchar(255) - ? 
+identifier:uid column - int(9) - Unix user ID (uid) +identifier:gid column - int(9) - Unix user group (gid) +identifier:user sid column - varchar(255) - NT user SID +identifier:group sid column - varchar(255) - NT group ID +identifier:lanman pass column - varchar(255) - encrypted lanman password +identifier:nt pass column - varchar(255) - encrypted nt passwd +identifier:plain pass column - varchar(255) - plaintext password +identifier:acct control column - int(9) - nt user data +identifier:unknown 3 column - int(9) - unknown +identifier:logon divs column - int(9) - ? +identifier:hours len column - int(9) - ? +identifier:unknown 5 column - int(9) - unknown +identifier:unknown 6 column - int(9) - unknown +</programlisting></para> + +<para> +Eventually, you can put a colon (:) after the name of each column, which +should specify the column to update when updating the table. You can also +specify nothing behind the colon - then the data from the field will not be +updated. +</para> + +</sect1> + +<sect1> +<title>Using plaintext passwords or encrypted password</title> + +<para> +I strongly discourage the use of plaintext passwords, however, you can use them: +</para> + +<para> +If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. +</para> + +<para> +If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. +</para> + +</sect1> + +<sect1> +<title>Getting non-column data from the table</title> + +<para> +It is possible to have not all data in the database and making some 'constant'. 
+</para> + +<para> +For example, you can set 'identifier:fullname column' to : +<command>CONCAT(First_name,' ',Sur_name)</command> +</para> + +<para> +Or, set 'identifier:workstations column' to : +<command>NULL</command></para> + +<para>See the MySQL documentation for more language constructs.</para> + +</sect1> +</chapter> diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html new file mode 100644 index 0000000000..49345be2c0 --- /dev/null +++ b/docs/htmldocs/ads.html 
@@ -0,0 +1,423 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Samba as a ADS domain member</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Type of installation" +HREF="type.html"><LINK +REL="PREVIOUS" +TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" +HREF="samba-bdc.html"><LINK +REL="NEXT" +TITLE="Samba as a NT4 domain member" +HREF="domain-security.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="samba-bdc.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="domain-security.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="ADS" +></A +>Chapter 9. Samba as a ADS domain member</H1 +><P +>This is a VERY ROUGH guide to setting up the current (November 2001) +pre-alpha version of Samba 3.0 with kerberos authentication against a +Windows2000 KDC. The procedures listed here are likely to change as +the code develops.</P +><P +>Pieces you need before you begin: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>a Windows 2000 server.</TD +></TR +><TR +><TD +>samba 3.0 or higher.</TD +></TR +><TR +><TD +>the MIT kerberos development libraries (either install from the above sources or use a package). 
The heimdal libraries will not work.</TD +></TR +><TR +><TD +>the OpenLDAP development libraries.</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1203" +></A +>9.1. Installing the required packages for Debian</H1 +><P +>On Debian you need to install the following packages: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>libkrb5-dev</TD +></TR +><TR +><TD +>krb5-user</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1209" +></A +>9.2. Installing the required packages for RedHat</H1 +><P +>On RedHat this means you should have at least: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>krb5-workstation (for kinit)</TD +></TR +><TR +><TD +>krb5-libs (for linking with)</TD +></TR +><TR +><TD +>krb5-devel (because you are compiling from source)</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><P +>in addition to the standard development environment.</P +><P +>Note that these are not standard on a RedHat install, and you may need +to get them off CD2.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1218" +></A +>9.3. Compile Samba</H1 +><P +>If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR.</P +><P +>After you run configure make sure that include/config.h contains + lines like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#define HAVE_KRB5 1 +#define HAVE_LDAP 1</PRE +></P +><P +>If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it.</P +><P +>Then compile and install Samba as usual. 
You must use at least the + following 3 options in smb.conf:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> realm = YOUR.KERBEROS.REALM + ads server = your.kerberos.server + security = ADS + encrypt passwords = yes</PRE +></P +><P +>Strictly speaking, you can omit the realm name and you can use an IP + address for the ads server. In that case Samba will auto-detect these.</P +><P +>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above + required options will change soon when we get better active + directory integration.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1230" +></A +>9.4. Setup your /etc/krb5.conf</H1 +><P +>The minimal configuration for krb5.conf is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + }</PRE +></P +><P +>Test your config by doing a "kinit USERNAME@REALM" and making sure that + your password is accepted by the Win2000 KDC. </P +><P +>NOTE: The realm must be uppercase. </P +><P +>You also must ensure that you can do a reverse DNS lookup on the IP +address of your KDC. Also, the name that this reverse lookup maps to +must either be the netbios name of the KDC (ie. the hostname with no +domain attached) or it can alternatively be the netbios name +followed by the realm. </P +><P +>The easiest way to ensure you get this right is to add a /etc/hosts +entry mapping the IP address of your KDC to its netbios name. If you +don't get this right then you will get a "local error" when you try +to join the realm.</P +><P +>If all you want is kerberos support in smbclient then you can skip +straight to step 5 now. Step 3 is only needed if you want kerberos +support in smbd.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1240" +></A +>9.5. 
Create the computer account</H1 +><P +>Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory +(usually root) run: +<B +CLASS="COMMAND" +>net ads join</B +></P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1244" +></A +>9.5.1. Possible errors</H2 +><P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>"bash: kinit: command not found"</DT +><DD +><P +>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P +></DD +><DT +>"ADS support not compiled in"</DT +><DD +><P +>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P +></DD +></DL +></DIV +></P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1256" +></A +>9.6. Test your server setup</H1 +><P +>On a Windows 2000 client try <B +CLASS="COMMAND" +>net use * \\server\share</B +>. You should +be logged in with kerberos without needing to know a password. If +this fails then run <B +CLASS="COMMAND" +>klist tickets</B +>. Did you get a ticket for the +server? Does it have an encoding type of DES-CBC-MD5 ? </P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1261" +></A +>9.7. Testing with smbclient</H1 +><P +>On your Samba server try to login to a Win2000 server or your Samba +server using smbclient and kerberos. Use smbclient as usual, but +specify the -k option to choose kerberos authentication.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1264" +></A +>9.8. Notes</H1 +><P +>You must change administrator password at least once after DC install, + to create the right encoding types</P +><P +>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in + their defaults DNS setup. 
Maybe fixed in service packs?</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="samba-bdc.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="domain-security.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="type.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Samba as a NT4 domain member</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/appendixes.html b/docs/htmldocs/appendixes.html new file mode 100644 index 0000000000..49242c6554 --- /dev/null +++ b/docs/htmldocs/appendixes.html 
@@ -0,0 +1,391 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Appendixes</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="PREVIOUS" +TITLE="Samba performance issues" +HREF="speed.html"><LINK +REL="NEXT" +TITLE="Portability" +HREF="portability.html"></HEAD +><BODY +CLASS="PART" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="speed.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="portability.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="PART" +><A +NAME="APPENDIXES" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +>IV. Appendixes</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>24. <A +HREF="portability.html" +>Portability</A +></DT +><DD +><DL +><DT +>24.1. <A +HREF="portability.html#AEN3198" +>HPUX</A +></DT +><DT +>24.2. <A +HREF="portability.html#AEN3204" +>SCO Unix</A +></DT +><DT +>24.3. <A +HREF="portability.html#AEN3208" +>DNIX</A +></DT +><DT +>24.4. <A +HREF="portability.html#AEN3237" +>RedHat Linux Rembrandt-II</A +></DT +></DL +></DD +><DT +>25. <A +HREF="other-clients.html" +>Samba and other CIFS clients</A +></DT +><DD +><DL +><DT +>25.1. <A +HREF="other-clients.html#AEN3258" +>Macintosh clients?</A +></DT +><DT +>25.2. <A +HREF="other-clients.html#AEN3267" +>OS2 Client</A +></DT +><DD +><DL +><DT +>25.2.1. 
<A +HREF="other-clients.html#AEN3269" +>How can I configure OS/2 Warp Connect or + OS/2 Warp 4 as a client for Samba?</A +></DT +><DT +>25.2.2. <A +HREF="other-clients.html#AEN3284" +>How can I configure OS/2 Warp 3 (not Connect), + OS/2 1.2, 1.3 or 2.x for Samba?</A +></DT +><DT +>25.2.3. <A +HREF="other-clients.html#AEN3293" +>Are there any other issues when OS/2 (any version) + is used as a client?</A +></DT +><DT +>25.2.4. <A +HREF="other-clients.html#AEN3297" +>How do I get printer driver download working + for OS/2 clients?</A +></DT +></DL +></DD +><DT +>25.3. <A +HREF="other-clients.html#AEN3307" +>Windows for Workgroups</A +></DT +><DD +><DL +><DT +>25.3.1. <A +HREF="other-clients.html#AEN3309" +>Use latest TCP/IP stack from Microsoft</A +></DT +><DT +>25.3.2. <A +HREF="other-clients.html#AEN3314" +>Delete .pwl files after password change</A +></DT +><DT +>25.3.3. <A +HREF="other-clients.html#AEN3319" +>Configure WfW password handling</A +></DT +><DT +>25.3.4. <A +HREF="other-clients.html#AEN3323" +>Case handling of passwords</A +></DT +></DL +></DD +><DT +>25.4. <A +HREF="other-clients.html#AEN3328" +>Windows '95/'98</A +></DT +><DT +>25.5. <A +HREF="other-clients.html#AEN3344" +>Windows 2000 Service Pack 2</A +></DT +></DL +></DD +><DT +>26. <A +HREF="bugreport.html" +>Reporting Bugs</A +></DT +><DD +><DL +><DT +>26.1. <A +HREF="bugreport.html#AEN3368" +>Introduction</A +></DT +><DT +>26.2. <A +HREF="bugreport.html#AEN3378" +>General info</A +></DT +><DT +>26.3. <A +HREF="bugreport.html#AEN3384" +>Debug levels</A +></DT +><DT +>26.4. <A +HREF="bugreport.html#AEN3401" +>Internal errors</A +></DT +><DT +>26.5. <A +HREF="bugreport.html#AEN3411" +>Attaching to a running process</A +></DT +><DT +>26.6. <A +HREF="bugreport.html#AEN3414" +>Patches</A +></DT +></DL +></DD +><DT +>27. <A +HREF="diagnosis.html" +>Diagnosing your samba server</A +></DT +><DD +><DL +><DT +>27.1. <A +HREF="diagnosis.html#AEN3437" +>Introduction</A +></DT +><DT +>27.2. 
<A +HREF="diagnosis.html#AEN3442" +>Assumptions</A +></DT +><DT +>27.3. <A +HREF="diagnosis.html#AEN3452" +>Tests</A +></DT +><DD +><DL +><DT +>27.3.1. <A +HREF="diagnosis.html#AEN3454" +>Test 1</A +></DT +><DT +>27.3.2. <A +HREF="diagnosis.html#AEN3460" +>Test 2</A +></DT +><DT +>27.3.3. <A +HREF="diagnosis.html#AEN3466" +>Test 3</A +></DT +><DT +>27.3.4. <A +HREF="diagnosis.html#AEN3481" +>Test 4</A +></DT +><DT +>27.3.5. <A +HREF="diagnosis.html#AEN3486" +>Test 5</A +></DT +><DT +>27.3.6. <A +HREF="diagnosis.html#AEN3492" +>Test 6</A +></DT +><DT +>27.3.7. <A +HREF="diagnosis.html#AEN3500" +>Test 7</A +></DT +><DT +>27.3.8. <A +HREF="diagnosis.html#AEN3526" +>Test 8</A +></DT +><DT +>27.3.9. <A +HREF="diagnosis.html#AEN3543" +>Test 9</A +></DT +><DT +>27.3.10. <A +HREF="diagnosis.html#AEN3551" +>Test 10</A +></DT +><DT +>27.3.11. <A +HREF="diagnosis.html#AEN3557" +>Test 11</A +></DT +></DL +></DD +><DT +>27.4. <A +HREF="diagnosis.html#AEN3562" +>Still having troubles?</A +></DT +></DL +></DD +></DL +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="speed.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="portability.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Samba performance issues</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Portability</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/introduction.html b/docs/htmldocs/introduction.html new file mode 100644 index 0000000000..581687e8ab --- /dev/null +++ b/docs/htmldocs/introduction.html 
@@ -0,0 +1,438 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>General installation</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="PREVIOUS" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="NEXT" +TITLE="How to Install and Test SAMBA" +HREF="install.html"></HEAD +><BODY +CLASS="PART" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="install.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="PART" +><A +NAME="INTRODUCTION" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +>I. General installation</H1 +><DIV +CLASS="PARTINTRO" +><A +NAME="AEN21" +></A +><H1 +>Introduction</H1 +><P +>This part contains general info on how to install samba +and how to configure the parts of samba you will most likely need. +PLEASE read this.</P +></DIV +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>1. <A +HREF="install.html" +>How to Install and Test SAMBA</A +></DT +><DD +><DL +><DT +>1.1. <A +HREF="install.html#AEN26" +>Read the man pages</A +></DT +><DT +>1.2. <A +HREF="install.html#AEN36" +>Building the Binaries</A +></DT +><DT +>1.3. <A +HREF="install.html#AEN64" +>The all important step</A +></DT +><DT +>1.4. 
<A +HREF="install.html#AEN68" +>Create the smb configuration file.</A +></DT +><DT +>1.5. <A +HREF="install.html#AEN82" +>Test your config file with + <B +CLASS="COMMAND" +>testparm</B +></A +></DT +><DT +>1.6. <A +HREF="install.html#AEN90" +>Starting the smbd and nmbd</A +></DT +><DD +><DL +><DT +>1.6.1. <A +HREF="install.html#AEN100" +>Starting from inetd.conf</A +></DT +><DT +>1.6.2. <A +HREF="install.html#AEN129" +>Alternative: starting it as a daemon</A +></DT +></DL +></DD +><DT +>1.7. <A +HREF="install.html#AEN145" +>Try listing the shares available on your + server</A +></DT +><DT +>1.8. <A +HREF="install.html#AEN154" +>Try connecting with the unix client</A +></DT +><DT +>1.9. <A +HREF="install.html#AEN170" +>Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... client</A +></DT +><DT +>1.10. <A +HREF="install.html#AEN184" +>What If Things Don't Work?</A +></DT +><DD +><DL +><DT +>1.10.1. <A +HREF="install.html#AEN189" +>Diagnosing Problems</A +></DT +><DT +>1.10.2. <A +HREF="install.html#AEN193" +>Scope IDs</A +></DT +><DT +>1.10.3. <A +HREF="install.html#AEN196" +>Choosing the Protocol Level</A +></DT +><DT +>1.10.4. <A +HREF="install.html#AEN205" +>Printing from UNIX to a Client PC</A +></DT +><DT +>1.10.5. <A +HREF="install.html#AEN210" +>Locking</A +></DT +><DT +>1.10.6. <A +HREF="install.html#AEN219" +>Mapping Usernames</A +></DT +></DL +></DD +></DL +></DD +><DT +>2. <A +HREF="improved-browsing.html" +>Improved browsing in samba</A +></DT +><DD +><DL +><DT +>2.1. <A +HREF="improved-browsing.html#AEN229" +>Overview of browsing</A +></DT +><DT +>2.2. <A +HREF="improved-browsing.html#AEN233" +>Browsing support in samba</A +></DT +><DT +>2.3. <A +HREF="improved-browsing.html#AEN242" +>Problem resolution</A +></DT +><DT +>2.4. <A +HREF="improved-browsing.html#AEN249" +>Browsing across subnets</A +></DT +><DD +><DL +><DT +>2.4.1. 
<A +HREF="improved-browsing.html#AEN254" +>How does cross subnet browsing work ?</A +></DT +></DL +></DD +><DT +>2.5. <A +HREF="improved-browsing.html#AEN289" +>Setting up a WINS server</A +></DT +><DT +>2.6. <A +HREF="improved-browsing.html#AEN308" +>Setting up Browsing in a WORKGROUP</A +></DT +><DT +>2.7. <A +HREF="improved-browsing.html#AEN326" +>Setting up Browsing in a DOMAIN</A +></DT +><DT +>2.8. <A +HREF="improved-browsing.html#AEN336" +>Forcing samba to be the master</A +></DT +><DT +>2.9. <A +HREF="improved-browsing.html#AEN345" +>Making samba the domain master</A +></DT +><DT +>2.10. <A +HREF="improved-browsing.html#AEN363" +>Note about broadcast addresses</A +></DT +><DT +>2.11. <A +HREF="improved-browsing.html#AEN366" +>Multiple interfaces</A +></DT +></DL +></DD +><DT +>3. <A +HREF="oplocks.html" +>Oplocks</A +></DT +><DD +><DL +><DT +>3.1. <A +HREF="oplocks.html#AEN378" +>What are oplocks?</A +></DT +></DL +></DD +><DT +>4. <A +HREF="browsing-quick.html" +>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A +></DT +><DD +><DL +><DT +>4.1. <A +HREF="browsing-quick.html#AEN393" +>Discussion</A +></DT +><DT +>4.2. <A +HREF="browsing-quick.html#AEN401" +>Use of the "Remote Announce" parameter</A +></DT +><DT +>4.3. <A +HREF="browsing-quick.html#AEN415" +>Use of the "Remote Browse Sync" parameter</A +></DT +><DT +>4.4. <A +HREF="browsing-quick.html#AEN420" +>Use of WINS</A +></DT +><DT +>4.5. <A +HREF="browsing-quick.html#AEN431" +>Do NOT use more than one (1) protocol on MS Windows machines</A +></DT +><DT +>4.6. <A +HREF="browsing-quick.html#AEN437" +>Name Resolution Order</A +></DT +></DL +></DD +><DT +>5. <A +HREF="pwencrypt.html" +>LanMan and NT Password Encryption in Samba</A +></DT +><DD +><DL +><DT +>5.1. <A +HREF="pwencrypt.html#AEN473" +>Introduction</A +></DT +><DT +>5.2. <A +HREF="pwencrypt.html#AEN478" +>Important Notes About Security</A +></DT +><DD +><DL +><DT +>5.2.1. 
<A +HREF="pwencrypt.html#AEN497" +>Advantages of SMB Encryption</A +></DT +><DT +>5.2.2. <A +HREF="pwencrypt.html#AEN504" +>Advantages of non-encrypted passwords</A +></DT +></DL +></DD +><DT +>5.3. <A +HREF="pwencrypt.html#AEN513" +>The smbpasswd Command</A +></DT +></DL +></DD +></DL +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="install.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>SAMBA Project Documentation</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>How to Install and Test SAMBA</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/oplocks.html b/docs/htmldocs/oplocks.html new file mode 100644 index 0000000000..6aa91fb17f --- /dev/null +++ b/docs/htmldocs/oplocks.html 
@@ -0,0 +1,208 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Oplocks</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="General installation" +HREF="introduction.html"><LINK +REL="PREVIOUS" +TITLE="Improved browsing in samba" +HREF="improved-browsing.html"><LINK +REL="NEXT" +TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide" +HREF="browsing-quick.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="improved-browsing.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="browsing-quick.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="OPLOCKS" +></A +>Chapter 3. Oplocks</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN378" +></A +>3.1. What are oplocks?</H1 +><P +>When a client opens a file it can request an "oplock" or file +lease. This is (to simplify a bit) a guarentee that no one else +has the file open simultaneously. It allows the client to not +send any updates on the file to the server, thus reducing a +network file access to local access (once the file is in +client cache). An "oplock break" is when the server sends +a request to the client to flush all its changes back to +the server, so the file is in a consistent state for other +opens to succeed. 
If a client fails to respond to this +asynchronous request then the file can be corrupted. Hence +the "turn off oplocks" answer if people are having multi-user +file access problems.</P +><P +>Unless the kernel is "oplock aware" (SGI IRIX and Linux are +the only two UNIXes that are at the moment) then if a local +UNIX process accesses the file simultaneously then Samba +has no way of telling this is occuring, so the guarentee +to the client is broken. This can corrupt the file. Short +answer - it you have UNIX clients accessing the same file +as smbd locally or via NFS and you're not running Linux or +IRIX then turn off oplocks for that file or share.</P +><P +>"Share modes". These are modes of opening a file, that +guarentee an invarient - such as DENY_WRITE - which means +that if any other opens are requested with write access after +this current open has succeeded then they should be denied +with a "sharing violation" error message. Samba handles these +internally inside smbd. UNIX clients accessing the same file +ignore these invarients. Just proving that if you need simultaneous +file access from a Windows and UNIX client you *must* have an +application that is written to lock records correctly on both +sides. Few applications are written like this, and even fewer +are cross platform (UNIX and Windows) so in practice this isn't +much of a problem.</P +><P +>"Locking". This really means "byte range locking" - such as +lock 10 bytes at file offset 24 for write access. This is the +area in which well written UNIX and Windows apps will cooperate. +Windows locks (at least from NT or above) are 64-bit unsigned +offsets. UNIX locks are either 31 bit or 63 bit and are signed +(the top bit is used for the sign). Samba handles these by +first ensuring that all the Windows locks don't conflict (ie. +if other Windows clients have competing locks then just reject +immediately) - this allows us to support 64-bit Windows locks +on 32-bit filesystems. 
Secondly any locks that are valid are +then mapped onto UNIX fcntl byte range locks. These are the +locks that will be seen by UNIX processes. If there is a conflict +here the lock is rejected.</P +><P +>Note that if a client has an oplock then it "knows" that no +other client can have the file open so usually doesn't bother +to send to lock request to the server - this means once again +if you need to share files between UNIX and Windows processes +either use IRIX or Linux, or turn off oplocks for these +files/shares.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="improved-browsing.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="browsing-quick.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Improved browsing in samba</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="introduction.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
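Review bot: Section 3.1 twice tells the reader to turn off oplocks "for that file or share" (second and last paragraphs) but never names the smb.conf setting that does it, so the chapter's one actionable instruction cannot be followed from this page. Name the parameters where the advice is given, for example "oplocks = no" on the share or "veto oplock files" for individual files. The same paragraphs carry misspellings that should be corrected in the DocBook source before the HTML is regenerated: "guarentee" (three times), "invarient" and "invarients", "occuring", "it you have UNIX clients" (should be "if you have"), and "send to lock request" (should be "send the lock request"). The claim that IRIX and Linux are the only oplock-aware kernels "at the moment" would also age better with a Samba version or date attached.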
\ No newline at end of file diff --git a/docs/htmldocs/optional.html b/docs/htmldocs/optional.html new file mode 100644 index 0000000000..da152ea1ca --- /dev/null +++ b/docs/htmldocs/optional.html 
@@ -0,0 +1,955 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Optional configuration</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="PREVIOUS" +TITLE="Samba as a NT4 domain member" +HREF="domain-security.html"><LINK +REL="NEXT" +TITLE="Integrating MS Windows networks with Samba" +HREF="integrate-ms-networks.html"></HEAD +><BODY +CLASS="PART" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="domain-security.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="integrate-ms-networks.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="PART" +><A +NAME="OPTIONAL" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +>III. Optional configuration</H1 +><DIV +CLASS="PARTINTRO" +><A +NAME="AEN1373" +></A +><H1 +>Introduction</H1 +><P +>Samba has several features that you might want or might not want to use. The chapters in this +part each cover one specific feature.</P +></DIV +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>11. <A +HREF="integrate-ms-networks.html" +>Integrating MS Windows networks with Samba</A +></DT +><DD +><DL +><DT +>11.1. <A +HREF="integrate-ms-networks.html#AEN1387" +>Agenda</A +></DT +><DT +>11.2. <A +HREF="integrate-ms-networks.html#AEN1409" +>Name Resolution in a pure Unix/Linux world</A +></DT +><DD +><DL +><DT +>11.2.1. 
<A +HREF="integrate-ms-networks.html#AEN1425" +><TT +CLASS="FILENAME" +>/etc/hosts</TT +></A +></DT +><DT +>11.2.2. <A +HREF="integrate-ms-networks.html#AEN1441" +><TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></A +></DT +><DT +>11.2.3. <A +HREF="integrate-ms-networks.html#AEN1452" +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +></A +></DT +><DT +>11.2.4. <A +HREF="integrate-ms-networks.html#AEN1460" +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></A +></DT +></DL +></DD +><DT +>11.3. <A +HREF="integrate-ms-networks.html#AEN1472" +>Name resolution as used within MS Windows networking</A +></DT +><DD +><DL +><DT +>11.3.1. <A +HREF="integrate-ms-networks.html#AEN1484" +>The NetBIOS Name Cache</A +></DT +><DT +>11.3.2. <A +HREF="integrate-ms-networks.html#AEN1489" +>The LMHOSTS file</A +></DT +><DT +>11.3.3. <A +HREF="integrate-ms-networks.html#AEN1497" +>HOSTS file</A +></DT +><DT +>11.3.4. <A +HREF="integrate-ms-networks.html#AEN1502" +>DNS Lookup</A +></DT +><DT +>11.3.5. <A +HREF="integrate-ms-networks.html#AEN1505" +>WINS Lookup</A +></DT +></DL +></DD +><DT +>11.4. <A +HREF="integrate-ms-networks.html#AEN1517" +>How browsing functions and how to deploy stable and +dependable browsing using Samba</A +></DT +><DT +>11.5. <A +HREF="integrate-ms-networks.html#AEN1527" +>MS Windows security options and how to configure +Samba for seemless integration</A +></DT +><DD +><DL +><DT +>11.5.1. <A +HREF="integrate-ms-networks.html#AEN1555" +>Use MS Windows NT as an authentication server</A +></DT +><DT +>11.5.2. <A +HREF="integrate-ms-networks.html#AEN1563" +>Make Samba a member of an MS Windows NT security domain</A +></DT +><DT +>11.5.3. <A +HREF="integrate-ms-networks.html#AEN1580" +>Configure Samba as an authentication server</A +></DT +></DL +></DD +><DT +>11.6. <A +HREF="integrate-ms-networks.html#AEN1597" +>Conclusions</A +></DT +></DL +></DD +><DT +>12. 
<A +HREF="unix-permissions.html" +>UNIX Permission Bits and Windows NT Access Control Lists</A +></DT +><DD +><DL +><DT +>12.1. <A +HREF="unix-permissions.html#AEN1618" +>Viewing and changing UNIX permissions using the NT + security dialogs</A +></DT +><DT +>12.2. <A +HREF="unix-permissions.html#AEN1627" +>How to view file security on a Samba share</A +></DT +><DT +>12.3. <A +HREF="unix-permissions.html#AEN1638" +>Viewing file ownership</A +></DT +><DT +>12.4. <A +HREF="unix-permissions.html#AEN1658" +>Viewing file or directory permissions</A +></DT +><DD +><DL +><DT +>12.4.1. <A +HREF="unix-permissions.html#AEN1673" +>File Permissions</A +></DT +><DT +>12.4.2. <A +HREF="unix-permissions.html#AEN1687" +>Directory Permissions</A +></DT +></DL +></DD +><DT +>12.5. <A +HREF="unix-permissions.html#AEN1694" +>Modifying file or directory permissions</A +></DT +><DT +>12.6. <A +HREF="unix-permissions.html#AEN1716" +>Interaction with the standard Samba create mask + parameters</A +></DT +><DT +>12.7. <A +HREF="unix-permissions.html#AEN1780" +>Interaction with the standard Samba file attribute + mapping</A +></DT +></DL +></DD +><DT +>13. <A +HREF="pam.html" +>Configuring PAM for distributed but centrally +managed authentication</A +></DT +><DD +><DL +><DT +>13.1. <A +HREF="pam.html#AEN1801" +>Samba and PAM</A +></DT +><DT +>13.2. <A +HREF="pam.html#AEN1845" +>Distributed Authentication</A +></DT +><DT +>13.3. <A +HREF="pam.html#AEN1852" +>PAM Configuration in smb.conf</A +></DT +></DL +></DD +><DT +>14. <A +HREF="msdfs.html" +>Hosting a Microsoft Distributed File System tree on Samba</A +></DT +><DD +><DL +><DT +>14.1. <A +HREF="msdfs.html#AEN1872" +>Instructions</A +></DT +><DD +><DL +><DT +>14.1.1. <A +HREF="msdfs.html#AEN1907" +>Notes</A +></DT +></DL +></DD +></DL +></DD +><DT +>15. <A +HREF="printing.html" +>Printing Support</A +></DT +><DD +><DL +><DT +>15.1. <A +HREF="printing.html#AEN1933" +>Introduction</A +></DT +><DT +>15.2. 
<A +HREF="printing.html#AEN1955" +>Configuration</A +></DT +><DD +><DL +><DT +>15.2.1. <A +HREF="printing.html#AEN1963" +>Creating [print$]</A +></DT +><DT +>15.2.2. <A +HREF="printing.html#AEN1998" +>Setting Drivers for Existing Printers</A +></DT +><DT +>15.2.3. <A +HREF="printing.html#AEN2014" +>Support a large number of printers</A +></DT +><DT +>15.2.4. <A +HREF="printing.html#AEN2025" +>Adding New Printers via the Windows NT APW</A +></DT +><DT +>15.2.5. <A +HREF="printing.html#AEN2055" +>Samba and Printer Ports</A +></DT +></DL +></DD +><DT +>15.3. <A +HREF="printing.html#AEN2063" +>The Imprints Toolset</A +></DT +><DD +><DL +><DT +>15.3.1. <A +HREF="printing.html#AEN2067" +>What is Imprints?</A +></DT +><DT +>15.3.2. <A +HREF="printing.html#AEN2077" +>Creating Printer Driver Packages</A +></DT +><DT +>15.3.3. <A +HREF="printing.html#AEN2080" +>The Imprints server</A +></DT +><DT +>15.3.4. <A +HREF="printing.html#AEN2084" +>The Installation Client</A +></DT +></DL +></DD +><DT +>15.4. <A +HREF="printing.html#AEN2106" +>Diagnosis</A +></DT +><DD +><DL +><DT +>15.4.1. <A +HREF="printing.html#AEN2108" +>Introduction</A +></DT +><DT +>15.4.2. <A +HREF="printing.html#AEN2124" +>Debugging printer problems</A +></DT +><DT +>15.4.3. <A +HREF="printing.html#AEN2133" +>What printers do I have?</A +></DT +><DT +>15.4.4. <A +HREF="printing.html#AEN2141" +>Setting up printcap and print servers</A +></DT +><DT +>15.4.5. <A +HREF="printing.html#AEN2169" +>Job sent, no output</A +></DT +><DT +>15.4.6. <A +HREF="printing.html#AEN2180" +>Job sent, strange output</A +></DT +><DT +>15.4.7. <A +HREF="printing.html#AEN2192" +>Raw PostScript printed</A +></DT +><DT +>15.4.8. <A +HREF="printing.html#AEN2195" +>Advanced Printing</A +></DT +><DT +>15.4.9. <A +HREF="printing.html#AEN2198" +>Real debugging</A +></DT +></DL +></DD +></DL +></DD +><DT +>16. <A +HREF="winbind.html" +>Unified Logons between Windows NT and UNIX using Winbind</A +></DT +><DD +><DL +><DT +>16.1. 
<A +HREF="winbind.html#AEN2238" +>Abstract</A +></DT +><DT +>16.2. <A +HREF="winbind.html#AEN2242" +>Introduction</A +></DT +><DT +>16.3. <A +HREF="winbind.html#AEN2255" +>What Winbind Provides</A +></DT +><DD +><DL +><DT +>16.3.1. <A +HREF="winbind.html#AEN2262" +>Target Uses</A +></DT +></DL +></DD +><DT +>16.4. <A +HREF="winbind.html#AEN2266" +>How Winbind Works</A +></DT +><DD +><DL +><DT +>16.4.1. <A +HREF="winbind.html#AEN2271" +>Microsoft Remote Procedure Calls</A +></DT +><DT +>16.4.2. <A +HREF="winbind.html#AEN2275" +>Name Service Switch</A +></DT +><DT +>16.4.3. <A +HREF="winbind.html#AEN2291" +>Pluggable Authentication Modules</A +></DT +><DT +>16.4.4. <A +HREF="winbind.html#AEN2299" +>User and Group ID Allocation</A +></DT +><DT +>16.4.5. <A +HREF="winbind.html#AEN2303" +>Result Caching</A +></DT +></DL +></DD +><DT +>16.5. <A +HREF="winbind.html#AEN2306" +>Installation and Configuration</A +></DT +><DD +><DL +><DT +>16.5.1. <A +HREF="winbind.html#AEN2313" +>Introduction</A +></DT +><DT +>16.5.2. <A +HREF="winbind.html#AEN2326" +>Requirements</A +></DT +><DT +>16.5.3. <A +HREF="winbind.html#AEN2340" +>Testing Things Out</A +></DT +></DL +></DD +><DT +>16.6. <A +HREF="winbind.html#AEN2555" +>Limitations</A +></DT +><DT +>16.7. <A +HREF="winbind.html#AEN2565" +>Conclusion</A +></DT +></DL +></DD +><DT +>17. <A +HREF="pdb-mysql.html" +>Passdb MySQL plugin</A +></DT +><DD +><DL +><DT +>17.1. <A +HREF="pdb-mysql.html#AEN2579" +>Building</A +></DT +><DT +>17.2. <A +HREF="pdb-mysql.html#AEN2585" +>Configuring</A +></DT +><DT +>17.3. <A +HREF="pdb-mysql.html#AEN2600" +>Using plaintext passwords or encrypted password</A +></DT +><DT +>17.4. <A +HREF="pdb-mysql.html#AEN2605" +>Getting non-column data from the table</A +></DT +></DL +></DD +><DT +>18. <A +HREF="pdb-xml.html" +>Passdb XML plugin</A +></DT +><DD +><DL +><DT +>18.1. <A +HREF="pdb-xml.html#AEN2624" +>Building</A +></DT +><DT +>18.2. 
<A +HREF="pdb-xml.html#AEN2630" +>Usage</A +></DT +></DL +></DD +><DT +>19. <A +HREF="vfs.html" +>Stackable VFS modules</A +></DT +><DD +><DL +><DT +>19.1. <A +HREF="vfs.html#AEN2651" +>Introduction and configuration</A +></DT +><DT +>19.2. <A +HREF="vfs.html#AEN2659" +>Included modules</A +></DT +><DD +><DL +><DT +>19.2.1. <A +HREF="vfs.html#AEN2661" +>audit</A +></DT +><DT +>19.2.2. <A +HREF="vfs.html#AEN2669" +>recycle</A +></DT +><DT +>19.2.3. <A +HREF="vfs.html#AEN2706" +>netatalk</A +></DT +></DL +></DD +><DT +>19.3. <A +HREF="vfs.html#AEN2713" +>VFS modules available elsewhere</A +></DT +><DD +><DL +><DT +>19.3.1. <A +HREF="vfs.html#AEN2717" +>DatabaseFS</A +></DT +><DT +>19.3.2. <A +HREF="vfs.html#AEN2725" +>vscan</A +></DT +></DL +></DD +></DL +></DD +><DT +>20. <A +HREF="samba-ldap-howto.html" +>Storing Samba's User/Machine Account information in an LDAP Directory</A +></DT +><DD +><DL +><DT +>20.1. <A +HREF="samba-ldap-howto.html#AEN2747" +>Purpose</A +></DT +><DT +>20.2. <A +HREF="samba-ldap-howto.html#AEN2767" +>Introduction</A +></DT +><DT +>20.3. <A +HREF="samba-ldap-howto.html#AEN2796" +>Supported LDAP Servers</A +></DT +><DT +>20.4. <A +HREF="samba-ldap-howto.html#AEN2801" +>Schema and Relationship to the RFC 2307 posixAccount</A +></DT +><DT +>20.5. <A +HREF="samba-ldap-howto.html#AEN2813" +>Configuring Samba with LDAP</A +></DT +><DD +><DL +><DT +>20.5.1. <A +HREF="samba-ldap-howto.html#AEN2815" +>OpenLDAP configuration</A +></DT +><DT +>20.5.2. <A +HREF="samba-ldap-howto.html#AEN2832" +>Configuring Samba</A +></DT +></DL +></DD +><DT +>20.6. <A +HREF="samba-ldap-howto.html#AEN2860" +>Accounts and Groups management</A +></DT +><DT +>20.7. <A +HREF="samba-ldap-howto.html#AEN2865" +>Security and sambaAccount</A +></DT +><DT +>20.8. <A +HREF="samba-ldap-howto.html#AEN2885" +>LDAP specials attributes for sambaAccounts</A +></DT +><DT +>20.9. <A +HREF="samba-ldap-howto.html#AEN2955" +>Example LDIF Entries for a sambaAccount</A +></DT +><DT +>20.10. 
<A +HREF="samba-ldap-howto.html#AEN2963" +>Comments</A +></DT +></DL +></DD +><DT +>21. <A +HREF="cvs-access.html" +>HOWTO Access Samba source code via CVS</A +></DT +><DD +><DL +><DT +>21.1. <A +HREF="cvs-access.html#AEN2974" +>Introduction</A +></DT +><DT +>21.2. <A +HREF="cvs-access.html#AEN2979" +>CVS Access to samba.org</A +></DT +><DD +><DL +><DT +>21.2.1. <A +HREF="cvs-access.html#AEN2982" +>Access via CVSweb</A +></DT +><DT +>21.2.2. <A +HREF="cvs-access.html#AEN2987" +>Access via cvs</A +></DT +></DL +></DD +></DL +></DD +><DT +>22. <A +HREF="groupmapping.html" +>Group mapping HOWTO</A +></DT +><DT +>23. <A +HREF="speed.html" +>Samba performance issues</A +></DT +><DD +><DL +><DT +>23.1. <A +HREF="speed.html#AEN3065" +>Comparisons</A +></DT +><DT +>23.2. <A +HREF="speed.html#AEN3071" +>Oplocks</A +></DT +><DD +><DL +><DT +>23.2.1. <A +HREF="speed.html#AEN3073" +>Overview</A +></DT +><DT +>23.2.2. <A +HREF="speed.html#AEN3081" +>Level2 Oplocks</A +></DT +><DT +>23.2.3. <A +HREF="speed.html#AEN3087" +>Old 'fake oplocks' option - deprecated</A +></DT +></DL +></DD +><DT +>23.3. <A +HREF="speed.html#AEN3091" +>Socket options</A +></DT +><DT +>23.4. <A +HREF="speed.html#AEN3098" +>Read size</A +></DT +><DT +>23.5. <A +HREF="speed.html#AEN3103" +>Max xmit</A +></DT +><DT +>23.6. <A +HREF="speed.html#AEN3108" +>Locking</A +></DT +><DT +>23.7. <A +HREF="speed.html#AEN3112" +>Share modes</A +></DT +><DT +>23.8. <A +HREF="speed.html#AEN3117" +>Log level</A +></DT +><DT +>23.9. <A +HREF="speed.html#AEN3120" +>Wide lines</A +></DT +><DT +>23.10. <A +HREF="speed.html#AEN3123" +>Read raw</A +></DT +><DT +>23.11. <A +HREF="speed.html#AEN3128" +>Write raw</A +></DT +><DT +>23.12. <A +HREF="speed.html#AEN3132" +>Read prediction</A +></DT +><DT +>23.13. <A +HREF="speed.html#AEN3139" +>Memory mapping</A +></DT +><DT +>23.14. <A +HREF="speed.html#AEN3144" +>Slow Clients</A +></DT +><DT +>23.15. <A +HREF="speed.html#AEN3148" +>Slow Logins</A +></DT +><DT +>23.16. 
<A +HREF="speed.html#AEN3151" +>Client tuning</A +></DT +><DT +>23.17. <A +HREF="speed.html#AEN3183" +>My Results</A +></DT +></DL +></DD +></DL +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="domain-security.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="integrate-ms-networks.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Samba as a NT4 domain member</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Integrating MS Windows networks with Samba</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
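Review bot: Two section titles in this table of contents are misspelled, "Samba for seemless integration" (11.5) and "LDAP specials attributes for sambaAccounts" (20.8), and 17.3 "Using plaintext passwords or encrypted password" mixes plural and singular. The META tag shows the page is output of the Modular DocBook HTML Stylesheet, so correct the titles in the source chapters ("seamless", "special", "passwords") and regenerate rather than patching the HTML.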
\ No newline at end of file diff --git a/docs/htmldocs/pdb-mysql.html b/docs/htmldocs/pdb-mysql.html new file mode 100644 index 0000000000..fc5dff85f5 --- /dev/null +++ b/docs/htmldocs/pdb-mysql.html 
@@ -0,0 +1,286 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Passdb MySQL plugin</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Optional configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Unified Logons between Windows NT and UNIX using Winbind" +HREF="winbind.html"><LINK +REL="NEXT" +TITLE="Passdb XML plugin" +HREF="pdb-xml.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="winbind.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="pdb-xml.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="PDB-MYSQL" +></A +>Chapter 17. Passdb MySQL plugin</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2579" +></A +>17.1. Building</H1 +><P +>To build the plugin, run <B +CLASS="COMMAND" +>make bin/pdb_mysql.so</B +> +in the <TT +CLASS="FILENAME" +>source/</TT +> directory of samba distribution. </P +><P +>Next, copy pdb_mysql.so to any location you want. I +strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2585" +></A +>17.2. 
Configuring</H1 +><P +>This plugin lacks some good documentation, but here is some short info:</P +><P +>Add a the following to the <B +CLASS="COMMAND" +>passdb backend</B +> variable in your <TT +CLASS="FILENAME" +>smb.conf</TT +>: +<PRE +CLASS="PROGRAMLISTING" +>passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]</PRE +></P +><P +>The identifier can be any string you like, as long as it doesn't collide with +the identifiers of other plugins or other instances of pdb_mysql. If you +specify multiple pdb_mysql.so entries in 'passdb backend', you also need to +use different identifiers!</P +><P +>Additional options can be given thru the smb.conf file in the [global] section.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>identifier:mysql host - host name, defaults to 'localhost' +identifier:mysql password +identifier:mysql user - defaults to 'samba' +identifier:mysql database - defaults to 'samba' +identifier:mysql port - defaults to 3306 +identifier:table - Name of the table containing users</PRE +></P +><P +>Names of the columns in this table(I've added column types those columns should have first):</P +><P +><PRE +CLASS="PROGRAMLISTING" +>identifier:logon time column - int(9) +identifier:logoff time column - int(9) +identifier:kickoff time column - int(9) +identifier:pass last set time column - int(9) +identifier:pass can change time column - int(9) +identifier:pass must change time column - int(9) +identifier:username column - varchar(255) - unix username +identifier:domain column - varchar(255) - NT domain user is part of +identifier:nt username column - varchar(255) - NT username +identifier:fullname column - varchar(255) - Full name of user +identifier:home dir column - varchar(255) - Unix homedir path +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:profile path column - varchar(255) - Path 
of profile +identifier:acct desc column - varchar(255) - Some ASCII NT user data +identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:unknown string column - varchar(255) - unknown string +identifier:munged dial column - varchar(255) - ? +identifier:uid column - int(9) - Unix user ID (uid) +identifier:gid column - int(9) - Unix user group (gid) +identifier:user sid column - varchar(255) - NT user SID +identifier:group sid column - varchar(255) - NT group ID +identifier:lanman pass column - varchar(255) - encrypted lanman password +identifier:nt pass column - varchar(255) - encrypted nt passwd +identifier:plain pass column - varchar(255) - plaintext password +identifier:acct control column - int(9) - nt user data +identifier:unknown 3 column - int(9) - unknown +identifier:logon divs column - int(9) - ? +identifier:hours len column - int(9) - ? +identifier:unknown 5 column - int(9) - unknown +identifier:unknown 6 column - int(9) - unknown</PRE +></P +><P +>Eventually, you can put a colon (:) after the name of each column, which +should specify the column to update when updating the table. You can also +specify nothing behind the colon - then the data from the field will not be +updated. </P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2600" +></A +>17.3. Using plaintext passwords or encrypted password</H1 +><P +>I strongly discourage the use of plaintext passwords, however, you can use them:</P +><P +>If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. </P +><P +>If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2605" +></A +>17.4. 
Getting non-column data from the table</H1 +><P +>It is possible to have not all data in the database and making some 'constant'.</P +><P +>For example, you can set 'identifier:fullname column' to : +<B +CLASS="COMMAND" +>CONCAT(First_name,' ',Sur_name)</B +></P +><P +>Or, set 'identifier:workstations column' to : +<B +CLASS="COMMAND" +>NULL</B +></P +><P +>See the MySQL documentation for more language constructs.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="winbind.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="pdb-xml.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Unified Logons between Windows NT and UNIX using Winbind</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Passdb XML plugin</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
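Review bot: Section 17.2 documents "identifier:mysql password" as an option in the [global] section of smb.conf, and the column list includes "lanman pass column", "nt pass column" and "plain pass column", yet nothing on the page says how the credential or the table is to be protected. The pwencrypt.html page in this same patch states that the 16 byte hashes are password equivalents and must be kept secret, so add a paragraph here saying the same applies to the MySQL table and to the smb.conf that holds the database password (restricted file permissions, a MySQL account limited to this table). Section 17.4 sets a column option to CONCAT(First_name,' ',Sur_name), which implies the option values are placed into the query text as written; the page should say so explicitly, because it makes write access to smb.conf equivalent to control over the queries. Smaller points: "Add a the following" in 17.2, "Eventually, you can put a colon" reads as if "optionally" was meant, and "identifier:mysql password" is the only connection option listed without a description or default.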
\ No newline at end of file diff --git a/docs/htmldocs/pdb-xml.html b/docs/htmldocs/pdb-xml.html new file mode 100644 index 0000000000..221e51d5b7 --- /dev/null +++ b/docs/htmldocs/pdb-xml.html 
@@ -0,0 +1,189 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Passdb XML plugin</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Optional configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Passdb MySQL plugin" +HREF="pdb-mysql.html"><LINK +REL="NEXT" +TITLE="Stackable VFS modules" +HREF="vfs.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="pdb-mysql.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="vfs.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="PDB-XML" +></A +>Chapter 18. Passdb XML plugin</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2624" +></A +>18.1. Building</H1 +><P +>This module requires libxml2 to be installed.</P +><P +>To build pdb_xml, run: <B +CLASS="COMMAND" +>make bin/pdb_xml.so</B +> in +the directory <TT +CLASS="FILENAME" +>source/</TT +>. </P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2630" +></A +>18.2. Usage</H1 +><P +>The usage of pdb_xml is pretty straightforward. 
To export data, use: + +<B +CLASS="COMMAND" +>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</B +> + +(where filename is the name of the file to put the data in)</P +><P +>To import data, use: +<B +CLASS="COMMAND" +>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</B +> + +Where filename is the name to read the data from and current-pdb to put it in.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="pdb-mysql.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="vfs.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Passdb MySQL plugin</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Stackable VFS modules</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
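Review bot: Section 18.2 gives the export command "pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename" without saying what the resulting file contains or how it should be protected. If the export carries the LanMan and NT hash fields, the file is a set of password equivalents in the sense of pwencrypt.html section 5.2 in this patch, and the text should tell the reader to write it where only root can read it and to remove it once the import is done. In the import paragraph the sentence after the command starts with a capital "Where" and drops its verb ("and current-pdb to put it in"); reword along the lines of "where filename is the file to read the data from and current-pdb is the backend to import it into".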
\ No newline at end of file diff --git a/docs/htmldocs/pwencrypt.html b/docs/htmldocs/pwencrypt.html new file mode 100644 index 0000000000..0ce1bd037e --- /dev/null +++ b/docs/htmldocs/pwencrypt.html 
@@ -0,0 +1,445 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>LanMan and NT Password Encryption in Samba</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="General installation" +HREF="introduction.html"><LINK +REL="PREVIOUS" +TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide" +HREF="browsing-quick.html"><LINK +REL="NEXT" +TITLE="Type of installation" +HREF="type.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="browsing-quick.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="type.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="PWENCRYPT" +></A +>Chapter 5. LanMan and NT Password Encryption in Samba</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN473" +></A +>5.1. Introduction</H1 +><P +>Newer windows clients send encrypted passwords over + the wire, instead of plain text passwords. The newest clients + will only send encrypted passwords and refuse to send plain text + passwords, unless their registry is tweaked.</P +><P +>These passwords can't be converted to unix style encrypted + passwords. Because of that you can't use the standard unix + user database, and you have to store the Lanman and NT hashes + somewhere else. 
For more information, see the documentation + about the <B +CLASS="COMMAND" +>passdb backend = </B +> parameter. + </P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN478" +></A +>5.2. Important Notes About Security</H1 +><P +>The unix and SMB password encryption techniques seem similar + on the surface. This similarity is, however, only skin deep. The unix + scheme typically sends clear text passwords over the network when + logging in. This is bad. The SMB encryption scheme never sends the + cleartext password over the network but it does store the 16 byte + hashed values on disk. This is also bad. Why? Because the 16 byte hashed + values are a "password equivalent". You cannot derive the user's + password from them, but they could potentially be used in a modified + client to gain access to a server. This would require considerable + technical knowledge on behalf of the attacker but is perfectly possible. + You should thus treat the smbpasswd file as though it contained the + cleartext passwords of all your users. Its contents must be kept + secret, and the file should be protected accordingly.</P +><P +>Ideally we would like a password scheme which neither requires + plain text passwords on the net or on disk. Unfortunately this + is not available as Samba is stuck with being compatible with + other SMB systems (WinNT, WfWg, Win95 etc). </P +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Note that Windows NT 4.0 Service pack 3 changed the + default for permissible authentication so that plaintext + passwords are <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>never</I +></SPAN +> sent over the wire. 
+ The solution to this is either to switch to encrypted passwords + with Samba or edit the Windows NT registry to re-enable plaintext + passwords. See the document WinNT.txt for details on how to do + this.</P +><P +>Other Microsoft operating systems which also exhibit + this behavior includes</P +><P +></P +><UL +><LI +><P +>MS DOS Network client 3.0 with + the basic network redirector installed</P +></LI +><LI +><P +>Windows 95 with the network redirector + update installed</P +></LI +><LI +><P +>Windows 98 [se]</P +></LI +><LI +><P +>Windows 2000</P +></LI +></UL +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Note :</I +></SPAN +>All current release of + Microsoft SMB/CIFS clients support authentication via the + SMB Challenge/Response mechanism described here. Enabling + clear text authentication does not disable the ability + of the client to participate in encrypted authentication.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN497" +></A +>5.2.1. Advantages of SMB Encryption</H2 +><P +></P +><UL +><LI +><P +>plain text passwords are not passed across + the network. Someone using a network sniffer cannot just + record passwords going to the SMB server.</P +></LI +><LI +><P +>WinNT doesn't like talking to a server + that isn't using SMB encrypted passwords. It will refuse + to browse the server if the server is also in user level + security mode. It will insist on prompting the user for the + password on each connection, which is very annoying. The + only things you can do to stop this is to use SMB encryption. + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN504" +></A +>5.2.2. Advantages of non-encrypted passwords</H2 +><P +></P +><UL +><LI +><P +>plain text passwords are not kept + on disk. 
</P +></LI +><LI +><P +>uses same password file as other unix + services such as login and ftp</P +></LI +><LI +><P +>you are probably already using other + services (such as telnet and ftp) which send plain text + passwords over the net, so sending them for SMB isn't + such a big deal.</P +></LI +></UL +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN513" +></A +>5.3. The smbpasswd Command</H1 +><P +>The smbpasswd command maintains the two 32 byte password fields + in the smbpasswd file. If you wish to make it similar to the unix + <B +CLASS="COMMAND" +>passwd</B +> or <B +CLASS="COMMAND" +>yppasswd</B +> programs, + install it in <TT +CLASS="FILENAME" +>/usr/local/samba/bin/</TT +> (or your + main Samba binary directory).</P +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> now works in a client-server mode + where it contacts the local smbd to change the user's password on its + behalf. This has enormous benefits - as follows.</P +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> now has the capability + to change passwords on Windows NT servers (this only works when + the request is sent to the NT Primary Domain Controller if you + are changing an NT Domain user's password).</P +><P +>To run smbpasswd as a normal user just type :</P +><P +><TT +CLASS="PROMPT" +>$ </TT +><TT +CLASS="USERINPUT" +><B +>smbpasswd</B +></TT +></P +><P +><TT +CLASS="PROMPT" +>Old SMB password: </TT +><TT +CLASS="USERINPUT" +><B +><type old value here - + or hit return if there was no old password></B +></TT +></P +><P +><TT +CLASS="PROMPT" +>New SMB Password: </TT +><TT +CLASS="USERINPUT" +><B +><type new value> + </B +></TT +></P +><P +><TT +CLASS="PROMPT" +>Repeat New SMB Password: </TT +><TT +CLASS="USERINPUT" +><B +><re-type new value + </B +></TT +></P +><P +>If the old value does not match the current value stored for + that user, or the two new values do not match each other, then the + password will not be changed.</P +><P +>If invoked by an ordinary user it 
will only allow the user + to change his or her own Samba password.</P +><P +>If run by the root user smbpasswd may take an optional + argument, specifying the user name whose SMB password you wish to + change. Note that when run as root smbpasswd does not prompt for + or check the old password value, thus allowing root to set passwords + for users who have forgotten their passwords.</P +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> is designed to work in the same way + and be familiar to UNIX users who use the <B +CLASS="COMMAND" +>passwd</B +> or + <B +CLASS="COMMAND" +>yppasswd</B +> commands.</P +><P +>For more details on using <B +CLASS="COMMAND" +>smbpasswd</B +> refer + to the man page which will always be the definitive reference.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="browsing-quick.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="type.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="introduction.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Type of installation</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
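Review bot: In the sample smbpasswd session in section 5.3, the placeholder text is written with raw angle brackets ("<type old value here - or hit return if there was no old password>", "<type new value>", and "<re-type new value" with no closing bracket), so a browser parses each one as an unknown tag and the three prompts render with nothing after them. Escape the brackets as &lt; and &gt; in the DocBook source, close the third placeholder, and regenerate this file. Separately, section 5.2 speaks of "16 byte hashed values" while section 5.3 says smbpasswd maintains "two 32 byte password fields"; if 32 is the hex-encoded length of a 16-byte hash, say so, or use one unit throughout.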
\ No newline at end of file diff --git a/docs/htmldocs/samba-howto-collection.html b/docs/htmldocs/samba-howto-collection.html new file mode 100644 index 0000000000..3c789a7a45 --- /dev/null +++ b/docs/htmldocs/samba-howto-collection.html 
@@ -0,0 +1,1132 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>SAMBA Project Documentation</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="NEXT" +TITLE="General installation" +HREF="introduction.html"></HEAD +><BODY +CLASS="BOOK" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="BOOK" +><A +NAME="SAMBA-HOWTO-COLLECTION" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +><A +NAME="SAMBA-HOWTO-COLLECTION" +></A +>SAMBA Project Documentation</H1 +><H3 +CLASS="AUTHOR" +><A +NAME="AEN4" +></A +>SAMBA Team</H3 +><HR></DIV +><H1 +><A +NAME="AEN8" +></A +>Abstract</H1 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Last Update</I +></SPAN +> : $Date: 2002/11/13 15:34:49 $</P +><P +>This book is a collection of HOWTOs added to Samba documentation over the years. +I try to ensure that all are current, but sometimes the is a larger job +than one person can maintain. The most recent version of this document +can be found at <A +HREF="http://www.samba.org/" +TARGET="_top" +>http://www.samba.org/</A +> +on the "Documentation" page. Please send updates to <A +HREF="mailto:jerry@samba.org" +TARGET="_top" +>jerry@samba.org</A +> or +<A +HREF="mailto:jelmer@samba.org" +TARGET="_top" +>jelmer@samba.org</A +>.</P +><P +>This documentation is distributed under the GNU General Public License (GPL) +version 2. A copy of the license is included with the Samba source +distribution. A copy can be found on-line at <A +HREF="http://www.fsf.org/licenses/gpl.txt" +TARGET="_top" +>http://www.fsf.org/licenses/gpl.txt</A +></P +><P +>Cheers, jerry</P +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>I. <A +HREF="introduction.html" +>General installation</A +></DT +><DD +><DL +><DT +>1. <A +HREF="install.html" +>How to Install and Test SAMBA</A +></DT +><DD +><DL +><DT +>1.1. 
<A +HREF="install.html#AEN26" +>Read the man pages</A +></DT +><DT +>1.2. <A +HREF="install.html#AEN36" +>Building the Binaries</A +></DT +><DT +>1.3. <A +HREF="install.html#AEN64" +>The all important step</A +></DT +><DT +>1.4. <A +HREF="install.html#AEN68" +>Create the smb configuration file.</A +></DT +><DT +>1.5. <A +HREF="install.html#AEN82" +>Test your config file with + <B +CLASS="COMMAND" +>testparm</B +></A +></DT +><DT +>1.6. <A +HREF="install.html#AEN90" +>Starting the smbd and nmbd</A +></DT +><DT +>1.7. <A +HREF="install.html#AEN145" +>Try listing the shares available on your + server</A +></DT +><DT +>1.8. <A +HREF="install.html#AEN154" +>Try connecting with the unix client</A +></DT +><DT +>1.9. <A +HREF="install.html#AEN170" +>Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... client</A +></DT +><DT +>1.10. <A +HREF="install.html#AEN184" +>What If Things Don't Work?</A +></DT +></DL +></DD +><DT +>2. <A +HREF="improved-browsing.html" +>Improved browsing in samba</A +></DT +><DD +><DL +><DT +>2.1. <A +HREF="improved-browsing.html#AEN229" +>Overview of browsing</A +></DT +><DT +>2.2. <A +HREF="improved-browsing.html#AEN233" +>Browsing support in samba</A +></DT +><DT +>2.3. <A +HREF="improved-browsing.html#AEN242" +>Problem resolution</A +></DT +><DT +>2.4. <A +HREF="improved-browsing.html#AEN249" +>Browsing across subnets</A +></DT +><DT +>2.5. <A +HREF="improved-browsing.html#AEN289" +>Setting up a WINS server</A +></DT +><DT +>2.6. <A +HREF="improved-browsing.html#AEN308" +>Setting up Browsing in a WORKGROUP</A +></DT +><DT +>2.7. <A +HREF="improved-browsing.html#AEN326" +>Setting up Browsing in a DOMAIN</A +></DT +><DT +>2.8. <A +HREF="improved-browsing.html#AEN336" +>Forcing samba to be the master</A +></DT +><DT +>2.9. <A +HREF="improved-browsing.html#AEN345" +>Making samba the domain master</A +></DT +><DT +>2.10. <A +HREF="improved-browsing.html#AEN363" +>Note about broadcast addresses</A +></DT +><DT +>2.11. 
<A +HREF="improved-browsing.html#AEN366" +>Multiple interfaces</A +></DT +></DL +></DD +><DT +>3. <A +HREF="oplocks.html" +>Oplocks</A +></DT +><DD +><DL +><DT +>3.1. <A +HREF="oplocks.html#AEN378" +>What are oplocks?</A +></DT +></DL +></DD +><DT +>4. <A +HREF="browsing-quick.html" +>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A +></DT +><DD +><DL +><DT +>4.1. <A +HREF="browsing-quick.html#AEN393" +>Discussion</A +></DT +><DT +>4.2. <A +HREF="browsing-quick.html#AEN401" +>Use of the "Remote Announce" parameter</A +></DT +><DT +>4.3. <A +HREF="browsing-quick.html#AEN415" +>Use of the "Remote Browse Sync" parameter</A +></DT +><DT +>4.4. <A +HREF="browsing-quick.html#AEN420" +>Use of WINS</A +></DT +><DT +>4.5. <A +HREF="browsing-quick.html#AEN431" +>Do NOT use more than one (1) protocol on MS Windows machines</A +></DT +><DT +>4.6. <A +HREF="browsing-quick.html#AEN437" +>Name Resolution Order</A +></DT +></DL +></DD +><DT +>5. <A +HREF="pwencrypt.html" +>LanMan and NT Password Encryption in Samba</A +></DT +><DD +><DL +><DT +>5.1. <A +HREF="pwencrypt.html#AEN473" +>Introduction</A +></DT +><DT +>5.2. <A +HREF="pwencrypt.html#AEN478" +>Important Notes About Security</A +></DT +><DT +>5.3. <A +HREF="pwencrypt.html#AEN513" +>The smbpasswd Command</A +></DT +></DL +></DD +></DL +></DD +><DT +>II. <A +HREF="type.html" +>Type of installation</A +></DT +><DD +><DL +><DT +>6. <A +HREF="securitylevels.html" +>User and Share security level (for servers not in a domain)</A +></DT +><DT +>7. <A +HREF="samba-pdc.html" +>How to Configure Samba as a NT4 Primary Domain Controller</A +></DT +><DD +><DL +><DT +>7.1. <A +HREF="samba-pdc.html#AEN591" +>Prerequisite Reading</A +></DT +><DT +>7.2. <A +HREF="samba-pdc.html#AEN597" +>Background</A +></DT +><DT +>7.3. <A +HREF="samba-pdc.html#AEN636" +>Configuring the Samba Domain Controller</A +></DT +><DT +>7.4. 
<A +HREF="samba-pdc.html#AEN679" +>Creating Machine Trust Accounts and Joining Clients to the +Domain</A +></DT +><DT +>7.5. <A +HREF="samba-pdc.html#AEN763" +>Common Problems and Errors</A +></DT +><DT +>7.6. <A +HREF="samba-pdc.html#AEN811" +>System Policies and Profiles</A +></DT +><DT +>7.7. <A +HREF="samba-pdc.html#AEN855" +>What other help can I get?</A +></DT +><DT +>7.8. <A +HREF="samba-pdc.html#AEN969" +>Domain Control for Windows 9x/ME</A +></DT +><DT +>7.9. <A +HREF="samba-pdc.html#AEN1107" +>DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A +></DT +></DL +></DD +><DT +>8. <A +HREF="samba-bdc.html" +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A +></DT +><DD +><DL +><DT +>8.1. <A +HREF="samba-bdc.html#AEN1143" +>Prerequisite Reading</A +></DT +><DT +>8.2. <A +HREF="samba-bdc.html#AEN1147" +>Background</A +></DT +><DT +>8.3. <A +HREF="samba-bdc.html#AEN1155" +>What qualifies a Domain Controller on the network?</A +></DT +><DT +>8.4. <A +HREF="samba-bdc.html#AEN1164" +>Can Samba be a Backup Domain Controller?</A +></DT +><DT +>8.5. <A +HREF="samba-bdc.html#AEN1168" +>How do I set up a Samba BDC?</A +></DT +></DL +></DD +><DT +>9. <A +HREF="ads.html" +>Samba as a ADS domain member</A +></DT +><DD +><DL +><DT +>9.1. <A +HREF="ads.html#AEN1203" +>Installing the required packages for Debian</A +></DT +><DT +>9.2. <A +HREF="ads.html#AEN1209" +>Installing the required packages for RedHat</A +></DT +><DT +>9.3. <A +HREF="ads.html#AEN1218" +>Compile Samba</A +></DT +><DT +>9.4. <A +HREF="ads.html#AEN1230" +>Setup your /etc/krb5.conf</A +></DT +><DT +>9.5. <A +HREF="ads.html#AEN1240" +>Create the computer account</A +></DT +><DT +>9.6. <A +HREF="ads.html#AEN1256" +>Test your server setup</A +></DT +><DT +>9.7. <A +HREF="ads.html#AEN1261" +>Testing with smbclient</A +></DT +><DT +>9.8. <A +HREF="ads.html#AEN1264" +>Notes</A +></DT +></DL +></DD +><DT +>10. 
<A +HREF="domain-security.html" +>Samba as a NT4 domain member</A +></DT +><DD +><DL +><DT +>10.1. <A +HREF="domain-security.html#AEN1286" +>Joining an NT Domain with Samba 2.2</A +></DT +><DT +>10.2. <A +HREF="domain-security.html#AEN1350" +>Samba and Windows 2000 Domains</A +></DT +><DT +>10.3. <A +HREF="domain-security.html#AEN1355" +>Why is this better than security = server?</A +></DT +></DL +></DD +></DL +></DD +><DT +>III. <A +HREF="optional.html" +>Optional configuration</A +></DT +><DD +><DL +><DT +>11. <A +HREF="integrate-ms-networks.html" +>Integrating MS Windows networks with Samba</A +></DT +><DD +><DL +><DT +>11.1. <A +HREF="integrate-ms-networks.html#AEN1387" +>Agenda</A +></DT +><DT +>11.2. <A +HREF="integrate-ms-networks.html#AEN1409" +>Name Resolution in a pure Unix/Linux world</A +></DT +><DT +>11.3. <A +HREF="integrate-ms-networks.html#AEN1472" +>Name resolution as used within MS Windows networking</A +></DT +><DT +>11.4. <A +HREF="integrate-ms-networks.html#AEN1517" +>How browsing functions and how to deploy stable and +dependable browsing using Samba</A +></DT +><DT +>11.5. <A +HREF="integrate-ms-networks.html#AEN1527" +>MS Windows security options and how to configure +Samba for seemless integration</A +></DT +><DT +>11.6. <A +HREF="integrate-ms-networks.html#AEN1597" +>Conclusions</A +></DT +></DL +></DD +><DT +>12. <A +HREF="unix-permissions.html" +>UNIX Permission Bits and Windows NT Access Control Lists</A +></DT +><DD +><DL +><DT +>12.1. <A +HREF="unix-permissions.html#AEN1618" +>Viewing and changing UNIX permissions using the NT + security dialogs</A +></DT +><DT +>12.2. <A +HREF="unix-permissions.html#AEN1627" +>How to view file security on a Samba share</A +></DT +><DT +>12.3. <A +HREF="unix-permissions.html#AEN1638" +>Viewing file ownership</A +></DT +><DT +>12.4. <A +HREF="unix-permissions.html#AEN1658" +>Viewing file or directory permissions</A +></DT +><DT +>12.5. 
<A +HREF="unix-permissions.html#AEN1694" +>Modifying file or directory permissions</A +></DT +><DT +>12.6. <A +HREF="unix-permissions.html#AEN1716" +>Interaction with the standard Samba create mask + parameters</A +></DT +><DT +>12.7. <A +HREF="unix-permissions.html#AEN1780" +>Interaction with the standard Samba file attribute + mapping</A +></DT +></DL +></DD +><DT +>13. <A +HREF="pam.html" +>Configuring PAM for distributed but centrally +managed authentication</A +></DT +><DD +><DL +><DT +>13.1. <A +HREF="pam.html#AEN1801" +>Samba and PAM</A +></DT +><DT +>13.2. <A +HREF="pam.html#AEN1845" +>Distributed Authentication</A +></DT +><DT +>13.3. <A +HREF="pam.html#AEN1852" +>PAM Configuration in smb.conf</A +></DT +></DL +></DD +><DT +>14. <A +HREF="msdfs.html" +>Hosting a Microsoft Distributed File System tree on Samba</A +></DT +><DD +><DL +><DT +>14.1. <A +HREF="msdfs.html#AEN1872" +>Instructions</A +></DT +></DL +></DD +><DT +>15. <A +HREF="printing.html" +>Printing Support</A +></DT +><DD +><DL +><DT +>15.1. <A +HREF="printing.html#AEN1933" +>Introduction</A +></DT +><DT +>15.2. <A +HREF="printing.html#AEN1955" +>Configuration</A +></DT +><DT +>15.3. <A +HREF="printing.html#AEN2063" +>The Imprints Toolset</A +></DT +><DT +>15.4. <A +HREF="printing.html#AEN2106" +>Diagnosis</A +></DT +></DL +></DD +><DT +>16. <A +HREF="winbind.html" +>Unified Logons between Windows NT and UNIX using Winbind</A +></DT +><DD +><DL +><DT +>16.1. <A +HREF="winbind.html#AEN2238" +>Abstract</A +></DT +><DT +>16.2. <A +HREF="winbind.html#AEN2242" +>Introduction</A +></DT +><DT +>16.3. <A +HREF="winbind.html#AEN2255" +>What Winbind Provides</A +></DT +><DT +>16.4. <A +HREF="winbind.html#AEN2266" +>How Winbind Works</A +></DT +><DT +>16.5. <A +HREF="winbind.html#AEN2306" +>Installation and Configuration</A +></DT +><DT +>16.6. <A +HREF="winbind.html#AEN2555" +>Limitations</A +></DT +><DT +>16.7. <A +HREF="winbind.html#AEN2565" +>Conclusion</A +></DT +></DL +></DD +><DT +>17. 
<A +HREF="pdb-mysql.html" +>Passdb MySQL plugin</A +></DT +><DD +><DL +><DT +>17.1. <A +HREF="pdb-mysql.html#AEN2579" +>Building</A +></DT +><DT +>17.2. <A +HREF="pdb-mysql.html#AEN2585" +>Configuring</A +></DT +><DT +>17.3. <A +HREF="pdb-mysql.html#AEN2600" +>Using plaintext passwords or encrypted password</A +></DT +><DT +>17.4. <A +HREF="pdb-mysql.html#AEN2605" +>Getting non-column data from the table</A +></DT +></DL +></DD +><DT +>18. <A +HREF="pdb-xml.html" +>Passdb XML plugin</A +></DT +><DD +><DL +><DT +>18.1. <A +HREF="pdb-xml.html#AEN2624" +>Building</A +></DT +><DT +>18.2. <A +HREF="pdb-xml.html#AEN2630" +>Usage</A +></DT +></DL +></DD +><DT +>19. <A +HREF="vfs.html" +>Stackable VFS modules</A +></DT +><DD +><DL +><DT +>19.1. <A +HREF="vfs.html#AEN2651" +>Introduction and configuration</A +></DT +><DT +>19.2. <A +HREF="vfs.html#AEN2659" +>Included modules</A +></DT +><DT +>19.3. <A +HREF="vfs.html#AEN2713" +>VFS modules available elsewhere</A +></DT +></DL +></DD +><DT +>20. <A +HREF="samba-ldap-howto.html" +>Storing Samba's User/Machine Account information in an LDAP Directory</A +></DT +><DD +><DL +><DT +>20.1. <A +HREF="samba-ldap-howto.html#AEN2747" +>Purpose</A +></DT +><DT +>20.2. <A +HREF="samba-ldap-howto.html#AEN2767" +>Introduction</A +></DT +><DT +>20.3. <A +HREF="samba-ldap-howto.html#AEN2796" +>Supported LDAP Servers</A +></DT +><DT +>20.4. <A +HREF="samba-ldap-howto.html#AEN2801" +>Schema and Relationship to the RFC 2307 posixAccount</A +></DT +><DT +>20.5. <A +HREF="samba-ldap-howto.html#AEN2813" +>Configuring Samba with LDAP</A +></DT +><DT +>20.6. <A +HREF="samba-ldap-howto.html#AEN2860" +>Accounts and Groups management</A +></DT +><DT +>20.7. <A +HREF="samba-ldap-howto.html#AEN2865" +>Security and sambaAccount</A +></DT +><DT +>20.8. <A +HREF="samba-ldap-howto.html#AEN2885" +>LDAP specials attributes for sambaAccounts</A +></DT +><DT +>20.9. 
<A +HREF="samba-ldap-howto.html#AEN2955" +>Example LDIF Entries for a sambaAccount</A +></DT +><DT +>20.10. <A +HREF="samba-ldap-howto.html#AEN2963" +>Comments</A +></DT +></DL +></DD +><DT +>21. <A +HREF="cvs-access.html" +>HOWTO Access Samba source code via CVS</A +></DT +><DD +><DL +><DT +>21.1. <A +HREF="cvs-access.html#AEN2974" +>Introduction</A +></DT +><DT +>21.2. <A +HREF="cvs-access.html#AEN2979" +>CVS Access to samba.org</A +></DT +></DL +></DD +><DT +>22. <A +HREF="groupmapping.html" +>Group mapping HOWTO</A +></DT +><DT +>23. <A +HREF="speed.html" +>Samba performance issues</A +></DT +><DD +><DL +><DT +>23.1. <A +HREF="speed.html#AEN3065" +>Comparisons</A +></DT +><DT +>23.2. <A +HREF="speed.html#AEN3071" +>Oplocks</A +></DT +><DT +>23.3. <A +HREF="speed.html#AEN3091" +>Socket options</A +></DT +><DT +>23.4. <A +HREF="speed.html#AEN3098" +>Read size</A +></DT +><DT +>23.5. <A +HREF="speed.html#AEN3103" +>Max xmit</A +></DT +><DT +>23.6. <A +HREF="speed.html#AEN3108" +>Locking</A +></DT +><DT +>23.7. <A +HREF="speed.html#AEN3112" +>Share modes</A +></DT +><DT +>23.8. <A +HREF="speed.html#AEN3117" +>Log level</A +></DT +><DT +>23.9. <A +HREF="speed.html#AEN3120" +>Wide lines</A +></DT +><DT +>23.10. <A +HREF="speed.html#AEN3123" +>Read raw</A +></DT +><DT +>23.11. <A +HREF="speed.html#AEN3128" +>Write raw</A +></DT +><DT +>23.12. <A +HREF="speed.html#AEN3132" +>Read prediction</A +></DT +><DT +>23.13. <A +HREF="speed.html#AEN3139" +>Memory mapping</A +></DT +><DT +>23.14. <A +HREF="speed.html#AEN3144" +>Slow Clients</A +></DT +><DT +>23.15. <A +HREF="speed.html#AEN3148" +>Slow Logins</A +></DT +><DT +>23.16. <A +HREF="speed.html#AEN3151" +>Client tuning</A +></DT +><DT +>23.17. <A +HREF="speed.html#AEN3183" +>My Results</A +></DT +></DL +></DD +></DL +></DD +><DT +>IV. <A +HREF="appendixes.html" +>Appendixes</A +></DT +><DD +><DL +><DT +>24. <A +HREF="portability.html" +>Portability</A +></DT +><DD +><DL +><DT +>24.1. 
<A +HREF="portability.html#AEN3198" +>HPUX</A +></DT +><DT +>24.2. <A +HREF="portability.html#AEN3204" +>SCO Unix</A +></DT +><DT +>24.3. <A +HREF="portability.html#AEN3208" +>DNIX</A +></DT +><DT +>24.4. <A +HREF="portability.html#AEN3237" +>RedHat Linux Rembrandt-II</A +></DT +></DL +></DD +><DT +>25. <A +HREF="other-clients.html" +>Samba and other CIFS clients</A +></DT +><DD +><DL +><DT +>25.1. <A +HREF="other-clients.html#AEN3258" +>Macintosh clients?</A +></DT +><DT +>25.2. <A +HREF="other-clients.html#AEN3267" +>OS2 Client</A +></DT +><DT +>25.3. <A +HREF="other-clients.html#AEN3307" +>Windows for Workgroups</A +></DT +><DT +>25.4. <A +HREF="other-clients.html#AEN3328" +>Windows '95/'98</A +></DT +><DT +>25.5. <A +HREF="other-clients.html#AEN3344" +>Windows 2000 Service Pack 2</A +></DT +></DL +></DD +><DT +>26. <A +HREF="bugreport.html" +>Reporting Bugs</A +></DT +><DD +><DL +><DT +>26.1. <A +HREF="bugreport.html#AEN3368" +>Introduction</A +></DT +><DT +>26.2. <A +HREF="bugreport.html#AEN3378" +>General info</A +></DT +><DT +>26.3. <A +HREF="bugreport.html#AEN3384" +>Debug levels</A +></DT +><DT +>26.4. <A +HREF="bugreport.html#AEN3401" +>Internal errors</A +></DT +><DT +>26.5. <A +HREF="bugreport.html#AEN3411" +>Attaching to a running process</A +></DT +><DT +>26.6. <A +HREF="bugreport.html#AEN3414" +>Patches</A +></DT +></DL +></DD +><DT +>27. <A +HREF="diagnosis.html" +>Diagnosing your samba server</A +></DT +><DD +><DL +><DT +>27.1. <A +HREF="diagnosis.html#AEN3437" +>Introduction</A +></DT +><DT +>27.2. <A +HREF="diagnosis.html#AEN3442" +>Assumptions</A +></DT +><DT +>27.3. <A +HREF="diagnosis.html#AEN3452" +>Tests</A +></DT +><DT +>27.4. 
<A +HREF="diagnosis.html#AEN3562" +>Still having troubles?</A +></DT +></DL +></DD +></DL +></DD +></DL +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +> </TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="introduction.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +> </TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>General installation</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
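Review bot: The abstract and table of contents carry typos that will ship in the rendered book: "sometimes the is a larger job" in the abstract, "seemless integration" in entry 11.5, and "LDAP specials attributes" in entry 20.8. The META GENERATOR tag shows this file is stylesheet output, so correct them in the DocBook sources and regenerate rather than editing the HTML. The anchor NAME="SAMBA-HOWTO-COLLECTION" is also emitted twice, once directly under the BOOK div and once inside the title H1; anchor names must be unique within an HTML 4.01 document, so check whether the source sets the id in two places.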
\ No newline at end of file diff --git a/docs/htmldocs/samba-pdc.html b/docs/htmldocs/samba-pdc.html new file mode 100644 index 0000000000..daab00fba9 --- /dev/null +++ b/docs/htmldocs/samba-pdc.html 
@@ -0,0 +1,2649 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>How to Configure Samba as a NT4 Primary Domain Controller</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Type of installation" +HREF="type.html"><LINK +REL="PREVIOUS" +TITLE="User and Share security level (for servers not in a domain)" +HREF="securitylevels.html"><LINK +REL="NEXT" +TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" +HREF="samba-bdc.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="securitylevels.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="samba-bdc.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="SAMBA-PDC" +></A +>Chapter 7. How to Configure Samba as a NT4 Primary Domain Controller</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN591" +></A +>7.1. Prerequisite Reading</H1 +><P +>Before you continue reading in this chapter, please make sure +that you are comfortable with configuring basic files services +in smb.conf and how to enable and administer password +encryption in Samba. 
Theses two topics are covered in the +<A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> +manpage and the <A +HREF="ENCRYPTION.html" +TARGET="_top" +>Encryption chapter</A +> +of this HOWTO Collection.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN597" +></A +>7.2. Background</H1 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Author's Note:</I +></SPAN +> This document is a combination +of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". +Both documents are superseded by this one.</P +></TD +></TR +></TABLE +></DIV +><P +>Versions of Samba prior to release 2.2 had marginal capabilities to act +as a Windows NT 4.0 Primary Domain Controller + +(PDC). With Samba 2.2.0, we are proud to announce official support for +Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows +2000 clients. This article outlines the steps +necessary for configuring Samba as a PDC. It is necessary to have a +working Samba server prior to implementing the PDC functionality. If +you have not followed the steps outlined in <A +HREF="UNIX_INSTALL.html" +TARGET="_top" +> UNIX_INSTALL.html</A +>, please make sure +that your server is configured correctly before proceeding. Another +good resource in the <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5) man +page</A +>. The following functionality should work in 2.2:</P +><P +></P +><UL +><LI +><P +> domain logons for Windows NT 4.0/2000 clients. 
+ </P +></LI +><LI +><P +> placing a Windows 9x client in user level security + </P +></LI +><LI +><P +> retrieving a list of users and groups from a Samba PDC to + Windows 9x/NT/2000 clients + </P +></LI +><LI +><P +> roving (roaming) user profiles + </P +></LI +><LI +><P +> Windows NT 4.0-style system policies + </P +></LI +></UL +><P +>The following pieces of functionality are not included in the 2.2 release:</P +><P +></P +><UL +><LI +><P +> Windows NT 4 domain trusts + </P +></LI +><LI +><P +> SAM replication with Windows NT 4.0 Domain Controllers + (i.e. a Samba PDC and a Windows NT BDC or vice versa) + </P +></LI +><LI +><P +> Adding users via the User Manager for Domains + </P +></LI +><LI +><P +> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and + Active Directory) + </P +></LI +></UL +><P +>Please note that Windows 9x clients are not true members of a domain +for reasons outlined in this article. Therefore the protocol for +support Windows 9x-style domain logons is completely different +from NT4 domain logons and has been officially supported for some +time.</P +><P +>Implementing a Samba PDC can basically be divided into 2 broad +steps.</P +><P +></P +><OL +TYPE="1" +><LI +><P +> Configuring the Samba PDC + </P +></LI +><LI +><P +> Creating machine trust accounts and joining clients + to the domain + </P +></LI +></OL +><P +>There are other minor details such as user profiles, system +policies, etc... However, these are not necessarily specific +to a Samba PDC as much as they are related to Windows NT networking +concepts. They will be mentioned only briefly here.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN636" +></A +>7.3. Configuring the Samba Domain Controller</H1 +><P +>The first step in creating a working Samba PDC is to +understand the parameters necessary in smb.conf. 
I will not +attempt to re-explain the parameters here as they are more that +adequately covered in <A +HREF="smb.conf.5.html" +TARGET="_top" +> the smb.conf +man page</A +>. For convenience, the parameters have been +linked with the actual smb.conf description.</P +><P +>Here is an example <TT +CLASS="FILENAME" +>smb.conf</TT +> for acting as a PDC:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>[global] + ; Basic server settings + <A +HREF="smb.conf.5.html#NETBIOSNAME" +TARGET="_top" +>netbios name</A +> = <TT +CLASS="REPLACEABLE" +><I +>POGO</I +></TT +> + <A +HREF="smb.conf.5.html#WORKGROUP" +TARGET="_top" +>workgroup</A +> = <TT +CLASS="REPLACEABLE" +><I +>NARNIA</I +></TT +> + + ; we should act as the domain and local master browser + <A +HREF="smb.conf.5.html#OSLEVEL" +TARGET="_top" +>os level</A +> = 64 + <A +HREF="smb.conf.5.html#PERFERREDMASTER" +TARGET="_top" +>preferred master</A +> = yes + <A +HREF="smb.conf.5.html#DOMAINMASTER" +TARGET="_top" +>domain master</A +> = yes + <A +HREF="smb.conf.5.html#LOCALMASTER" +TARGET="_top" +>local master</A +> = yes + + ; security settings (must user security = user) + <A +HREF="smb.conf.5.html#SECURITYEQUALSUSER" +TARGET="_top" +>security</A +> = user + + ; encrypted passwords are a requirement for a PDC + <A +HREF="smb.conf.5.html#ENCRYPTPASSWORDS" +TARGET="_top" +>encrypt passwords</A +> = yes + + ; support domain logons + <A +HREF="smb.conf.5.html#DOMAINLOGONS" +TARGET="_top" +>domain logons</A +> = yes + + ; where to store user profiles? + <A +HREF="smb.conf.5.html#LOGONPATH" +TARGET="_top" +>logon path</A +> = \\%N\profiles\%u + + ; where is a user's home directory and where should it + ; be mounted at? 
+ <A +HREF="smb.conf.5.html#LOGONDRIVE" +TARGET="_top" +>logon drive</A +> = H: + <A +HREF="smb.conf.5.html#LOGONHOME" +TARGET="_top" +>logon home</A +> = \\homeserver\%u + + ; specify a generic logon script for all users + ; this is a relative **DOS** path to the [netlogon] share + <A +HREF="smb.conf.5.html#LOGONSCRIPT" +TARGET="_top" +>logon script</A +> = logon.cmd + +; necessary share for domain controller +[netlogon] + <A +HREF="smb.conf.5.html#PATH" +TARGET="_top" +>path</A +> = /usr/local/samba/lib/netlogon + <A +HREF="smb.conf.5.html#READONLY" +TARGET="_top" +>read only</A +> = yes + <A +HREF="smb.conf.5.html#WRITELIST" +TARGET="_top" +>write list</A +> = <TT +CLASS="REPLACEABLE" +><I +>ntadmin</I +></TT +> + +; share for storing user profiles +[profiles] + <A +HREF="smb.conf.5.html#PATH" +TARGET="_top" +>path</A +> = /export/smb/ntprofile + <A +HREF="smb.conf.5.html#READONLY" +TARGET="_top" +>read only</A +> = no + <A +HREF="smb.conf.5.html#CREATEMASK" +TARGET="_top" +>create mask</A +> = 0600 + <A +HREF="smb.conf.5.html#DIRECTORYMASK" +TARGET="_top" +>directory mask</A +> = 0700</PRE +></P +><P +>There are a couple of points to emphasize in the above configuration.</P +><P +></P +><UL +><LI +><P +> Encrypted passwords must be enabled. For more details on how + to do this, refer to <A +HREF="ENCRYPTION.html" +TARGET="_top" +>ENCRYPTION.html</A +>. + </P +></LI +><LI +><P +> The server must support domain logons and a + <TT +CLASS="FILENAME" +>[netlogon]</TT +> share + </P +></LI +><LI +><P +> The server must be the domain master browser in order for Windows + client to locate the server as a DC. Please refer to the various + Network Browsing documentation included with this distribution for + details. 
+ </P +></LI +></UL +><P +>As Samba 2.2 does not offer a complete implementation of group mapping +between Windows NT groups and Unix groups (this is really quite +complicated to explain in a short space), you should refer to the +<A +HREF="smb.conf.5.html#DOMAINADMINGROUP" +TARGET="_top" +>domain admin +group</A +> smb.conf parameter for information of creating "Domain +Admins" style accounts.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN679" +></A +>7.4. Creating Machine Trust Accounts and Joining Clients to the +Domain</H1 +><P +>A machine trust account is a Samba account that is used to +authenticate a client machine (rather than a user) to the Samba +server. In Windows terminology, this is known as a "Computer +Account."</P +><P +>The password of a machine trust account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT and 2000 clients use machine trust accounts, but +Windows 9x clients do not. Hence, a Windows 9x client is never a true +member of a domain because it does not possess a machine trust +account, and thus has no shared secret with the domain controller.</P +><P +>A Windows PDC stores each machine trust account in the Windows +Registry. A Samba PDC, however, stores each machine trust account +in two parts, as follows: + +<P +></P +><UL +><LI +><P +>A Samba account, stored in the same location as user + LanMan and NT password hashes (currently + <TT +CLASS="FILENAME" +>smbpasswd</TT +>). The Samba account + possesses and uses only the NT password hash.</P +></LI +><LI +><P +>A corresponding Unix account, typically stored in + <TT +CLASS="FILENAME" +>/etc/passwd</TT +>. (Future releases will alleviate the need to + create <TT +CLASS="FILENAME" +>/etc/passwd</TT +> entries.) 
</P +></LI +></UL +></P +><P +>There are two ways to create machine trust accounts:</P +><P +></P +><UL +><LI +><P +> Manual creation. Both the Samba and corresponding + Unix account are created by hand.</P +></LI +><LI +><P +> "On-the-fly" creation. The Samba machine trust + account is automatically created by Samba at the time the client + is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be + created automatically or manually. </P +></LI +></UL +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN698" +></A +>7.4.1. Manual Creation of Machine Trust Accounts</H2 +><P +>The first step in manually creating a machine trust account is to +manually create the corresponding Unix account in +<TT +CLASS="FILENAME" +>/etc/passwd</TT +>. This can be done using +<B +CLASS="COMMAND" +>vipw</B +> or other 'add user' command that is normally +used to create new Unix accounts. The following is an example for a +Linux based Samba server:</P +><P +> <TT +CLASS="PROMPT" +>root# </TT +><B +CLASS="COMMAND" +>/usr/sbin/useradd -g 100 -d /dev/null -c <TT +CLASS="REPLACEABLE" +><I +>"machine +nickname"</I +></TT +> -s /bin/false <TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +>$ </B +></P +><P +><TT +CLASS="PROMPT" +>root# </TT +><B +CLASS="COMMAND" +>passwd -l <TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +>$</B +></P +><P +>On *BSD systems, this can be done using the 'chpass' utility:</P +><P +><TT +CLASS="PROMPT" +>root# </TT +><B +CLASS="COMMAND" +>chpass -a "<TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +>$:*:101:100::0:0:Workstation <TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +>:/dev/null:/sbin/nologin"</B +></P +><P +>The <TT +CLASS="FILENAME" +>/etc/passwd</TT +> entry will list the machine name +with a "$" appended, won't have a password, will have a null shell and no +home directory. 
For example a machine named 'doppy' would have an +<TT +CLASS="FILENAME" +>/etc/passwd</TT +> entry like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>doppy$:x:505:501:<TT +CLASS="REPLACEABLE" +><I +>machine_nickname</I +></TT +>:/dev/null:/bin/false</PRE +></P +><P +>Above, <TT +CLASS="REPLACEABLE" +><I +>machine_nickname</I +></TT +> can be any +descriptive name for the client, i.e., BasementComputer. +<TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +> absolutely must be the NetBIOS +name of the client to be joined to the domain. The "$" must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a machine trust account.</P +><P +>Now that the corresponding Unix account has been created, the next step is to create +the Samba account for the client containing the well-known initial +machine trust account password. This can be done using the <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +> command +as shown here:</P +><P +><TT +CLASS="PROMPT" +>root# </TT +><B +CLASS="COMMAND" +>smbpasswd -a -m <TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +></B +></P +><P +>where <TT +CLASS="REPLACEABLE" +><I +>machine_name</I +></TT +> is the machine's NetBIOS +name. The RID of the new machine account is generated from the UID of +the corresponding Unix account.</P +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Join the client to the domain immediately</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Manually creating a machine trust account using this method is the + equivalent of creating a machine trust account on a Windows NT PDC using + the "Server Manager". 
From the time at which the account is created + to the time which the client joins the domain and changes the password, + your domain is vulnerable to an intruder joining your domain using a + a machine with the same NetBIOS name. A PDC inherently trusts + members of the domain and will serve out a large degree of user + information to such clients. You have been warned! + </P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN739" +></A +>7.4.2. "On-the-Fly" Creation of Machine Trust Accounts</H2 +><P +>The second (and recommended) way of creating machine trust accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain. </P +><P +>Since each Samba machine trust account requires a corresponding +Unix account, a method for automatically creating the +Unix account is usually supplied; this requires configuration of the +<A +HREF="smb.conf.5.html#ADDUSERSCRIPT" +TARGET="_top" +>add user script</A +> +option in <TT +CLASS="FILENAME" +>smb.conf</TT +>. This +method is not required, however; corresponding Unix accounts may also +be created manually.</P +><P +>Below is an example for a RedHat 6.2 Linux system.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>[global] + # <...remainder of parameters...> + add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN748" +></A +>7.4.3. Joining the Client to the Domain</H2 +><P +>The procedure for joining a client to the domain varies with the +version of Windows.</P +><P +></P +><UL +><LI +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Windows 2000</I +></SPAN +></P +><P +> When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. 
A + Samba administrative account (i.e., a Samba account that has root + privileges on the Samba server) must be entered here; the + operation will fail if an ordinary user account is given. + The password for this account should be + set to a different password than the associated + <TT +CLASS="FILENAME" +>/etc/passwd</TT +> entry, for security + reasons. </P +><P +>The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists.</P +></LI +><LI +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Windows NT</I +></SPAN +></P +><P +> If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." In this case, + the existing machine trust account is used to join the machine to + the domain.</P +><P +> If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted).</P +></LI +></UL +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN763" +></A +>7.5. Common Problems and Errors</H1 +><P +></P +><P +></P +><UL +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>I cannot include a '$' in a machine name.</I +></SPAN +> + </P +><P +> A 'machine name' in (typically) <TT +CLASS="FILENAME" +>/etc/passwd</TT +> + of the machine name with a '$' appended. FreeBSD (and other BSD + systems?) won't create a user with a '$' in their name. + </P +><P +> The problem is only in the program used to make the entry, once + made, it works perfectly. 
So create a user without the '$' and + use <B +CLASS="COMMAND" +>vipw</B +> to edit the entry, adding the '$'. Or create + the whole entry with vipw if you like, make sure you use a + unique User ID ! + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>I get told "You already have a connection to the Domain...." + or "Cannot join domain, the credentials supplied conflict with an + existing set.." when creating a machine trust account.</I +></SPAN +> + </P +><P +> This happens if you try to create a machine trust account from the + machine itself and already have a connection (e.g. mapped drive) + to a share (or IPC$) on the Samba PDC. The following command + will remove all network drive connections: + </P +><P +> <TT +CLASS="PROMPT" +>C:\WINNT\></TT +> <B +CLASS="COMMAND" +>net use * /d</B +> + </P +><P +> Further, if the machine is a already a 'member of a workgroup' that + is the same name as the domain you are joining (bad idea) you will + get this message. Change the workgroup name to something else, it + does not matter what, reboot, and try again. + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The system can not log you on (C000019B)....</I +></SPAN +> + </P +><P +>I joined the domain successfully but after upgrading + to a newer version of the Samba code I get the message, "The system + can not log you on (C000019B), Please try a gain or consult your + system administrator" when attempting to logon. + </P +><P +> This occurs when the domain SID stored in + <TT +CLASS="FILENAME" +>private/WORKGROUP.SID</TT +> is + changed. For example, you remove the file and <B +CLASS="COMMAND" +>smbd</B +> automatically + creates a new one. Or you are swapping back and forth between + versions 2.0.7, TNG and the HEAD branch code (not recommended). The + only way to correct the problem is to restore the original domain + SID or remove the domain client from the domain and rejoin. 
+ </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The machine trust account for this computer either does not + exist or is not accessible.</I +></SPAN +> + </P +><P +> When I try to join the domain I get the message "The machine account + for this computer either does not exist or is not accessible". What's + wrong? + </P +><P +> This problem is caused by the PDC not having a suitable machine trust account. + If you are using the <TT +CLASS="PARAMETER" +><I +>add user script</I +></TT +> method to create + accounts then this would indicate that it has not worked. Ensure the domain + admin user system is working. + </P +><P +> Alternatively if you are creating account entries manually then they + have not been created correctly. Make sure that you have the entry + correct for the machine trust account in smbpasswd file on the Samba PDC. + If you added the account using an editor rather than using the smbpasswd + utility, make sure that the account name is the machine NetBIOS name + with a '$' appended to it ( i.e. computer_name$ ). There must be an entry + in both /etc/passwd and the smbpasswd file. Some people have reported + that inconsistent subnet masks between the Samba server and the NT + client have caused this problem. Make sure that these are consistent + for both client and server. + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>When I attempt to login to a Samba Domain from a NT4/W2K workstation, + I get a message about my account being disabled.</I +></SPAN +> + </P +><P +> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is + fixed in 2.2.1. 
Other symptoms could be unaccessible shares on + NT/W2K member servers in the domain or the following error in your smbd.log: + passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% + </P +><P +> At first be ensure to enable the useraccounts with <B +CLASS="COMMAND" +>smbpasswd -e + %user%</B +>, this is normally done, when you create an account. + </P +><P +> In order to work around this problem in 2.2.0, configure the + <TT +CLASS="PARAMETER" +><I +>account</I +></TT +> control flag in + <TT +CLASS="FILENAME" +>/etc/pam.d/samba</TT +> file as follows: + </P +><P +><PRE +CLASS="PROGRAMLISTING" +> account required pam_permit.so + </PRE +></P +><P +> If you want to remain backward compatibility to samba 2.0.x use + <TT +CLASS="FILENAME" +>pam_permit.so</TT +>, it's also possible to use + <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +>. There are some bugs if you try to + use <TT +CLASS="FILENAME" +>pam_unix.so</TT +>, if you need this, be ensure to use + the most recent version of this file. + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN811" +></A +>7.6. System Policies and Profiles</H1 +><P +>Much of the information necessary to implement System Policies and +Roving User Profiles in a Samba domain is the same as that for +implementing these same items in a Windows NT 4.0 domain. 
+You should read the white paper <A +HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" +TARGET="_top" +>Implementing +Profiles and Policies in Windows NT 4.0</A +> available from Microsoft.</P +><P +>Here are some additional details:</P +><P +></P +><UL +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>What about Windows NT Policy Editor?</I +></SPAN +> + </P +><P +> To create or edit <TT +CLASS="FILENAME" +>ntconfig.pol</TT +> you must use + the NT Server Policy Editor, <B +CLASS="COMMAND" +>poledit.exe</B +> which + is included with NT Server but <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>not NT Workstation</I +></SPAN +>. + There is a Policy Editor on a NTws + but it is not suitable for creating <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Domain Policies</I +></SPAN +>. + Further, although the Windows 95 + Policy Editor can be installed on an NT Workstation/Server, it will not + work with NT policies because the registry key that are set by the policy templates. + However, the files from the NT Server will run happily enough on an NTws. + You need <TT +CLASS="FILENAME" +>poledit.exe, common.adm</TT +> and <TT +CLASS="FILENAME" +>winnt.adm</TT +>. It is convenient + to put the two *.adm files in <TT +CLASS="FILENAME" +>c:\winnt\inf</TT +> which is where + the binary will look for them unless told otherwise. Note also that that + directory is 'hidden'. + </P +><P +> The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using <B +CLASS="COMMAND" +>servicepackname /x</B +>, + i.e. that's <B +CLASS="COMMAND" +>Nt4sp6ai.exe /x</B +> for service pack 6a. The policy editor, + <B +CLASS="COMMAND" +>poledit.exe</B +> and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. 
Another possible + location is with the Zero Administration Kit available for download from Microsoft. + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Can Win95 do Policies?</I +></SPAN +> + </P +><P +> Install the group policy handler for Win9x to pick up group + policies. Look on the Win98 CD in <TT +CLASS="FILENAME" +>\tools\reskit\netadmin\poledit</TT +>. + Install group policies on a Win9x client by double-clicking + <TT +CLASS="FILENAME" +>grouppol.inf</TT +>. Log off and on again a couple of + times and see if Win98 picks up group policies. Unfortunately this needs + to be done on every Win9x machine that uses group policies.... + </P +><P +> If group policies don't work one reports suggests getting the updated + (read: working) grouppol.dll for Windows 9x. The group list is grabbed + from /etc/group. + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get 'User Manager' and 'Server Manager'</I +></SPAN +> + </P +><P +> Since I don't need to buy an NT Server CD now, how do I get + the 'User Manager for Domains', the 'Server Manager'? + </P +><P +> Microsoft distributes a version of these tools called nexus for + installation on Windows 95 systems. The tools set includes + </P +><P +></P +><UL +><LI +><P +>Server Manager</P +></LI +><LI +><P +>User Manager for Domains</P +></LI +><LI +><P +>Event Viewer</P +></LI +></UL +><P +> Click here to download the archived file <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A +> + </P +><P +> The Windows NT 4.0 version of the 'User Manager for + Domains' and 'Server Manager' are available from Microsoft via ftp + from <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +> + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN855" +></A +>7.7. 
What other help can I get?</H1 +><P +>There are many sources of information available in the form +of mailing lists, RFC's and documentation. The docs that come +with the samba distribution contain very good explanations of +general SMB topics such as browsing.</P +><P +></P +><UL +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>What are some diagnostics tools I can use to debug the domain logon + process and where can I find them?</I +></SPAN +> + </P +><P +> One of the best diagnostic tools for debugging problems is Samba itself. + You can use the -d option for both smbd and nmbd to specify what + 'debug level' at which to run. See the man pages on smbd, nmbd and + smb.conf for more information on debugging options. The debug + level can range from 1 (the default) to 10 (100 for debugging passwords). + </P +><P +> Another helpful method of debugging is to compile samba using the + <B +CLASS="COMMAND" +>gcc -g </B +> flag. This will include debug + information in the binaries and allow you to attach gdb to the + running smbd / nmbd process. In order to attach gdb to an smbd + process for an NT workstation, first get the workstation to make the + connection. Pressing ctrl-alt-delete and going down to the domain box + is sufficient (at least, on the first time you join the domain) to + generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation + maintains an open connection, and therefore there will be an smbd + process running (assuming that you haven't set a really short smbd + idle timeout) So, in between pressing ctrl alt delete, and actually + typing in your password, you can gdb attach and continue. + </P +><P +> Some useful samba commands worth investigating: + </P +><P +></P +><UL +><LI +><P +>testparam | more</P +></LI +><LI +><P +>smbclient -L //{netbios name of server}</P +></LI +></UL +><P +> An SMB enabled version of tcpdump is available from + <A +HREF="http://www.tcpdump.org/" +TARGET="_top" +>http://www.tcpdup.org/</A +>. 
+ Ethereal, another good packet sniffer for Unix and Win32 + hosts, can be downloaded from <A +HREF="http://www.ethereal.com/" +TARGET="_top" +>http://www.ethereal.com</A +>. + </P +><P +> For tracing things on the Microsoft Windows NT, Network Monitor + (aka. netmon) is available on the Microsoft Developer Network CD's, + the Windows NT Server install CD and the SMS CD's. The version of + netmon that ships with SMS allows for dumping packets between any two + computers (i.e. placing the network interface in promiscuous mode). + The version on the NT Server install CD will only allow monitoring + of network traffic directed to the local NT box and broadcasts on the + local subnet. Be aware that Ethereal can read and write netmon + formatted files. + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I install 'Network Monitor' on an NT Workstation + or a Windows 9x box?</I +></SPAN +> + </P +><P +> Installing netmon on an NT workstation requires a couple + of steps. The following are for installing Netmon V4.00.349, which comes + with Microsoft Windows NT Server 4.0, on Microsoft Windows NT + Workstation 4.0. The process should be similar for other version of + Windows NT / Netmon. You will need both the Microsoft Windows + NT Server 4.0 Install CD and the Workstation 4.0 Install CD. + </P +><P +> Initially you will need to install 'Network Monitor Tools and Agent' + on the NT Server. To do this + </P +><P +></P +><UL +><LI +><P +>Goto Start - Settings - Control Panel - + Network - Services - Add </P +></LI +><LI +><P +>Select the 'Network Monitor Tools and Agent' and + click on 'OK'.</P +></LI +><LI +><P +>Click 'OK' on the Network Control Panel. + </P +></LI +><LI +><P +>Insert the Windows NT Server 4.0 install CD + when prompted.</P +></LI +></UL +><P +> At this point the Netmon files should exist in + <TT +CLASS="FILENAME" +>%SYSTEMROOT%\System32\netmon\*.*</TT +>. 
+ Two subdirectories exist as well, <TT +CLASS="FILENAME" +>parsers\</TT +> + which contains the necessary DLL's for parsing the netmon packet + dump, and <TT +CLASS="FILENAME" +>captures\</TT +>. + </P +><P +> In order to install the Netmon tools on an NT Workstation, you will + first need to install the 'Network Monitor Agent' from the Workstation + install CD. + </P +><P +></P +><UL +><LI +><P +>Goto Start - Settings - Control Panel - + Network - Services - Add</P +></LI +><LI +><P +>Select the 'Network Monitor Agent' and click + on 'OK'.</P +></LI +><LI +><P +>Click 'OK' on the Network Control Panel. + </P +></LI +><LI +><P +>Insert the Windows NT Workstation 4.0 install + CD when prompted.</P +></LI +></UL +><P +> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* + to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set + permissions as you deem appropriate for your site. You will need + administrative rights on the NT box to run netmon. + </P +><P +> To install Netmon on a Windows 9x box install the network monitor agent + from the Windows 9x CD (\admin\nettools\netmon). There is a readme + file located with the netmon driver files on the CD if you need + information on how to do this. Copy the files from a working + Netmon installation. + </P +></LI +><LI +><P +> The following is a list if helpful URLs and other links: + </P +><P +></P +><UL +><LI +><P +>Home of Samba site <A +HREF="http://samba.org" +TARGET="_top" +> http://samba.org</A +>. We have a mirror near you !</P +></LI +><LI +><P +> The <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Development</I +></SPAN +> document + on the Samba mirrors might mention your problem. If so, + it might mean that the developers are working on it.</P +></LI +><LI +><P +>See how Scott Merrill simulates a BDC behavior at + <A +HREF="http://www.skippy.net/linux/smb-howto.html" +TARGET="_top" +> http://www.skippy.net/linux/smb-howto.html</A +>. 
</P +></LI +><LI +><P +>Although 2.0.7 has almost had its day as a PDC, David Bannon will + keep the 2.0.7 PDC pages at <A +HREF="http://bioserve.latrobe.edu.au/samba" +TARGET="_top" +> http://bioserve.latrobe.edu.au/samba</A +> going for a while yet.</P +></LI +><LI +><P +>Misc links to CIFS information + <A +HREF="http://samba.org/cifs/" +TARGET="_top" +>http://samba.org/cifs/</A +></P +></LI +><LI +><P +>NT Domains for Unix <A +HREF="http://mailhost.cb1.com/~lkcl/ntdom/" +TARGET="_top" +> http://mailhost.cb1.com/~lkcl/ntdom/</A +></P +></LI +><LI +><P +>FTP site for older SMB specs: + <A +HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" +TARGET="_top" +> ftp://ftp.microsoft.com/developr/drg/CIFS/</A +></P +></LI +></UL +></LI +></UL +><P +></P +><UL +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get help from the mailing lists?</I +></SPAN +> + </P +><P +> There are a number of Samba related mailing lists. Go to <A +HREF="http://samba.org" +TARGET="_top" +>http://samba.org</A +>, click on your nearest mirror + and then click on <B +CLASS="COMMAND" +>Support</B +> and then click on <B +CLASS="COMMAND" +> Samba related mailing lists</B +>. + </P +><P +> For questions relating to Samba TNG go to + <A +HREF="http://www.samba-tng.org/" +TARGET="_top" +>http://www.samba-tng.org/</A +> + It has been requested that you don't post questions about Samba-TNG to the + main stream Samba lists.</P +><P +> If you post a message to one of the lists please observe the following guide lines : + </P +><P +></P +><UL +><LI +><P +> Always remember that the developers are volunteers, they are + not paid and they never guarantee to produce a particular feature at + a particular time. Any time lines are 'best guess' and nothing more. + </P +></LI +><LI +><P +> Always mention what version of samba you are using and what + operating system its running under. 
You should probably list the + relevant sections of your smb.conf file, at least the options + in [global] that affect PDC support.</P +></LI +><LI +><P +>In addition to the version, if you obtained Samba via + CVS mention the date when you last checked it out.</P +></LI +><LI +><P +> Try and make your question clear and brief, lots of long, + convoluted questions get deleted before they are completely read ! + Don't post html encoded messages (if you can select colour or font + size its html).</P +></LI +><LI +><P +> If you run one of those nifty 'I'm on holidays' things when + you are away, make sure its configured to not answer mailing lists. + </P +></LI +><LI +><P +> Don't cross post. Work out which is the best list to post to + and see what happens, i.e. don't post to both samba-ntdom and samba-technical. + Many people active on the lists subscribe to more + than one list and get annoyed to see the same message two or more times. + Often someone will see a message and thinking it would be better dealt + with on another, will forward it on for you.</P +></LI +><LI +><P +>You might include <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>partial</I +></SPAN +> + log files written at a debug level set to as much as 20. + Please don't send the entire log but enough to give the context of the + error messages.</P +></LI +><LI +><P +>(Possibly) If you have a complete netmon trace ( from the opening of + the pipe to the error ) you can send the *.CAP file as well.</P +></LI +><LI +><P +>Please think carefully before attaching a document to an email. + Consider pasting the relevant parts into the body of the message. 
The samba + mailing lists go to a huge number of people, do they all need a copy of your + smb.conf in their attach directory?</P +></LI +></UL +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get off the mailing lists?</I +></SPAN +> + </P +><P +>To have your name removed from a samba mailing list, go to the + same place you went to to get on it. Go to <A +HREF="http://lists.samba.org/" +TARGET="_top" +>http://lists.samba.org</A +>, + click on your nearest mirror and then click on <B +CLASS="COMMAND" +>Support</B +> and + then click on <B +CLASS="COMMAND" +> Samba related mailing lists</B +>. Or perhaps see + <A +HREF="http://lists.samba.org/mailman/roster/samba-ntdom" +TARGET="_top" +>here</A +> + </P +><P +> Please don't post messages to the list asking to be removed, you will just + be referred to the above address (unless that process failed in some way...) + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN969" +></A +>7.8. Domain Control for Windows 9x/ME</H1 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>The following section contains much of the original +DOMAIN.txt file previously included with Samba. Much of +the material is based on what went into the book <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Special +Edition, Using Samba</I +></SPAN +>, by Richard Sharpe.</P +></TD +></TR +></TABLE +></DIV +><P +>A domain and a workgroup are exactly the same thing in terms of network +browsing. The difference is that a distributable authentication +database is associated with a domain, for secure login access to a +network. 
Also, different access rights can be granted to users if they +successfully authenticate against a domain logon server (NT server and +other systems based on NT server support this, as does at least Samba TNG now).</P +><P +>The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +Network browsing functionality of domains and workgroups is +identical and is explained in BROWSING.txt. It should be noted, that browsing +is totally orthogonal to logon support.</P +><P +>Issues related to the single-logon network model are discussed in this +section. Samba supports domain logons, network logon scripts, and user +profiles for MS Windows for workgroups and MS Windows 9X/ME clients +which will be the focus of this section.</P +><P +>When an SMB client in a domain wishes to logon it broadcast requests for a +logon server. The first one to reply gets the job, and validates its +password using whatever mechanism the Samba administrator has installed. +It is possible (but very stupid) to create a domain where the user +database is not shared between servers, i.e. they are effectively workgroup +servers advertising themselves as participating in a domain. This +demonstrates how authentication is quite different from but closely +involved with domains.</P +><P +>Using these features you can make your clients verify their logon via +the Samba server; make clients run a batch file when they logon to +the network and download their preferences, desktop and start menu.</P +><P +>Before launching into the configuration instructions, it is +worthwhile lookingat how a Windows 9x/ME client performs a logon:</P +><P +></P +><OL +TYPE="1" +><LI +><P +> The client broadcasts (to the IP broadcast address of the subnet it is in) + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + NetBIOS layer. 
The client chooses the first response it receives, which + contains the NetBIOS name of the logon server to use in the format of + \\SERVER. + </P +></LI +><LI +><P +> The client then connects to that server, logs on (does an SMBsessetupX) and + then connects to the IPC$ share (using an SMBtconX). + </P +></LI +><LI +><P +> The client then does a NetWkstaUserLogon request, which retrieves the name + of the user's logon script. + </P +></LI +><LI +><P +> The client then connects to the NetLogon share and searches for this + and if it is found and can be read, is retrieved and executed by the client. + After this, the client disconnects from the NetLogon share. + </P +></LI +><LI +><P +> The client then sends a NetUserGetInfo request to the server, to retrieve + the user's home share, which is used to search for profiles. Since the + response to the NetUserGetInfo request does not contain much more + the user's home share, profiles for Win9X clients MUST reside in the user + home directory. + </P +></LI +><LI +><P +> The client then connects to the user's home share and searches for the + user's profile. As it turns out, you can specify the user's home share as + a sharename and path. For example, \\server\fred\.profile. + If the profiles are found, they are implemented. + </P +></LI +><LI +><P +> The client then disconnects from the user's home share, and reconnects to + the NetLogon share and looks for CONFIG.POL, the policies file. If this is + found, it is read and implemented. + </P +></LI +></OL +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN995" +></A +>7.8.1. 
Configuration Instructions: Network Logons</H2 +><P +>The main difference between a PDC and a Windows 9x logon +server configuration is that</P +><P +></P +><UL +><LI +><P +>Password encryption is not required for a Windows 9x logon server.</P +></LI +><LI +><P +>Windows 9x/ME clients do not possess machine trust accounts.</P +></LI +></UL +><P +>Therefore, a Samba PDC will also act as a Windows 9x logon +server.</P +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>security mode and master browsers</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>There are a few comments to make in order to tie up some +loose ends. There has been much debate over the issue of whether +or not it is ok to configure Samba as a Domain Controller in security +modes other than <TT +CLASS="CONSTANT" +>USER</TT +>. The only security mode +which will not work due to technical reasons is <TT +CLASS="CONSTANT" +>SHARE</TT +> +mode security. <TT +CLASS="CONSTANT" +>DOMAIN</TT +> and <TT +CLASS="CONSTANT" +>SERVER</TT +> +mode security is really just a variation on SMB user level security.</P +><P +>Actually, this issue is also closely tied to the debate on whether +or not Samba must be the domain master browser for its workgroup +when operating as a DC. While it may technically be possible +to configure a server as such (after all, browsing and domain logons +are two distinctly different functions), it is not a good idea to +so. You should remember that the DC must register the DOMAIN#1b NetBIOS +name. This is the name used by Windows clients to locate the DC. +Windows clients do not distinguish between the DC and the DMB. 
+For this reason, it is very wise to configure the Samba DC as the DMB.</P +><P +>Now back to the issue of configuring a Samba DC to use a mode other +than "security = user". If a Samba host is configured to use +another SMB server or DC in order to validate user connection +requests, then it is a fact that some other machine on the network +(the "password server") knows more about user than the Samba host. +99% of the time, this other host is a domain controller. Now +in order to operate in domain mode security, the "workgroup" parameter +must be set to the name of the Windows NT domain (which already +has a domain controller, right?)</P +><P +>Therefore configuring a Samba box as a DC for a domain that +already by definition has a PDC is asking for trouble. +Therefore, you should always configure the Samba DC to be the DMB +for its domain.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1014" +></A +>7.8.2. Configuration Instructions: Setting up Roaming User Profiles</H2 +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE!</I +></SPAN +> Roaming profiles support is different +for Win9X and WinNT.</P +></TD +></TR +></TABLE +></DIV +><P +>Before discussing how to configure roaming profiles, it is useful to see how +Win9X and WinNT clients implement these features.</P +><P +>Win9X clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. 
This means that Win9X +profiles are restricted to being in the user's home directory.</P +><P +>WinNT clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles. +This means that support for profiles is different for Win9X and WinNT.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1022" +></A +>7.8.2.1. Windows NT Configuration</H3 +><P +>To support WinNT clients, in the [global] section of smb.conf set the +following (for example):</P +><P +><PRE +CLASS="PROGRAMLISTING" +>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE +></P +><P +>The default for this option is \\%N\%U\profile, namely +\\sambaserver\username\profile. The \\N%\%U service is created +automatically by the [homes] service. +If you are using a samba server for the profiles, you _must_ make the +share specified in the logon path browseable. </P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>[lkcl 26aug96 - we have discovered a problem where Windows clients can +maintain a connection to the [homes] share in between logins. The +[homes] share must NOT therefore be used in a profile path.]</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1030" +></A +>7.8.2.2. Windows 9X Configuration</H3 +><P +>To support Win9X clients, you must use the "logon home" parameter. Samba has +now been fixed so that "net use/home" now works as well, and it, too, relies +on the "logon home" parameter.</P +><P +>By using the logon home parameter, you are restricted to putting Win9X +profiles in the user's home directory. But wait! There is a trick you +can use. 
If you set the following in the [global] section of your +smb.conf file:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>logon home = \\%L\%U\.profiles</PRE +></P +><P +>then your Win9X clients will dutifully put their clients in a subdirectory +of your home directory called .profiles (thus making them hidden).</P +><P +>Not only that, but 'net use/home' will also work, because of a feature in +Win9X. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified \\%L\%U for "logon home".</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1038" +></A +>7.8.2.3. Win9X and WinNT Configuration</H3 +><P +>You can support profiles for both Win9X and WinNT clients by setting both the +"logon home" and "logon path" parameters. For example:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>logon home = \\%L\%U\.profiles +logon path = \\%L\profiles\%U</PRE +></P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>I have not checked what 'net use /home' does on NT when "logon home" is +set as above.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1045" +></A +>7.8.2.4. Windows 9X Profile Setup</H3 +><P +>When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders "Start Menu", "Desktop", "Programs" and "Nethood". +These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. 
You will need to use the [global] +options "preserve case = yes", "short preserve case = yes" and +"case sensitive = no" in order to maintain capital letters in shortcuts +in any of the profile folders.</P +><P +>The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file.</P +><P +></P +><OL +TYPE="1" +><LI +><P +> On the Windows 95 machine, go to Control Panel | Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer + to reboot. + </P +></LI +><LI +><P +> On the Windows 95 machine, go to Control Panel | Network | + Client for Microsoft Networks | Preferences. Select 'Log on to + NT Domain'. Then, ensure that the Primary Logon is 'Client for + Microsoft Networks'. Press OK, and this time allow the computer + to reboot. + </P +></LI +></OL +><P +>Under Windows 95, Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, if you ask me.</P +><P +>You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password.</P +><P +>Once the user has been successfully validated, the Windows 95 machine +will inform you that 'The user has not logged on before' and asks you +if you wish to save the user's preferences? 
Select 'yes'.</P +><P +>Once the Windows 95 client comes up with the desktop, you should be able +to examine the contents of the directory specified in the "logon path" +on the samba server and verify that the "Desktop", "Start Menu", +"Programs" and "Nethood" folders have been created.</P +><P +>These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then :-). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set.</P +><P +>If you have made the folders / files read-only on the samba server, +then you will get errors from the w95 machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the w95 machine, check the Unix file +permissions and ownership rights on the profile directory contents, +on the samba server.</P +><P +>If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time".</P +><P +></P +><OL +TYPE="1" +><LI +><P +> instead of logging in under the [user, password, domain] dialog, + press escape. + </P +></LI +><LI +><P +> run the regedit.exe program, and look in: + </P +><P +> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList + </P +><P +> you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be c:\windows\profiles\username), + then delete the key ProfilePath for the required user. + </P +><P +> [Exit the registry editor]. 
+ </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>WARNING</I +></SPAN +> - before deleting the contents of the + directory listed in + the ProfilePath (this is likely to be c:\windows\profiles\username), + ask them if they have any important files stored on their desktop + or in their start menu. delete the contents of the directory + ProfilePath (making a backup if any of the files are needed). + </P +><P +> This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. + </P +></LI +><LI +><P +> search for the user's .PWL password-caching file in the c:\windows + directory, and delete it. + </P +></LI +><LI +><P +> log off the windows 95 client. + </P +></LI +><LI +><P +> check the contents of the profile path (see "logon path" described + above), and delete the user.DAT or user.MAN file for the user, + making a backup if required. + </P +></LI +></OL +><P +>If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as tcpdump or netmon.exe, and +look for any error reports.</P +><P +>If you have access to an NT server, then first set up roaming profiles +and / or netlogons on the NT server. Make a packet trace, or examine +the example packet traces provided with NT server, and see what the +differences are with the equivalent samba trace.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1081" +></A +>7.8.2.5. Windows NT Workstation 4.0</H3 +><P +>When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the "logon path" parameter. 
</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>[lkcl 10aug97 - i tried setting the path to +\\samba-server\homes\profile, and discovered that this fails because +a background process maintains the connection to the [homes] share +which does _not_ close down in between user logins. you have to +have \\samba-server\%L\profile, where user is the username created +from the [homes] share].</P +></TD +></TR +></TABLE +></DIV +><P +>There is a parameter that is now available for use with NT Profiles: +"logon drive". This should be set to "h:" or any other drive, and +should be used in conjunction with the new "logon home" parameter.</P +><P +>The entry for the NT 4.0 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension) +[lkcl 10aug97 - i found that the creation of the .PDS directory failed, +and had to create these manually for each user, with a shell script. +also, i presume, but have not tested, that the full profile path must +be browseable just as it is for w95, due to the manner in which they +attempt to create the full profile path: test existence of each path +component; create path component].</P +><P +>In the profile directory, NT creates more folders than 95. It creates +"Application Data" and others, as well as "Desktop", "Nethood", +"Start Menu" and "Programs". The profile itself is stored in a file +NTuser.DAT. 
Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown.</P +><P +>You can use the System Control Panel to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +turns a profile into a mandatory one.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>[lkcl 10aug97 - i notice that NT Workstation tells me that it is +downloading a profile from a slow link. whether this is actually the +case, or whether there is some configuration issue, as yet unknown, +that makes NT Workstation _think_ that the link is a slow one is a +matter to be resolved].</P +><P +>[lkcl 20aug97 - after samba digest correspondence, one user found, and +another confirmed, that profiles cannot be loaded from a samba server +unless "security = user" and "encrypt passwords = yes" (see the file +ENCRYPTION.txt) or "security = server" and "password server = ip.address. +of.yourNTserver" are used. Either of these options will allow the NT +workstation to access the samba server using LAN manager encrypted +passwords, without the user intervention normally required by NT +workstation for clear-text passwords].</P +><P +>[lkcl 25aug97 - more comments received about NT profiles: the case of +the profile _matters_. the file _must_ be called NTuser.DAT or, for +a mandatory profile, NTuser.MAN].</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1094" +></A +>7.8.2.6. Windows NT Server</H3 +><P +>There is nothing to stop you specifying any path that you like for the +location of users' profiles. 
Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1097" +></A +>7.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</H3 +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Potentially outdated or incorrect material follows</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>I think this is all bogus, but have not deleted it. (Richard Sharpe)</P +></TD +></TR +></TABLE +></DIV +><P +>The default logon path is \\%N\%U. NT Workstation will attempt to create +a directory "\\samba-server\username.PDS" if you specify the logon path +as "\\samba-server\username" with the NT User Manager. Therefore, you +will need to specify (for example) "\\samba-server\username\profile". +NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which +is more likely to succeed.</P +><P +>If you then want to share the same Start Menu / Desktop with W95, you will +need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 +this has its drawbacks: i created a shortcut to telnet.exe, which attempts +to run from the c:\winnt\system32 directory. 
this directory is obviously +unlikely to exist on a Win95-only host].</P +><P +> If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>[lkcl 25aug97 - there are some issues to resolve with downloading of +NT profiles, probably to do with time/date stamps. i have found that +NTuser.DAT is never updated on the workstation after the first time that +it is copied to the local workstation profile directory. this is in +contrast to w95, where it _does_ transfer / update profiles correctly].</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1107" +></A +>7.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</H1 +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/docbook-dsssl/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Possibly Outdated Material</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> This appendix was originally authored by John H Terpstra of + the Samba Team and is included here for posterity. + </P +></TD +></TR +></TABLE +></DIV +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE :</I +></SPAN +> +The term "Domain Controller" and those related to it refer to one specific +method of authentication that can underly an SMB domain. Domain Controllers +prior to Windows NT Server 3.1 were sold by various companies and based on +private extensions to the LAN Manager 2.1 protocol. Windows NT introduced +Microsoft-specific ways of distributing the user authentication database. 
+See DOMAIN.txt for examples of how Samba can participate in or create +SMB domains based on shared authentication database schemes other than the +Windows NT SAM.</P +><P +>Windows NT Server can be installed as either a plain file and print server +(WORKGROUP workstation or server) or as a server that participates in Domain +Control (DOMAIN member, Primary Domain controller or Backup Domain controller). +The same is true for OS/2 Warp Server, Digital Pathworks and other similar +products, all of which can participate in Domain Control along with Windows NT.</P +><P +>To many people these terms can be confusing, so let's try to clear the air.</P +><P +>Every Windows NT system (workstation or server) has a registry database. +The registry contains entries that describe the initialization information +for all services (the equivalent of Unix Daemons) that run within the Windows +NT environment. The registry also contains entries that tell application +software where to find dynamically loadable libraries that they depend upon. 
+In fact, the registry contains entries that describes everything that anything +may need to know to interact with the rest of the system.</P +><P +>The registry files can be located on any Windows NT machine by opening a +command prompt and typing:</P +><P +><TT +CLASS="PROMPT" +>C:\WINNT\></TT +> dir %SystemRoot%\System32\config</P +><P +>The environment variable %SystemRoot% value can be obtained by typing:</P +><P +><TT +CLASS="PROMPT" +>C:\WINNT></TT +>echo %SystemRoot%</P +><P +>The active parts of the registry that you may want to be familiar with are +the files called: default, system, software, sam and security.</P +><P +>In a domain environment, Microsoft Windows NT domain controllers participate +in replication of the SAM and SECURITY files so that all controllers within +the domain have an exactly identical copy of each.</P +><P +>The Microsoft Windows NT system is structured within a security model that +says that all applications and services must authenticate themselves before +they can obtain permission from the security manager to do what they set out +to do.</P +><P +>The Windows NT User database also resides within the registry. This part of +the registry contains the user's security identifier, home directory, group +memberships, desktop profile, and so on.</P +><P +>Every Windows NT system (workstation as well as server) will have its own +registry. Windows NT Servers that participate in Domain Security control +have a database that they share in common - thus they do NOT own an +independent full registry database of their own, as do Workstations and +plain Servers.</P +><P +>The User database is called the SAM (Security Access Manager) database and +is used for all user authentication as well as for authentication of inter- +process authentication (i.e. 
to ensure that the service action a user has +requested is permitted within the limits of that user's privileges).</P +><P +>The Samba team have produced a utility that can dump the Windows NT SAM into +smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and +/pub/samba/pwdump on your nearest Samba mirror for the utility. This +facility is useful but cannot be easily used to implement SAM replication +to Samba systems.</P +><P +>Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers +can participate in a Domain security system that is controlled by Windows NT +servers that have been correctly configured. Almost every domain will have +ONE Primary Domain Controller (PDC). It is desirable that each domain will +have at least one Backup Domain Controller (BDC).</P +><P +>The PDC and BDCs then participate in replication of the SAM database so that +each Domain Controlling participant will have an up to date SAM component +within its registry.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="securitylevels.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="samba-bdc.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>User and Share security level (for servers not in a domain)</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="type.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
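Review bot: the roaming-profile guidance in 7.8.2.1 contradicts itself and the later sections, so a reader cannot tell which logon path is safe to configure. It gives the default as \\%N\%U\profile, says that service "is created automatically by the [homes] service" (written there as \\N%\%U, which should be \\%N\%U), and the lkcl note directly underneath says [homes] must NOT be used in a profile path; 7.8.2.7 then gives the default as \\%N\%U. Please state one default and say explicitly whether it can be relied on. Related substitution slips in the same hunk: the 7.8.2.5 note recommends \\samba-server\%L\profile "where user is the username", which reads as if %U or a literal user was intended, and 7.8.2.4 tells the admin to check the directory named by "logon path" although 7.8.2.2 says Win9X clients use "logon home". In 7.8.2.2, "put their clients in a subdirectory" should be "put their profiles". The registry location in the profile reset steps, HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList, looks incomplete and should be checked against a Windows 95 machine before this ships.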
\ No newline at end of file diff --git a/docs/htmldocs/type.html b/docs/htmldocs/type.html new file mode 100644 index 0000000000..ec6aa6df6c --- /dev/null +++ b/docs/htmldocs/type.html 
@@ -0,0 +1,392 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Type of installation</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="PREVIOUS" +TITLE="LanMan and NT Password Encryption in Samba" +HREF="pwencrypt.html"><LINK +REL="NEXT" +TITLE="User and Share security level (for servers not in a domain)" +HREF="securitylevels.html"></HEAD +><BODY +CLASS="PART" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="pwencrypt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="securitylevels.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="PART" +><A +NAME="TYPE" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +>II. Type of installation</H1 +><DIV +CLASS="PARTINTRO" +><A +NAME="AEN547" +></A +><H1 +>Introduction</H1 +><P +>Samba can operate in various SMB networks. This part contains information on configuring samba +for various environments.</P +></DIV +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>6. <A +HREF="securitylevels.html" +>User and Share security level (for servers not in a domain)</A +></DT +><DT +>7. <A +HREF="samba-pdc.html" +>How to Configure Samba as a NT4 Primary Domain Controller</A +></DT +><DD +><DL +><DT +>7.1. <A +HREF="samba-pdc.html#AEN591" +>Prerequisite Reading</A +></DT +><DT +>7.2. <A +HREF="samba-pdc.html#AEN597" +>Background</A +></DT +><DT +>7.3. 
<A +HREF="samba-pdc.html#AEN636" +>Configuring the Samba Domain Controller</A +></DT +><DT +>7.4. <A +HREF="samba-pdc.html#AEN679" +>Creating Machine Trust Accounts and Joining Clients to the +Domain</A +></DT +><DD +><DL +><DT +>7.4.1. <A +HREF="samba-pdc.html#AEN698" +>Manual Creation of Machine Trust Accounts</A +></DT +><DT +>7.4.2. <A +HREF="samba-pdc.html#AEN739" +>"On-the-Fly" Creation of Machine Trust Accounts</A +></DT +><DT +>7.4.3. <A +HREF="samba-pdc.html#AEN748" +>Joining the Client to the Domain</A +></DT +></DL +></DD +><DT +>7.5. <A +HREF="samba-pdc.html#AEN763" +>Common Problems and Errors</A +></DT +><DT +>7.6. <A +HREF="samba-pdc.html#AEN811" +>System Policies and Profiles</A +></DT +><DT +>7.7. <A +HREF="samba-pdc.html#AEN855" +>What other help can I get?</A +></DT +><DT +>7.8. <A +HREF="samba-pdc.html#AEN969" +>Domain Control for Windows 9x/ME</A +></DT +><DD +><DL +><DT +>7.8.1. <A +HREF="samba-pdc.html#AEN995" +>Configuration Instructions: Network Logons</A +></DT +><DT +>7.8.2. <A +HREF="samba-pdc.html#AEN1014" +>Configuration Instructions: Setting up Roaming User Profiles</A +></DT +></DL +></DD +><DT +>7.9. <A +HREF="samba-pdc.html#AEN1107" +>DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A +></DT +></DL +></DD +><DT +>8. <A +HREF="samba-bdc.html" +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A +></DT +><DD +><DL +><DT +>8.1. <A +HREF="samba-bdc.html#AEN1143" +>Prerequisite Reading</A +></DT +><DT +>8.2. <A +HREF="samba-bdc.html#AEN1147" +>Background</A +></DT +><DT +>8.3. <A +HREF="samba-bdc.html#AEN1155" +>What qualifies a Domain Controller on the network?</A +></DT +><DD +><DL +><DT +>8.3.1. <A +HREF="samba-bdc.html#AEN1158" +>How does a Workstation find its domain controller?</A +></DT +><DT +>8.3.2. <A +HREF="samba-bdc.html#AEN1161" +>When is the PDC needed?</A +></DT +></DL +></DD +><DT +>8.4. <A +HREF="samba-bdc.html#AEN1164" +>Can Samba be a Backup Domain Controller?</A +></DT +><DT +>8.5. 
<A +HREF="samba-bdc.html#AEN1168" +>How do I set up a Samba BDC?</A +></DT +><DD +><DL +><DT +>8.5.1. <A +HREF="samba-bdc.html#AEN1185" +>How do I replicate the smbpasswd file?</A +></DT +></DL +></DD +></DL +></DD +><DT +>9. <A +HREF="ads.html" +>Samba as a ADS domain member</A +></DT +><DD +><DL +><DT +>9.1. <A +HREF="ads.html#AEN1203" +>Installing the required packages for Debian</A +></DT +><DT +>9.2. <A +HREF="ads.html#AEN1209" +>Installing the required packages for RedHat</A +></DT +><DT +>9.3. <A +HREF="ads.html#AEN1218" +>Compile Samba</A +></DT +><DT +>9.4. <A +HREF="ads.html#AEN1230" +>Setup your /etc/krb5.conf</A +></DT +><DT +>9.5. <A +HREF="ads.html#AEN1240" +>Create the computer account</A +></DT +><DD +><DL +><DT +>9.5.1. <A +HREF="ads.html#AEN1244" +>Possible errors</A +></DT +></DL +></DD +><DT +>9.6. <A +HREF="ads.html#AEN1256" +>Test your server setup</A +></DT +><DT +>9.7. <A +HREF="ads.html#AEN1261" +>Testing with smbclient</A +></DT +><DT +>9.8. <A +HREF="ads.html#AEN1264" +>Notes</A +></DT +></DL +></DD +><DT +>10. <A +HREF="domain-security.html" +>Samba as a NT4 domain member</A +></DT +><DD +><DL +><DT +>10.1. <A +HREF="domain-security.html#AEN1286" +>Joining an NT Domain with Samba 2.2</A +></DT +><DT +>10.2. <A +HREF="domain-security.html#AEN1350" +>Samba and Windows 2000 Domains</A +></DT +><DT +>10.3. 
<A +HREF="domain-security.html#AEN1355" +>Why is this better than security = server?</A +></DT +></DL +></DD +></DL +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="pwencrypt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="securitylevels.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>LanMan and NT Password Encryption in Samba</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>User and Share security level (for servers not in a domain)</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
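Review bot: table of contents entry 10.1, "Joining an NT Domain with Samba 2.2", names an older release, while the vfs.html chapter added in the same commit describes behaviour "Since samba 3.0"; please confirm the chapter applies to this release and retitle it, or mark it as legacy material the way 7.9 is marked. The chapter titles "Samba as a ADS domain member", "Samba as a NT4 domain member" and "How to Configure Samba as a NT4 Primary Domain Controller" should read "an ADS" and "an NT4". This file carries a GENERATOR meta tag for the Modular DocBook HTML Stylesheet, so these fixes belong in the DocBook sources with the HTML regenerated rather than edited by hand, and regenerating is also the place to fix the missing newline at end of file.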
\ No newline at end of file diff --git a/docs/htmldocs/vfs.html b/docs/htmldocs/vfs.html new file mode 100644 index 0000000000..fb0554e10c --- /dev/null +++ b/docs/htmldocs/vfs.html 
@@ -0,0 +1,403 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Stackable VFS modules</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Optional configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Passdb XML plugin" +HREF="pdb-xml.html"><LINK +REL="NEXT" +TITLE="Storing Samba's User/Machine Account information in an LDAP Directory" +HREF="samba-ldap-howto.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="pdb-xml.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="samba-ldap-howto.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="VFS" +></A +>Chapter 19. Stackable VFS modules</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2651" +></A +>19.1. Introduction and configuration</H1 +><P +>Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. +Samba passes each request to access the unix file system thru the loaded VFS modules. +This chapter covers all the modules that come with the samba source and references to +some external modules.</P +><P +>You may have problems to compile these modules, as shared libraries are +compiled and linked in different ways on different systems. 
+I currently tested them against GNU/linux and IRIX.</P +><P +>To use the VFS modules, create a share similar to the one below. The +important parameter is the <B +CLASS="COMMAND" +>vfs object</B +> parameter which must point to +the exact pathname of the shared library object. For example, to use audit.so: + +<PRE +CLASS="PROGRAMLISTING" +> [audit] + comment = Audited /data directory + path = /data + vfs object = /path/to/audit.so + writeable = yes + browseable = yes</PRE +></P +><P +>Further documentation on writing VFS modules for Samba can be found in +docs directory of the Samba source distribution.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2659" +></A +>19.2. Included modules</H1 +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2661" +></A +>19.2.1. audit</H2 +><P +>A simple module to audit file access to the syslog +facility. The following operations are logged: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>share</TD +></TR +><TR +><TD +>connect/disconnect</TD +></TR +><TR +><TD +>directory opens/create/remove</TD +></TR +><TR +><TD +>file open/close/rename/unlink/chmod</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2669" +></A +>19.2.2. recycle</H2 +><P +>A recycle-bin like modules. 
When used any unlink call +will be intercepted and files moved to the recycle +directory instead of beeing deleted.</P +><P +>Supported options: +<P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>vfs_recycle_bin:repository</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:keeptree</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:versions</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:touch</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:maxsize</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:exclude</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:exclude_dir</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:noversions</DT +><DD +><P +>FIXME</P +></DD +></DL +></DIV +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2706" +></A +>19.2.3. netatalk</H2 +><P +>A netatalk module, that will ease co-existence of samba and +netatalk file sharing services.</P +><P +>Advantages compared to the old netatalk module: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD +></TR +><TR +><TD +>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2713" +></A +>19.3. VFS modules available elsewhere</H1 +><P +>This section contains a listing of various other VFS modules that +have been posted but don't currently reside in the Samba CVS +tree for one reason ot another (e.g. it is easy for the maintainer +to have his or her own CVS tree).</P +><P +>No statemets about the stability or functionality any module +should be implied due to its presence here.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2717" +></A +>19.3.1. 
DatabaseFS</H2 +><P +>URL: <A +HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" +TARGET="_top" +>http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A +></P +><P +>By <A +HREF="mailto:elorimer@css.tayloru.edu" +TARGET="_top" +>Eric Lorimer</A +>.</P +><P +>I have created a VFS module which implements a fairly complete read-only +filesystem. It presents information from a database as a filesystem in +a modular and generic way to allow different databases to be used +(originally designed for organizing MP3s under directories such as +"Artists," "Song Keywords," etc... I have since applied it to a student +roster database very easily). The directory structure is stored in the +database itself and the module makes no assumptions about the database +structure beyond the table it requires to run.</P +><P +>Any feedback would be appreciated: comments, suggestions, patches, +etc... If nothing else, hopefully it might prove useful for someone +else who wishes to create a virtual filesystem.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2725" +></A +>19.3.2. vscan</H2 +><P +>URL: <A +HREF="http://www.openantivirus.org/" +TARGET="_top" +>http://www.openantivirus.org/</A +></P +><P +>samba-vscan is a proof-of-concept module for Samba, which +uses the VFS (virtual file system) features of Samba 2.2.x/3.0 +alphaX. Of couse, Samba has to be compiled with VFS support. 
+samba-vscan supports various virus scanners and is maintained +by Rainer Link.</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="pdb-xml.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="samba-ldap-howto.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Passdb XML plugin</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Storing Samba's User/Machine Account information in an LDAP Directory</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/source3/modules/vfs_audit.c b/source3/modules/vfs_audit.c new file mode 100644 index 0000000000..92b78c1c32 --- /dev/null +++ b/source3/modules/vfs_audit.c 
@@ -0,0 +1,268 @@ +/* + * Auditing VFS module for samba. Log selected file operations to syslog + * facility. + * + * Copyright (C) Tim Potter, 1999-2000 + * Copyright (C) Alexander Bokovoy, 2002 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "config.h" +#include <stdio.h> +#include <sys/stat.h> +#ifdef HAVE_UTIME_H +#include <utime.h> +#endif +#ifdef HAVE_DIRENT_H +#include <dirent.h> +#endif +#include <syslog.h> +#ifdef HAVE_FCNTL_H +#include <fcntl.h> +#endif +#include <errno.h> +#include <string.h> +#include <includes.h> +#include <vfs.h> + +#ifndef SYSLOG_FACILITY +#define SYSLOG_FACILITY LOG_USER +#endif + +#ifndef SYSLOG_PRIORITY +#define SYSLOG_PRIORITY LOG_NOTICE +#endif + +/* Function prototypes */ + +static int audit_connect(struct connection_struct *conn, const char *svc, const char *user); +static void audit_disconnect(struct connection_struct *conn); +static DIR *audit_opendir(struct connection_struct *conn, const char *fname); +static int audit_mkdir(struct connection_struct *conn, const char *path, mode_t mode); +static int audit_rmdir(struct connection_struct *conn, const char *path); +static int audit_open(struct connection_struct *conn, const char *fname, int flags, mode_t mode); +static int audit_close(struct files_struct *fsp, int fd); +static int audit_rename(struct 
connection_struct *conn, const char *old, const char *new); +static int audit_unlink(struct connection_struct *conn, const char *path); +static int audit_chmod(struct connection_struct *conn, const char *path, mode_t mode); +static int audit_chmod_acl(struct connection_struct *conn, const char *name, mode_t mode); +static int audit_fchmod(struct files_struct *fsp, int fd, mode_t mode); +static int audit_fchmod_acl(struct files_struct *fsp, int fd, mode_t mode); + +/* VFS operations */ + +static struct vfs_ops default_vfs_ops; /* For passthrough operation */ +static struct smb_vfs_handle_struct *audit_handle; + +static vfs_op_tuple audit_ops[] = { + + /* Disk operations */ + + {audit_connect, SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_LOGGER}, + {audit_disconnect, SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_LOGGER}, + + /* Directory operations */ + + {audit_opendir, SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_LOGGER}, + {audit_mkdir, SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_LOGGER}, + {audit_rmdir, SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_LOGGER}, + + /* File operations */ + + {audit_open, SMB_VFS_OP_OPEN, SMB_VFS_LAYER_LOGGER}, + {audit_close, SMB_VFS_OP_CLOSE, SMB_VFS_LAYER_LOGGER}, + {audit_rename, SMB_VFS_OP_RENAME, SMB_VFS_LAYER_LOGGER}, + {audit_unlink, SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_LOGGER}, + {audit_chmod, SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_LOGGER}, + {audit_fchmod, SMB_VFS_OP_FCHMOD, SMB_VFS_LAYER_LOGGER}, + {audit_chmod_acl, SMB_VFS_OP_CHMOD_ACL, SMB_VFS_LAYER_LOGGER}, + {audit_fchmod_acl, SMB_VFS_OP_FCHMOD_ACL, SMB_VFS_LAYER_LOGGER}, + + /* Finish VFS operations definition */ + + {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; + +/* VFS initialisation function. Return vfs_op_tuple array back to SAMBA. 
*/ + +vfs_op_tuple *vfs_init(int *vfs_version, struct vfs_ops *def_vfs_ops, + struct smb_vfs_handle_struct *vfs_handle) +{ + *vfs_version = SMB_VFS_INTERFACE_VERSION; + memcpy(&default_vfs_ops, def_vfs_ops, sizeof(struct vfs_ops)); + + audit_handle = vfs_handle; + + openlog("smbd_audit", LOG_PID, SYSLOG_FACILITY); + syslog(SYSLOG_PRIORITY, "VFS_INIT: vfs_ops loaded\n"); + return audit_ops; +} + +/* VFS finalization function. */ +void vfs_done(connection_struct *conn) +{ + syslog(SYSLOG_PRIORITY, "VFS_DONE: vfs module unloaded\n"); +} + +/* Implementation of vfs_ops. Pass everything on to the default + operation but log event first. */ + +static int audit_connect(struct connection_struct *conn, const char *svc, const char *user) +{ + syslog(SYSLOG_PRIORITY, "connect to service %s by user %s\n", + svc, user); + + return default_vfs_ops.connect(conn, svc, user); +} + +static void audit_disconnect(struct connection_struct *conn) +{ + syslog(SYSLOG_PRIORITY, "disconnected\n"); + default_vfs_ops.disconnect(conn); +} + +static DIR *audit_opendir(struct connection_struct *conn, const char *fname) +{ + DIR *result = default_vfs_ops.opendir(conn, fname); + + syslog(SYSLOG_PRIORITY, "opendir %s %s%s\n", + fname, + (result == NULL) ? "failed: " : "", + (result == NULL) ? strerror(errno) : ""); + + return result; +} + +static int audit_mkdir(struct connection_struct *conn, const char *path, mode_t mode) +{ + int result = default_vfs_ops.mkdir(conn, path, mode); + + syslog(SYSLOG_PRIORITY, "mkdir %s %s%s\n", + path, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_rmdir(struct connection_struct *conn, const char *path) +{ + int result = default_vfs_ops.rmdir(conn, path); + + syslog(SYSLOG_PRIORITY, "rmdir %s %s%s\n", + path, + (result < 0) ? "failed: " : "", + (result < 0) ? 
strerror(errno) : ""); + + return result; +} + +static int audit_open(struct connection_struct *conn, const char *fname, int flags, mode_t mode) +{ + int result = default_vfs_ops.open(conn, fname, flags, mode); + + syslog(SYSLOG_PRIORITY, "open %s (fd %d) %s%s%s\n", + fname, result, + ((flags & O_WRONLY) || (flags & O_RDWR)) ? "for writing " : "", + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_close(struct files_struct *fsp, int fd) +{ + int result = default_vfs_ops.close(fsp, fd); + + syslog(SYSLOG_PRIORITY, "close fd %d %s%s\n", + fd, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_rename(struct connection_struct *conn, const char *old, const char *new) +{ + int result = default_vfs_ops.rename(conn, old, new); + + syslog(SYSLOG_PRIORITY, "rename %s -> %s %s%s\n", + old, new, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_unlink(struct connection_struct *conn, const char *path) +{ + int result = default_vfs_ops.unlink(conn, path); + + syslog(SYSLOG_PRIORITY, "unlink %s %s%s\n", + path, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_chmod(struct connection_struct *conn, const char *path, mode_t mode) +{ + int result = default_vfs_ops.chmod(conn, path, mode); + + syslog(SYSLOG_PRIORITY, "chmod %s mode 0x%x %s%s\n", + path, mode, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_chmod_acl(struct connection_struct *conn, const char *path, mode_t mode) +{ + int result = default_vfs_ops.chmod_acl(conn, path, mode); + + syslog(SYSLOG_PRIORITY, "chmod_acl %s mode 0x%x %s%s\n", + path, mode, + (result < 0) ? "failed: " : "", + (result < 0) ? 
strerror(errno) : ""); + + return result; +} + +static int audit_fchmod(struct files_struct *fsp, int fd, mode_t mode) +{ + int result = default_vfs_ops.fchmod(fsp, fd, mode); + + syslog(SYSLOG_PRIORITY, "fchmod %s mode 0x%x %s%s\n", + fsp->fsp_name, mode, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} + +static int audit_fchmod_acl(struct files_struct *fsp, int fd, mode_t mode) +{ + int result = default_vfs_ops.fchmod_acl(fsp, fd, mode); + + syslog(SYSLOG_PRIORITY, "fchmod_acl %s mode 0x%x %s%s\n", + fsp->fsp_name, mode, + (result < 0) ? "failed: " : "", + (result < 0) ? strerror(errno) : ""); + + return result; +} diff --git a/source3/modules/vfs_netatalk.c b/source3/modules/vfs_netatalk.c new file mode 100644 index 0000000000..353be36e6f --- /dev/null +++ b/source3/modules/vfs_netatalk.c 
@@ -0,0 +1,430 @@ +/* + * AppleTalk VFS module for Samba-3.x + * + * Copyright (C) Alexei Kotovich, 2002 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "config.h" +#include <stdio.h> +#include <sys/stat.h> +#ifdef HAVE_UTIME_H +#include <utime.h> +#endif +#ifdef HAVE_DIRENT_H +#include <dirent.h> +#endif +#ifdef HAVE_FCNTL_H +#include <fcntl.h> +#endif +#include <errno.h> +#include <string.h> +#include <includes.h> +#include <vfs.h> + +#define APPLEDOUBLE ".AppleDouble" +#define ADOUBLEMODE 0777 + +/* atalk functions */ + +static int atalk_build_paths(TALLOC_CTX *ctx, const char *path, + const char *fname, char **adbl_path, char **orig_path, + SMB_STRUCT_STAT *adbl_info, SMB_STRUCT_STAT *orig_info); + +static int atalk_unlink_file(const char *path); + +static struct vfs_ops default_vfs_ops; /* For passthrough operation */ +static struct smb_vfs_handle_struct *atalk_handle; + +static int atalk_get_path_ptr(char *path) +{ + int i = 0; + int ptr = 0; + + for (i = 0; path[i]; i ++) { + if (path[i] == '/') + ptr = i; + /* get out some 'spam';) from win32's file name */ + else if (path[i] == ':') { + path[i] = '\0'; + break; + } + } + + return ptr; +} + +static int atalk_build_paths(TALLOC_CTX *ctx, const char *path, const char *fname, + char **adbl_path, char **orig_path, + SMB_STRUCT_STAT 
*adbl_info, SMB_STRUCT_STAT *orig_info) +{ + int ptr0 = 0; + int ptr1 = 0; + char *dname = 0; + char *name = 0; + + if (!ctx || !path || !fname || !adbl_path || !orig_path || + !adbl_info || !orig_info) + return -1; +#if 0 + DEBUG(3, ("ATALK: PATH: %s[%s]\n", path, fname)); +#endif + if (strstr(path, APPLEDOUBLE) || strstr(fname, APPLEDOUBLE)) { + DEBUG(3, ("ATALK: path %s[%s] already contains %s\n", path, fname, APPLEDOUBLE)); + return -1; + } + + if (fname[0] == '.') ptr0 ++; + if (fname[1] == '/') ptr0 ++; + + *orig_path = talloc_asprintf(ctx, "%s/%s", path, &fname[ptr0]); + + /* get pointer to last '/' */ + ptr1 = atalk_get_path_ptr(*orig_path); + + sys_lstat(*orig_path, orig_info); + + if (S_ISDIR(orig_info->st_mode)) { + *adbl_path = talloc_asprintf(ctx, "%s/%s/%s/", + path, &fname[ptr0], APPLEDOUBLE); + } else { + dname = talloc_strdup(ctx, *orig_path); + dname[ptr1] = '\0'; + name = *orig_path; + *adbl_path = talloc_asprintf(ctx, "%s/%s/%s", + dname, APPLEDOUBLE, &name[ptr1 + 1]); + } +#if 0 + DEBUG(3, ("ATALK: DEBUG:\n%s\n%s\n", *orig_path, *adbl_path)); +#endif + sys_lstat(*adbl_path, adbl_info); + return 0; +} + +static int atalk_unlink_file(const char *path) +{ + int ret = 0; + + become_root(); + ret = unlink(path); + unbecome_root(); + + return ret; +} + +static void atalk_add_to_list(name_compare_entry **list) +{ + int i, count = 0; + name_compare_entry *new_list = 0; + name_compare_entry *cur_list = 0; + + cur_list = *list; + + if (cur_list) { + for (i = 0, count = 0; cur_list[i].name; i ++, count ++) { + if (strstr(cur_list[i].name, APPLEDOUBLE)) + return; + } + } + + if (!(new_list = calloc(1, + (count == 0 ? 
1 : count + 1) * sizeof(name_compare_entry)))) + return; + + for (i = 0; i < count; i ++) { + new_list[i].name = strdup(cur_list[i].name); + new_list[i].is_wild = cur_list[i].is_wild; + } + + new_list[i].name = strdup(APPLEDOUBLE); + new_list[i].is_wild = False; + + free_namearray(*list); + + *list = new_list; + new_list = 0; + cur_list = 0; +} + +static void atalk_rrmdir(TALLOC_CTX *ctx, char *path) +{ + int n; + char *dpath; + struct dirent **namelist; + + if (!path) return; + + n = scandir(path, &namelist, 0, alphasort); + if (n < 0) { + return; + } else { + while (n --) { + if (strcmp(namelist[n]->d_name, ".") == 0 || + strcmp(namelist[n]->d_name, "..") == 0) + continue; + if (!(dpath = talloc_asprintf(ctx, "%s/%s", + path, namelist[n]->d_name))) + continue; + atalk_unlink_file(dpath); + free(namelist[n]); + } + } +} + +/* Disk operations */ + +/* Directory operations */ + +DIR *atalk_opendir(struct connection_struct *conn, const char *fname) +{ + DIR *ret = 0; + + ret = default_vfs_ops.opendir(conn, fname); + + /* + * when we try to perform delete operation upon file which has fork + * in ./.AppleDouble and this directory wasn't hidden by Samba, + * MS Windows explorer causes the error: "Cannot find the specified file" + * There is some workaround to avoid this situation, i.e. if + * connection has not .AppleDouble entry in either veto or hide + * list then it would be nice to add one. + */ + + atalk_add_to_list(&conn->hide_list); + atalk_add_to_list(&conn->veto_list); + + return ret; +} + +static int atalk_rmdir(struct connection_struct *conn, const char *path) +{ + BOOL add = False; + TALLOC_CTX *ctx = 0; + char *dpath; + + if (!conn || !conn->origpath || !path) goto exit_rmdir; + + /* due to there is no way to change bDeleteVetoFiles variable + * from this module, gotta use talloc stuff.. + */ + + strstr(path, APPLEDOUBLE) ? 
(add = False) : (add = True); + + if (!(ctx = talloc_init_named("remove_directory"))) + goto exit_rmdir; + + if (!(dpath = talloc_asprintf(ctx, "%s/%s%s", + conn->origpath, path, add ? "/"APPLEDOUBLE : ""))) + goto exit_rmdir; + + atalk_rrmdir(ctx, dpath); + +exit_rmdir: + talloc_destroy(ctx); + return default_vfs_ops.rmdir(conn, path); +} + +/* File operations */ + +static int atalk_rename(struct connection_struct *conn, const char *old, const char *new) +{ + int ret = 0; + char *adbl_path = 0; + char *orig_path = 0; + SMB_STRUCT_STAT adbl_info; + SMB_STRUCT_STAT orig_info; + TALLOC_CTX *ctx; + + ret = default_vfs_ops.rename(conn, old, new); + + if (!conn || !old) return ret; + + if (!(ctx = talloc_init_named("rename_file"))) + return ret; + + if (atalk_build_paths(ctx, conn->origpath, old, &adbl_path, &orig_path, + &adbl_info, &orig_info) != 0) + return ret; + + if (S_ISDIR(orig_info.st_mode) || S_ISREG(orig_info.st_mode)) { + DEBUG(3, ("ATALK: %s has passed..\n", adbl_path)); + goto exit_rename; + } + + atalk_unlink_file(adbl_path); + +exit_rename: + talloc_destroy(ctx); + return ret; +} + +static int atalk_unlink(struct connection_struct *conn, const char *path) +{ + int ret = 0, i; + char *adbl_path = 0; + char *orig_path = 0; + SMB_STRUCT_STAT adbl_info; + SMB_STRUCT_STAT orig_info; + TALLOC_CTX *ctx; + + ret = default_vfs_ops.unlink(conn, path); + + if (!conn || !path) return ret; + + /* no .AppleDouble sync if veto or hide list is empty, + * otherwise "Cannot find the specified file" error will be caused + */ + + if (!conn->veto_list) return ret; + if (!conn->hide_list) return ret; + + for (i = 0; conn->veto_list[i].name; i ++) { + if (strstr(conn->veto_list[i].name, APPLEDOUBLE)) + break; + } + + if (!conn->veto_list[i].name) { + for (i = 0; conn->hide_list[i].name; i ++) { + if (strstr(conn->hide_list[i].name, APPLEDOUBLE)) + break; + else { + DEBUG(3, ("ATALK: %s is not hidden, skipped..\n", + APPLEDOUBLE)); + return ret; + } + } + } + + if (!(ctx = 
talloc_init_named("unlink_file"))) + return ret; + + if (atalk_build_paths(ctx, conn->origpath, path, &adbl_path, &orig_path, + &adbl_info, &orig_info) != 0) + return ret; + + if (S_ISDIR(orig_info.st_mode) || S_ISREG(orig_info.st_mode)) { + DEBUG(3, ("ATALK: %s has passed..\n", adbl_path)); + goto exit_unlink; + } + + atalk_unlink_file(adbl_path); + +exit_unlink: + talloc_destroy(ctx); + return ret; +} + +static int atalk_chmod(struct connection_struct *conn, const char *path, mode_t mode) +{ + int ret = 0; + char *adbl_path = 0; + char *orig_path = 0; + SMB_STRUCT_STAT adbl_info; + SMB_STRUCT_STAT orig_info; + TALLOC_CTX *ctx; + + ret = default_vfs_ops.chmod(conn, path, mode); + + if (!conn || !path) return ret; + + if (!(ctx = talloc_init_named("chmod_file"))) + return ret; + + if (atalk_build_paths(ctx, conn->origpath, path, &adbl_path, &orig_path, + &adbl_info, &orig_info) != 0) + return ret; + + if (!S_ISDIR(orig_info.st_mode) && !S_ISREG(orig_info.st_mode)) { + DEBUG(3, ("ATALK: %s has passed..\n", orig_path)); + goto exit_chmod; + } + + chmod(adbl_path, ADOUBLEMODE); + +exit_chmod: + talloc_destroy(ctx); + return ret; +} + +static int atalk_chown(struct connection_struct *conn, const char *path, uid_t uid, gid_t gid) +{ + int ret = 0; + char *adbl_path = 0; + char *orig_path = 0; + SMB_STRUCT_STAT adbl_info; + SMB_STRUCT_STAT orig_info; + TALLOC_CTX *ctx; + + ret = default_vfs_ops.chown(conn, path, uid, gid); + + if (!conn || !path) return ret; + + if (!(ctx = talloc_init_named("chown_file"))) + return ret; + + if (atalk_build_paths(ctx, conn->origpath, path, &adbl_path, &orig_path, + &adbl_info, &orig_info) != 0) + return ret; + + if (!S_ISDIR(orig_info.st_mode) && !S_ISREG(orig_info.st_mode)) { + DEBUG(3, ("ATALK: %s has passed..\n", orig_path)); + goto exit_chown; + } + + chown(adbl_path, uid, gid); + +exit_chown: + talloc_destroy(ctx); + return ret; +} + +static vfs_op_tuple atalk_ops[] = { + + /* Directory operations */ + + {atalk_opendir, 
SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_TRANSPARENT}, + {atalk_rmdir, SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT}, + + /* File operations */ + + {atalk_rename, SMB_VFS_OP_RENAME, SMB_VFS_LAYER_TRANSPARENT}, + {atalk_unlink, SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT}, + {atalk_chmod, SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_TRANSPARENT}, + {atalk_chown, SMB_VFS_OP_CHOWN, SMB_VFS_LAYER_TRANSPARENT}, + + /* Finish VFS operations definition */ + + {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; + +/* VFS initialisation function. Return vfs_op_tuple array back to SAMBA. */ +vfs_op_tuple *vfs_init(int *vfs_version, struct vfs_ops *def_vfs_ops, + struct smb_vfs_handle_struct *vfs_handle) +{ + *vfs_version = SMB_VFS_INTERFACE_VERSION; + memcpy(&default_vfs_ops, def_vfs_ops, sizeof(struct vfs_ops)); + + atalk_handle = vfs_handle; + + DEBUG(3, ("ATALK: vfs module loaded\n")); + return atalk_ops; +} + +/* VFS finalization function. */ +void vfs_done(connection_struct *conn) +{ + DEBUG(3, ("ATALK: vfs module unloaded\n")); +} diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c new file mode 100644 index 0000000000..b59cb92a28 --- /dev/null +++ b/source3/modules/vfs_recycle.c 
@@ -0,0 +1,559 @@ +/* + * Recycle bin VFS module for Samba. + * + * Copyright (C) 2001, Brandon Stone, Amherst College, <bbstone@amherst.edu>. + * Copyright (C) 2002, Jeremy Allison - modified to make a VFS module. + * Copyright (C) 2002, Alexander Bokovoy - cascaded VFS adoption, + * Copyright (C) 2002, Juergen Hasch - added some options. + * Copyright (C) 2002, Simo Sorce + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
+ */ + +#include "includes.h" + +#define ALLOC_CHECK(ptr, label) do { if ((ptr) == NULL) { DEBUG(0, ("recycle.bin: out of memory!\n")); errno = ENOMEM; goto label; } } while(0) + +static int vfs_recycle_debug_level = DBGC_VFS; + +#undef DBGC_CLASS +#define DBGC_CLASS vfs_recycle_debug_level + +static const char *delimiter = "|"; /* delimiter for options */ + +/* One per connection */ + +typedef struct recycle_bin_struct +{ + TALLOC_CTX *ctx; + char *repository; /* name of the recycle bin directory */ + BOOL keep_dir_tree; /* keep directory structure of deleted file in recycle bin */ + BOOL versions; /* create versions of deleted files with identical name */ + BOOL touch; /* touch access date of deleted file */ + char *exclude; /* which files to exclude */ + char *exclude_dir; /* which directories to exclude */ + char *noversions; /* which files to exclude from versioning */ + SMB_OFF_T maxsize; /* maximum file size to be saved */ +} recycle_bin_struct; + +/* VFS operations */ +static struct vfs_ops default_vfs_ops; /* For passthrough operation */ + +static int recycle_connect(struct connection_struct *conn, const char *service, const char *user); +static void recycle_disconnect(struct connection_struct *conn); +static int recycle_unlink(connection_struct *, const char *); + +#define VFS_OP(x) ((void *) x) + +static vfs_op_tuple recycle_ops[] = { + + /* Disk operations */ + {VFS_OP(recycle_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT}, + {VFS_OP(recycle_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT}, + + /* File operations */ + {VFS_OP(recycle_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT}, + + {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; + +static BOOL check_bool_param(const char *value) +{ + if (strwicmp(value, "yes") == 0 || + strwicmp(value, "true") == 0 || + strwicmp(value, "1") == 0) + return True; + + return False; +} + +/** + * VFS initialisation function. 
+ * + * @retval initialised vfs_op_tuple array + **/ +vfs_op_tuple *vfs_init(int *vfs_version, struct vfs_ops *def_vfs_ops, + struct smb_vfs_handle_struct *vfs_handle) +{ + DEBUG(10, ("Initializing VFS module recycle\n")); + *vfs_version = SMB_VFS_INTERFACE_VERSION; + memcpy(&default_vfs_ops, def_vfs_ops, sizeof(struct vfs_ops)); + vfs_recycle_debug_level = debug_add_class("vfs_recycle_bin"); + if (vfs_recycle_debug_level == -1) { + vfs_recycle_debug_level = DBGC_VFS; + DEBUG(0, ("vfs_recycle: Couldn't register custom debugging class!\n")); + } else { + DEBUG(0, ("vfs_recycle: Debug class number of 'vfs_recycle': %d\n", vfs_recycle_debug_level)); + } + + return recycle_ops; +} + +/** + * VFS finalization function. + * + **/ +void vfs_done(connection_struct *conn) +{ + DEBUG(10,("Called for connection %d\n", SNUM(conn))); +} + +static int recycle_connect(struct connection_struct *conn, const char *service, const char *user) +{ + TALLOC_CTX *ctx = NULL; + recycle_bin_struct *recbin; + char *servicename; + char *tmp_str; + + DEBUG(10, ("Called for service %s (%d) as user %s\n", service, SNUM(conn), user)); + + if (!(ctx = talloc_init_named("recycle bin"))) { + DEBUG(0, ("Failed to allocate memory in VFS module recycle_bin\n")); + return 0; + } + + recbin = talloc(ctx,sizeof(recycle_bin_struct)); + if ( recbin == NULL) { + DEBUG(0, ("Failed to allocate memory in VFS module recycle_bin\n")); + return -1; + } + recbin->ctx = ctx; + + /* Set defaults */ + recbin->repository = talloc_strdup(ctx, ".recycle"); + ALLOC_CHECK(recbin->repository, error); + recbin->keep_dir_tree = False; + recbin->versions = False; + recbin->touch = False; + recbin->exclude = ""; + recbin->exclude_dir = ""; + recbin->noversions = ""; + recbin->maxsize = 0; + + /* parse configuration options */ + servicename = talloc_strdup(recbin->ctx, lp_servicename(SNUM(conn))); + DEBUG(10, ("servicename = %s\n",servicename)); + if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "repository")) != 
NULL) { + recbin->repository = talloc_sub_conn(ctx, conn, tmp_str); + ALLOC_CHECK(recbin->repository, error); + trim_string(recbin->repository, "/", "/"); + DEBUG(5, ("recycle.bin: repository = %s\n", recbin->repository)); + } + if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "keeptree")) != NULL) { + if (check_bool_param(tmp_str) == True) + recbin->keep_dir_tree = True; + DEBUG(5, ("recycle.bin: keeptree = %s\n", tmp_str)); + } + if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "versions")) != NULL) { + if (check_bool_param(tmp_str) == True) + recbin->versions = True; + DEBUG(5, ("recycle.bin: versions = %s\n", tmp_str)); + } + if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "touch")) != NULL) { + if (check_bool_param(tmp_str) == True) + recbin->touch = True; + DEBUG(5, ("recycle.bin: touch = %s\n", tmp_str)); + } + if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "maxsize")) != NULL) { + recbin->maxsize = strtoul(tmp_str, NULL, 10); + if (recbin->maxsize == 0) { + recbin->maxsize = -1; + DEBUG(5, ("recycle.bin: maxsize = -infinite-\n")); + } else { + DEBUG(5, ("recycle.bin: maxsize = %ld\n", (long int)recbin->maxsize)); + } + } + if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "exclude")) != NULL) { + recbin->exclude = talloc_strdup(ctx, tmp_str); + ALLOC_CHECK(recbin->exclude, error); + DEBUG(5, ("recycle.bin: exclude = %s\n", recbin->exclude)); + } + if ((tmp_str = lp_parm_string(servicename,"vfs_recycle_bin", "exclude_dir")) != NULL) { + recbin->exclude_dir = talloc_strdup(ctx, tmp_str); + ALLOC_CHECK(recbin->exclude_dir, error); + DEBUG(5, ("recycle.bin: exclude_dir = %s\n", recbin->exclude_dir)); + } + if ((tmp_str = lp_parm_string(servicename,"vfs_recycle_bin", "noversions")) != NULL) { + recbin->noversions = talloc_strdup(ctx, tmp_str); + ALLOC_CHECK(recbin->noversions, error); + DEBUG(5, ("recycle.bin: noversions = %s\n", recbin->noversions)); + } + + conn->vfs_private = (void *)recbin; + 
return default_vfs_ops.connect(conn, service, user); + +error: + talloc_destroy(ctx); + return -1; +} + +static void recycle_disconnect(struct connection_struct *conn) +{ + DEBUG(10, ("Disconnecting VFS module recycle bin\n")); + if (conn->vfs_private) { + talloc_destroy(((recycle_bin_struct *)conn->vfs_private)->ctx); + conn->vfs_private = NULL; + } + default_vfs_ops.disconnect(conn); +} + +static BOOL recycle_directory_exist(connection_struct *conn, const char *dname) +{ + SMB_STRUCT_STAT st; + + if (default_vfs_ops.stat(conn, dname, &st) == 0) { + if (S_ISDIR(st.st_mode)) { + return True; + } + } + + return False; +} + +static BOOL recycle_file_exist(connection_struct *conn, const char *fname) +{ + SMB_STRUCT_STAT st; + + if (default_vfs_ops.stat(conn, fname, &st) == 0) { + if (S_ISREG(st.st_mode)) { + return True; + } + } + + return False; +} + +/** + * Return file size + * @param conn connection + * @param fname file name + * @return size in bytes + **/ +static SMB_OFF_T recycle_get_file_size(connection_struct *conn, const char *fname) +{ + SMB_STRUCT_STAT st; + if (default_vfs_ops.stat(conn, fname, &st) != 0) { + DEBUG(0,("recycle.bin: stat for %s returned %s\n", fname, strerror(errno))); + return (SMB_OFF_T)0; + } + return(st.st_size); +} + +/** + * Create directory tree + * @param conn connection + * @param dname Directory tree to be created + * @return Returns True for success + **/ +static BOOL recycle_create_dir(connection_struct *conn, const char *dname) +{ + int len; + mode_t mode; + char *new_dir = NULL; + char *tmp_str = NULL; + char *token; + char *tok_str; + BOOL ret = False; + + mode = S_IREAD | S_IWRITE | S_IEXEC; + + tmp_str = strdup(dname); + ALLOC_CHECK(tmp_str, done); + tok_str = tmp_str; + + len = strlen(dname); + new_dir = (char *)malloc(len + 1); + ALLOC_CHECK(new_dir, done); + *new_dir = '\0'; + + /* Create directory tree if neccessary */ + for(token = strtok(tok_str, "/"); token; token = strtok(NULL, "/")) { + safe_strcat(new_dir, token, 
len); + if (recycle_directory_exist(conn, new_dir)) + DEBUG(10, ("recycle.bin: dir %s already exists\n", new_dir)); + else { + DEBUG(5, ("recycle.bin: creating new dir %s\n", new_dir)); + if (default_vfs_ops.mkdir(conn, new_dir, mode) != 0) { + DEBUG(1,("recycle.bin: mkdir failed for %s with error: %s\n", new_dir, strerror(errno))); + ret = False; + goto done; + } + } + safe_strcat(new_dir, "/", len); + } + + ret = True; +done: + SAFE_FREE(tmp_str); + SAFE_FREE(new_dir); + return ret; +} + +/** + * Check if needle is contained exactly in haystack + * @param haystack list of parameters separated by delimimiter character + * @param needle string to be matched exactly to haystack + * @return True if found + **/ +static BOOL checkparam(const char *haystack, const char *needle) +{ + char *token; + char *tok_str; + char *tmp_str; + BOOL ret = False; + + if (haystack == NULL || strlen(haystack) == 0 || needle == NULL || strlen(needle) == 0) { + return False; + } + + tmp_str = strdup(haystack); + ALLOC_CHECK(tmp_str, done); + token = tok_str = tmp_str; + + for(token = strtok(tok_str, delimiter); token; token = strtok(NULL, delimiter)) { + if(strcmp(token, needle) == 0) { + ret = True; + goto done; + } + } +done: + SAFE_FREE(tmp_str); + return ret; +} + +/** + * Check if needle is contained in haystack, * and ? 
patterns are resolved + * @param haystack list of parameters separated by delimimiter character + * @param needle string to be matched exectly to haystack including pattern matching + * @return True if found + **/ +static BOOL matchparam(const char *haystack, const char *needle) +{ + char *token; + char *tok_str; + char *tmp_str; + BOOL ret = False; + + if (haystack == NULL || strlen(haystack) == 0 || needle == NULL || strlen(needle) == 0) { + return False; + } + + tmp_str = strdup(haystack); + ALLOC_CHECK(tmp_str, done); + token = tok_str = tmp_str; + + for(token = strtok(tok_str, delimiter); token; token = strtok(NULL, delimiter)) { + if (!unix_wild_match(token, needle)) { + ret = True; + goto done; + } + } +done: + SAFE_FREE(tmp_str); + return ret; +} + +/** + * Touch access date + **/ +static void recycle_touch(connection_struct *conn, const char *fname) +{ + SMB_STRUCT_STAT st; + struct utimbuf tb; + time_t currtime; + + if (default_vfs_ops.stat(conn, fname, &st) != 0) { + DEBUG(0,("recycle.bin: stat for %s returned %s\n", fname, strerror(errno))); + return; + } + currtime = time(&currtime); + tb.actime = currtime; + tb.modtime = st.st_mtime; + + if (default_vfs_ops.utime(conn, fname, &tb) == -1 ) + DEBUG(0, ("recycle.bin: touching %s failed, reason = %s\n", fname, strerror(errno))); + } + +/** + * Check if file should be recycled + **/ +static int recycle_unlink(connection_struct *conn, const char *inname) +{ + recycle_bin_struct *recbin; + char *file_name = NULL; + char *path_name = NULL; + char *temp_name = NULL; + char *final_name = NULL; + char *base; + int i; + SMB_BIG_UINT dfree, dsize, bsize; + SMB_OFF_T file_size, space_avail; + BOOL exist; + int rc = -1; + + file_name = strdup(inname); + ALLOC_CHECK(file_name, done); + + if (conn->vfs_private) + recbin = (recycle_bin_struct *)conn->vfs_private; + else { + DEBUG(0, ("Recycle bin not initialized!\n")); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + if(!recbin->repository || 
*(recbin->repository) == '\0') { + DEBUG(3, ("Recycle path not set, purging %s...\n", file_name)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + /* we don't recycle the recycle bin... */ + if (strncmp(file_name, recbin->repository, strlen(recbin->repository)) == 0) { + DEBUG(3, ("File is within recycling bin, unlinking ...\n")); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + file_size = recycle_get_file_size(conn, file_name); + /* it is wrong to purge filenames only because they are empty imho + * --- simo + * + if(fsize == 0) { + DEBUG(3, ("File %s is empty, purging...\n", file_name)); + rc = default_vfs_ops.unlink(conn,file_name); + goto done; + } + */ + + /* FIXME: this is wrong, we should check the hole size of the recycle bin is + * not greater then maxsize, not the size of the single file, also it is better + * to remove older files + */ + if(recbin->maxsize > 0 && file_size > recbin->maxsize) { + DEBUG(3, ("File %s exceeds maximum recycle size, purging... 
\n", file_name)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + /* FIXME: this is wrong: moving files with rename does not change the disk space + * allocation + * + space_avail = default_vfs_ops.disk_free(conn, ".", True, &bsize, &dfree, &dsize) * 1024L; + DEBUG(5, ("space_avail = %Lu, file_size = %Lu\n", space_avail, file_size)); + if(space_avail < file_size) { + DEBUG(3, ("Not enough diskspace, purging file %s\n", file_name)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + */ + + /* extract filename and path */ + path_name = (char *)malloc(PATH_MAX); + ALLOC_CHECK(path_name, done); + *path_name = '\0'; + safe_strcpy(path_name, file_name, PATH_MAX); + base = strrchr(path_name, '/'); + if (base == NULL) { + base = file_name; + safe_strcpy(path_name, "/", PATH_MAX); + } + else { + *base = '\0'; + base++; + } + + DEBUG(10, ("recycle.bin: fname = %s\n", file_name)); /* original filename with path */ + DEBUG(10, ("recycle.bin: fpath = %s\n", path_name)); /* original path */ + DEBUG(10, ("recycle.bin: base = %s\n", base)); /* filename without path */ + + if (matchparam(recbin->exclude, base)) { + DEBUG(3, ("recycle.bin: file %s is excluded \n", base)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + /* FIXME: this check will fail if we have more than one level of directories, + * we shoud check for every level 1, 1/2, 1/2/3, 1/2/3/4 .... 
+ * ---simo + */ + if (checkparam(recbin->exclude_dir, path_name)) { + DEBUG(3, ("recycle.bin: directory %s is excluded \n", path_name)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + temp_name = (char *)malloc(PATH_MAX); + ALLOC_CHECK(temp_name, done); + safe_strcpy(temp_name, recbin->repository, PATH_MAX); + + /* see if we need to recreate the original directory structure in the recycle bin */ + if (recbin->keep_dir_tree == True) { + safe_strcat(temp_name, "/", PATH_MAX); + safe_strcat(temp_name, path_name, PATH_MAX); + } + + exist = recycle_directory_exist(conn, temp_name); + if (exist) { + DEBUG(10, ("recycle.bin: Directory already exists\n")); + } else { + DEBUG(10, ("recycle.bin: Creating directory %s\n", temp_name)); + if (recycle_create_dir(conn, temp_name) == False) { + DEBUG(3, ("Could not create directory, purging %s...\n", file_name)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + } + + final_name = (char *)malloc(PATH_MAX); + ALLOC_CHECK(final_name, done); + snprintf(final_name, PATH_MAX, "%s/%s", temp_name, base); + DEBUG(10, ("recycle.bin: recycled file name%s\n", temp_name)); /* new filename with path */ + + /* check if we should delete file from recycle bin */ + if (recycle_file_exist(conn, final_name)) { + if (recbin->versions == False || matchparam(recbin->noversions, base) == True) { + DEBUG(3, ("recycle.bin: Removing old file %s from recycle bin\n", final_name)); + if (default_vfs_ops.unlink(conn, final_name) != 0) { + DEBUG(1, ("recycle.bin: Error deleting old file: %s\n", strerror(errno))); + } + } + } + + /* rename file we move to recycle bin */ + i = 1; + while (recycle_file_exist(conn, final_name)) { + snprintf(final_name, PATH_MAX, "%s/Copy #%d of %s", temp_name, i++, base); + } + + DEBUG(10, ("recycle.bin: Moving %s to %s\n", file_name, final_name)); + rc = default_vfs_ops.rename(conn, file_name, final_name); + if (rc != 0) { + DEBUG(3, ("recycle.bin: Move error %d (%s), purging file %s 
(%s)\n", errno, strerror(errno), file_name, final_name)); + rc = default_vfs_ops.unlink(conn, file_name); + goto done; + } + + /* touch access date of moved file */ + if (recbin->touch == True ) + recycle_touch(conn, final_name); + +done: + SAFE_FREE(file_name); + SAFE_FREE(path_name); + SAFE_FREE(temp_name); + SAFE_FREE(final_name); + return rc; +} diff --git a/source3/script/installmodules.sh b/source3/script/installmodules.sh new file mode 100755 index 0000000000..9b9d950ca2 --- /dev/null +++ b/source3/script/installmodules.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +INSTALLPERMS=$1 +BASEDIR=$2 +LIBDIR=$3 +shift +shift +shift + +for p in $*; do + p2=`basename $p` + echo Installing $p as $LIBDIR/$p2 + cp -f $p $LIBDIR/ + chmod $INSTALLPERMS $LIBDIR/$p2 +done + + +cat << EOF +====================================================================== +The modules are installed. You may uninstall the modules using the +command "make uninstallmodules" or "make uninstall" to uninstall +binaries, man pages, shell scripts and modules. +====================================================================== +EOF + +exit 0 diff --git a/source3/script/uninstallmodules.sh b/source3/script/uninstallmodules.sh new file mode 100755 index 0000000000..30582a39fa --- /dev/null +++ b/source3/script/uninstallmodules.sh 
@@ -0,0 +1,37 @@ +#!/bin/sh +#4 July 96 Dan.Shearer@UniSA.edu.au + +INSTALLPERMS=$1 +BASEDIR=$2 +LIBDIR=$3 +shift +shift +shift + +if [ ! -d $LIBDIR ]; then + echo Directory $LIBDIR does not exist! + echo Do a "make installmodules" or "make install" first. + exit 1 +fi + +for p in $*; do + p2=`basename $p` + if [ -f $LIBDIR/$p2 ]; then + echo Removing $LIBDIR/$p2 + rm -f $LIBDIR/$p2 + if [ -f $LIBDIR/$p2 ]; then + echo Cannot remove $LIBDIR/$p2 ... does $USER have privileges? + fi + fi +done + + +cat << EOF +====================================================================== +The modules have been uninstalled. You may restore the modules using +the command "make installmodules" or "make install" to install +binaries, modules, man pages and shell scripts. +====================================================================== +EOF + +exit 0 diff --git a/testsuite/build_farm/basicsmb-preexec.test b/testsuite/build_farm/basicsmb-preexec.test new file mode 100644 index 0000000000..bc87723700 --- /dev/null +++ b/testsuite/build_farm/basicsmb-preexec.test @@ -0,0 +1,28 @@ +. basicsmb.fns + +password=samba +(test_smb_conf_setup && test_smbpasswd $password ) || exit 1 + +rm -f $prefix/testdir/preexec_touch + +mode=PREEXEC +(test_listfilesauth $mode) || exit 1 + +if [ -f $prefix/testdir/preexec_touch ]; then + rm -f $prefix/testdir/preexec_touch +else + exit 1; +fi + +mode=PREEXEC_close +(test_listfilesauth $mode) || exit 1 + +if [ -f $prefix/testdir/preexec_touch ]; then + rm -f $prefix/testdir/preexec_touch +else + exit 1; +fi + +mode=PREEXEC_cl_fail +(test_listfilesauth_should_deny $mode) || exit 1 + diff --git a/testsuite/build_farm/basicsmb.smb.conf.preexec.template b/testsuite/build_farm/basicsmb.smb.conf.preexec.template new file mode 100644 index 0000000000..cc34872c5d --- /dev/null +++ b/testsuite/build_farm/basicsmb.smb.conf.preexec.template @@ -0,0 +1 @@ +preexec = /bin/sh PREFIX/lib/preexec 
diff --git a/testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template b/testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template new file mode 100644 index 0000000000..5578e7110e --- /dev/null +++ b/testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template @@ -0,0 +1,2 @@ +preexec close = yes +preexec = /bin/sh PREFIX/lib/preexec_does_not_exist
\ No newline at end of file diff --git a/testsuite/build_farm/basicsmb.smb.conf.preexec_close.template b/testsuite/build_farm/basicsmb.smb.conf.preexec_close.template new file mode 100644 index 0000000000..3aac6998bf --- /dev/null +++ b/testsuite/build_farm/basicsmb.smb.conf.preexec_close.template @@ -0,0 +1,2 @@ +preexec close = yes +preexec = /bin/sh PREFIX/lib/preexec diff --git a/testsuite/build_farm/basicsmb.smb.conf.validusers.template b/testsuite/build_farm/basicsmb.smb.conf.validusers.template new file mode 100644 index 0000000000..d4a85e0a02 --- /dev/null +++ b/testsuite/build_farm/basicsmb.smb.conf.validusers.template @@ -0,0 +1 @@ + valid users = WHOAMI diff --git a/testsuite/build_farm/preexec.template b/testsuite/build_farm/preexec.template new file mode 100644 index 0000000000..e417d6a017 --- /dev/null +++ b/testsuite/build_farm/preexec.template @@ -0,0 +1,2 @@ +#!/bin/sh +echo "Test worked" > PREFIX/testdir/preexec_touch |
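Review bot: in recycle_unlink (the recycle bin module hunk), the "we don't recycle the recycle bin" test is a bare prefix comparison, `strncmp(file_name, recbin->repository, strlen(recbin->repository)) == 0`, with no check on the character that follows the prefix. With a repository value such as `.recycle` (a constructed example), a file under a sibling directory like `.recycle_old/` or a file named `.recycle.txt` is treated as already inside the bin and is permanently unlinked instead of being moved. Require the byte after the matched prefix to be '/' or '\0' before taking this branch. In the same hunk, matchparam sets ret = True when `!unix_wild_match(token, needle)` holds, while its comment promises "True if found"; if unix_wild_match returns true on a match, the exclude and noversions lists behave inverted, so please confirm the return convention or drop the negation. The rename failure path also ends in default_vfs_ops.unlink, which destroys the file the module exists to preserve; returning the rename error to the caller would be the safer default.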
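Review bot: source3/script/installmodules.sh prints "The modules are installed" and ends with `exit 0` whether or not `cp -f $p $LIBDIR/` and `chmod $INSTALLPERMS $LIBDIR/$p2` succeeded, and unlike uninstallmodules.sh it never tests that $LIBDIR exists. These are shared objects that smbd loads by path, so a partial copy or a failed chmod should stop the make target rather than pass silently. Suggest checking each command's status (or `set -e`), testing or creating $LIBDIR before the loop, and quoting the expansions (`for p in "$@"`, `"$LIBDIR/$p2"`) so paths containing spaces or glob characters are not split. BASEDIR is assigned but never used.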
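Review bot: in source3/script/uninstallmodules.sh the "Cannot remove $LIBDIR/$p2" branch only echoes a message and the script still reaches `exit 0` and the "modules have been uninstalled" banner, so a module that could not be removed is reported as uninstalled. Track a failure flag in that branch and exit non-zero when it is set. INSTALLPERMS and BASEDIR are assigned but unused here, the "4 July 96" header comment does not describe this new file, and `rm -f $LIBDIR/$p2` and `for p in $*` should be quoted for the same reason as in the install script.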
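Review bot: testsuite/build_farm/basicsmb-preexec.test runs `rm -f $prefix/testdir/preexec_touch` three times without anything in this file verifying that $prefix is set; if basicsmb.fns fails to define it, the path collapses to /testdir/preexec_touch. Guard it with `${prefix:?}` or an explicit test, and quote the expansion. The PREEXEC and PREEXEC_close blocks are identical apart from the mode value and would read better as one helper function called twice. The PREEXEC_cl_fail case checks only that the listing is denied; asserting that preexec_touch is still absent afterwards would confirm that nothing ran.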
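Review bot: basicsmb.smb.conf.preexec_cl_fail.template is the only template in this patch that ends without a trailing newline (the "\ No newline at end of file" marker follows its `preexec = /bin/sh PREFIX/lib/preexec_does_not_exist` line). If the test setup concatenates templates or appends further parameters when it builds smb.conf, the next line would be joined onto the preexec command and the test would no longer exercise the path it names. Please add the final newline so it matches preexec_close.template.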