Diffstat (limited to 'docs/docbook/projdoc')
23 files changed, 1031 insertions, 747 deletions
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 887ecd74c2..3e34d53c0a 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -14,8 +14,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication again Windows2000 KDC. </para> -<para>Pieces you need before you begin:</para> -<para> +<para>Pieces you need before you begin: <simplelist> <member>a Windows 2000 server.</member> <member>samba 3.0 or higher.</member> @@ -27,8 +26,7 @@ Windows2000 KDC. <sect1> <title>Installing the required packages for Debian</title> -<para>On Debian you need to install the following packages:</para> -<para> +<para>On Debian you need to install the following packages: <simplelist> <member>libkrb5-dev</member> <member>krb5-user</member> @@ -39,8 +37,7 @@ Windows2000 KDC. <sect1> <title>Installing the required packages for RedHat</title> -<para>On RedHat this means you should have at least: </para> -<para> +<para>On RedHat this means you should have at least: <simplelist> <member>krb5-workstation (for kinit)</member> <member>krb5-libs (for linking with)</member> @@ -60,8 +57,7 @@ to get them off CD2.</para> <para>If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.</para> -<para>After you run configure make sure that include/config.h it - generates contains +<para>After you run configure make sure that include/config.h contains lines like this:</para> <para><programlisting> 
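Review bot: in the three list hunks of ADS-HOWTO.sgml (@@ -14,8, @@ -27,8 and @@ -39,8) the "</para>" / "<para>" pair in front of each "<simplelist>" is deleted so the list now opens inside the introductory paragraph, but none of the hunks adds a matching "</para>" after "</simplelist>"; unless a closing tag already follows the list in the unchanged part of the file, each paragraph is now unclosed and the SGML will not validate. Browsing-Quickguide.sgml in this same patch makes the equivalent change and adds an explicit "+</para>" after each list, which is the pattern to follow here. The @@ -60,8 rewording ("make sure that include/config.h contains lines like this") is a clear improvement over the garbled original sentence.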
@@ -90,10 +86,9 @@ In case samba can't figure out your ads server using your realm name, use the </programlisting> </para> -<para>You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above +<para>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above required options will change soon when we get better active directory integration.</para> </sect1> @@ -104,7 +99,7 @@ In case samba can't figure out your ads server using your realm name, use the <para>The minimal configuration for krb5.conf is:</para> <para><programlisting> -[realms] + [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server } @@ -133,7 +128,7 @@ to join the realm. <para> If all you want is kerberos support in smbclient then you can skip straight to step 5 now. Step 3 is only needed if you want kerberos -support for smbd and winbindd. +support in smbd. </para> </sect1> @@ -142,7 +137,9 @@ support for smbd and winbindd. <title>Create the computer account</title> <para> -As a user that has write permission on the Samba private directory +Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory (usually root) run: <command>net ads join</command> </para> 
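Review bot: the @@ -90,10 rewrite changes the stated authentication behaviour, not just the wording: the "-" text says older clients "will be authenticated as if security = domain", the "+" text says that with an smbpasswd file present Samba "will be able to fall back to normal password security for older clients". Domain-authenticated and locally-authenticated are different security outcomes; confirm which one smbd actually does in an ADS configuration before changing the text, because the new sentence invites an admin to rely on a local smbpasswd file as a fallback credential store. In @@ -133,7 "support for smbd and winbindd" becomes "support in smbd", so step 3 is no longer stated as a requirement for winbindd; if winbindd still needs it, readers who skip step 3 get a broken winbindd with no hint why. @@ -104,7 adds a leading space to "[realms]" inside "<programlisting>", where whitespace is rendered verbatim, so the krb5.conf sample will print mis-indented. The kinit prerequisite added in @@ -142,7 is a genuine fix to the procedure; rather than recommending "Administrator" outright, say that any account permitted to create computer accounts in the domain suffices, so sites are not pushed toward using the domain administrator credential for a routine join.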
@@ -152,6 +149,8 @@ As a user that has write permission on the Samba private directory <para> <variablelist> +<varlistentry><term>"bash: kinit: command not found"</term> +<listitem><para>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</para></listitem></varlistentry> <varlistentry><term>"ADS support not compiled in"</term> <listitem><para>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</para></listitem></varlistentry> </variablelist> diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index 0a5cf72038..8ecc795966 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -1,10 +1,9 @@ <chapter id="Browsing-Quick"> <chapterinfo> <author> - <firstname>John H</firstname><surname>Terpstra</surname> + <firstname>John</firstname><surname>Terpstra</surname> </author> <pubdate>July 5, 1998</pubdate> - <pubdate>Updated: March 15, 2003</pubdate> </chapterinfo> <title>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</title> 
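Review bot: @@ -1,10 in Browsing-Quickguide.sgml deletes the "<pubdate>Updated: March 15, 2003</pubdate>" line and changes the author's name back from "John H" to "John". Taken together with the content removals in the hunks that follow, this looks like an older copy of the file overwriting a newer revision rather than an intentional edit; please check the merge direction before this goes in. The new "bash: kinit: command not found" entry in @@ -152,6 of ADS-HOWTO.sgml is a useful addition and needs no change beyond a terminating period.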
@@ -17,22 +16,16 @@ of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address mapping. </para> -<para> -Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS -over TCP/IP. Samba-3 and later also supports this mode of operation. -</para> - - <sect1> <title>Discussion</title> <para> Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging may be implemented using NetBIOS or -without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP. -MS Windows products can do likewise. NetBIOS based networking uses broadcast -messaging to affect browse list management. When running NetBIOS over -TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast. +Block) based messaging. SMB messaging is implemented using NetBIOS. Samba +implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can +do likewise. NetBIOS based networking uses broadcast messaging to affect +browse list management. When running NetBIOS over TCP/IP this uses UDP +based messaging. UDP messages can be broadcast or unicast. </para> <para> 
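Review bot: this hunk removes the note that MS Windows 2000 and later, and Samba-3, can be configured with no NetBIOS over TCP/IP, and rewrites "SMB messaging may be implemented using NetBIOS or without NetBIOS" to the unconditional "SMB messaging is implemented using NetBIOS". The deleted statement is the accurate one for Samba-3, which the ADS-HOWTO.sgml chapter in this same patch documents, and it is the statement an admin needs when browsing fails on a network where NetBIOS has been turned off. Keep the "-" text.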
@@ -52,27 +45,20 @@ the "remote browse sync" parameters to your smb.conf file. </para> <para> -If only one WINS server is used for an entire multi-segment network then -the use of the "remote announce" and the "remote browse sync" parameters -should NOT be necessary. -</para> - -<para> -As of Samba-3 WINS replication is being worked on. The bulk of the code has -been committed, but it still needs maturation. +If only one WINS server is used then the use of the "remote announce" and the +"remote browse sync" parameters should NOT be necessary. </para> <para> -Right now samba WINS does not support MS-WINS replication. This means that -when setting up Samba as a WINS server there must only be one nmbd configured -as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used "remote browse -sync" and "remote announce" to affect browse list collation across all -segments. Note that this means clients will only resolve local names, -and must be configured to use DNS to resolve names on other subnets in -order to resolve the IP addresses of the servers they can see on other -subnets. This setup is not recommended, but is mentioned as a practical -consideration (ie: an 'if all else fails' scenario). +Samba WINS does not support MS-WINS replication. This means that when setting up +Samba as a WINS server there must only be one nmbd configured as a WINS server +on the network. Some sites have used multiple Samba WINS servers for redundancy +(one server per subnet) and then used "remote browse sync" and "remote announce" +to affect browse list collation across all segments. Note that this means +clients will only resolve local names, and must be configured to use DNS to +resolve names on other subnets in order to resolve the IP addresses of the +servers they can see on other subnets. This setup is not recommended, but is +mentioned as a practical consideration (ie: an 'if all else fails' scenario). 
</para> <para> @@ -140,9 +126,8 @@ simultaneously the LMB on it's network segment. <para> The syntax of the "remote browse sync" parameter is: - <programlisting> -remote browse sync = a.b.c.d + remote browse sync = a.b.c.d </programlisting> where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment. @@ -212,9 +197,8 @@ To configure Samba to register with a WINS server just add </para> <para> -<emphasis>DO NOT EVER</emphasis> use both "wins support = yes" together -with "wins server = a.b.c.d" particularly not using it's own IP address. -Specifying both will cause nmbd to refuse to start! +<emphasis>DO NOT EVER</emphasis> use both "wins support = yes" together with "wins server = a.b.c.d" +particularly not using it's own IP address. </para> </sect1> @@ -228,7 +212,7 @@ one protocol on an MS Windows machine. </para> <para> -Every NetBIOS machine takes part in a process of electing the LMB (and DMB) +Every NetBIOS machine take part in a process of electing the LMB (and DMB) every 15 minutes. A set of election criteria is used to determine the order of precidence for winning this election process. A machine running Samba or Windows NT will be biased so that the most suitable machine will predictably @@ -247,15 +231,6 @@ as an LMB and thus browse list operation on all TCP/IP only machines will fail. </para> -<para><emphasis> -Windows 95, 98, 98se, Me are referred to generically as Windows 9x. -The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly -referred to as the WinNT family, but it should be recognised that 2000 and -XP/2003 introduce new protocol extensions that cause them to behave -differently from MS Windows NT4. Generally, where a server does NOT support -the newer or extended protocol, these will fall back to the NT4 protocols. -</emphasis></para> - <para> The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! </para> 
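Review bot: @@ -212,9 drops the sentence "Specifying both will cause nmbd to refuse to start!", yet Browsing.sgml in this same patch (@@ -484,7) still says that setting both "wins support = yes" and "wins server" makes nmbd fail to start. The two chapters should agree, and the consequence is worth keeping because it is the symptom the admin will actually see. @@ -228,7 introduces a grammar error ("Every NetBIOS machine take part"); the removed "takes" was correct. @@ -140,9 adds a leading space to "remote browse sync = a.b.c.d" inside "<programlisting>", where it renders verbatim. @@ -247,15 removes the paragraph that defines the "Windows 9x" and "WinNT family" terms; if those terms are still used later in the chapter they are now undefined.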
@@ -268,35 +243,36 @@ The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! <para> Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information -are:</para> - +are: <simplelist> <member>WINS: the best tool!</member> <member>LMHOSTS: is static and hard to maintain.</member> <member>Broadcast: uses UDP and can not resolve names across remote segments.</member> </simplelist> +</para> <para> -Alternative means of name resolution includes:</para> +Alternative means of name resolution includes: <simplelist> <member>/etc/hosts: is static, hard to maintain, and lacks name_type info</member> <member>DNS: is a good choice but lacks essential name_type info.</member> </simplelist> +</para> <para> Many sites want to restrict DNS lookups and want to avoid broadcast name resolution traffic. The "name resolve order" parameter is of great help here. The syntax of the "name resolve order" parameter is: <programlisting> -name resolve order = wins lmhosts bcast host + name resolve order = wins lmhosts bcast host </programlisting> _or_ <programlisting> -name resolve order = wins lmhosts (eliminates bcast and host) + name resolve order = wins lmhosts (eliminates bcast and host) </programlisting> The default is: <programlisting> -name resolve order = host lmhost wins bcast + name resolve order = host lmhost wins bcast </programlisting>. where "host" refers the the native methods used by the Unix system to implement the gethostbyname() function call. This is normally diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml index aeb3b477c5..13d6fce917 100644 --- a/docs/docbook/projdoc/Browsing.sgml +++ b/docs/docbook/projdoc/Browsing.sgml 
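Review bot: the three "name resolve order" samples in this hunk gain a leading space inside "<programlisting>", where whitespace is rendered verbatim, so the examples will appear indented; strip it. Wrapping each "<simplelist>" in its "<para>" with an explicit "+</para>" is correct and is the pattern the ADS-HOWTO.sgml hunks in this patch should also use. In the unchanged context of the same hunk: "wins lmhosts (eliminates bcast and host)" puts prose inside a config sample that a reader may copy verbatim, the default is written as "lmhost" while the keyword used two samples earlier is "lmhosts", and a stray "." follows the last "</programlisting>".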
@@ -27,15 +27,8 @@ document. </para> <para> -MS Windows 2000 and later, as with Samba-3 and later, can be -configured to not use NetBIOS over TCP/IP. When configured this way -it is imperative that name resolution (using DNS/LDAP/ADS) be correctly -configured and operative. Browsing will NOT work if name resolution -from SMB machine names to IP addresses does not function correctly. -</para> - -<para> -Where NetBIOS over TCP/IP is enabled use of a WINS server is highly +Browsing will NOT work if name resolution from NetBIOS names to IP +addresses does not function correctly. Use of a WINS server is highly recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. WINS allows remote segment clients to obtain NetBIOS name_type information that can NOT be provided by any other means of name resolution. @@ -47,10 +40,14 @@ that can NOT be provided by any other means of name resolution. <title>Browsing support in samba</title> <para> -Samba facilitates browsing. The browsing is supported by nmbd +Samba now fully supports browsing. The browsing is supported by nmbd and is also controlled by options in the smb.conf file (see smb.conf(5)). +</para> + +<para> Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available. +for samba to support domain logons and scripts is now available. See +DOMAIN.txt for more information on domain logons. </para> <para> 
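Review bot: @@ -27,15 deletes the paragraph explaining that Windows 2000 and later, and Samba-3, can run without NetBIOS over TCP/IP and then depend entirely on DNS/LDAP/ADS name resolution, collapsing it into NetBIOS-only advice. Same concern as for Browsing-Quickguide.sgml: the removed text describes a supported mode and the troubleshooting hint that goes with it, and should stay. In @@ -47,10, "See DOMAIN.txt for more information on domain logons" points at a plain-text file; this diffstat is limited to docs/docbook/projdoc, so verify that file still exists or link the docbook chapter instead.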
@@ -71,12 +68,12 @@ that is providing this service. <para> [Note that nmbd can be configured as a WINS server, but it is not -necessary to specifically use samba as your WINS server. MS Windows -NT4, Server or Advanced Server 2000 or 2003 can be configured as -your WINS server. In a mixed NT/2000/2003 server and samba environment on -a Wide Area Network, it is recommended that you use the Microsoft -WINS server capabilities. In a samba-only environment, it is -recommended that you use one and only one Samba server as your WINS server. +necessary to specifically use samba as your WINS server. NTAS can +be configured as your WINS server. In a mixed NT server and +samba environment on a Wide Area Network, it is recommended that +you use the NT server's WINS server capabilities. In a samba-only +environment, it is recommended that you use one and only one nmbd +as your WINS server]. </para> <para> @@ -116,15 +113,6 @@ connection that lists the shares is done as guest, and thus you must have a valid guest account. </para> -<para><emphasis> -MS Windows 2000 and upwards (as with Samba) can be configured to disallow -anonymous (ie: Guest account) access to the IPC$ share. In that case, the -MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the -name of the currently logged in user to query the IPC$ share. MS Windows -9X clients are not able to do this and thus will NOT be able to browse -server resources. -</emphasis></para> - <para> Also, a lot of people are getting bitten by the problem of too many parameters on the command line of nmbd in inetd.conf. This trick is to 
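Review bot: @@ -116,15 removes the paragraph stating that Windows 2000 and later (and Samba) can disallow anonymous access to the IPC$ share, in which case the client queries with the logged-in user's name and Windows 9x clients cannot browse. That is the security-relevant complement to the preceding "you must have a valid guest account" requirement: it tells an admin that guest access to IPC$ can be refused, and what breaks when it is. Keep it. @@ -71,12 replaces "MS Windows NT4, Server or Advanced Server 2000 or 2003" with "NTAS" and "one and only one Samba server" with "one and only one nmbd"; the older product name is less clear to current readers.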
@@ -144,7 +132,7 @@ in smb.conf) <sect1> <title>Browsing across subnets</title> <para> -Since the release of Samba 1.9.17(alpha1) Samba has been +With the release of Samba 1.9.17(alpha1 and above) Samba has been updated to enable it to support the replication of browse lists across subnet boundaries. New code and options have been added to achieve this. This section describes how to set this feature up @@ -179,7 +167,8 @@ settings) for Samba this is in the smb.conf file. Cross subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several years to get the code that achieves this correct, and Samba lags behind in some areas. -Samba is capable of cross subnet browsing when configured correctly. +However, with the 1.9.17 release, Samba is capable of cross subnet +browsing when configured correctly. </para> <para> @@ -430,9 +419,9 @@ in the [globals] section add the line </para> <para> -Versions of Samba prior to 1.9.17 had this parameter default to +Versions of Samba previous to 1.9.17 had this parameter default to yes. If you have any older versions of Samba on your network it is -strongly suggested you upgrade to a recent version, or at the very +strongly suggested you upgrade to 1.9.17 or above, or at the very least set the parameter to 'no' on all these machines. </para> @@ -484,7 +473,7 @@ machine or its IP address. Note that this line MUST NOT BE SET in the smb.conf file of the Samba server acting as the WINS server itself. If you set both the "<command>wins support = yes</command>" option and the -"<command>wins server = <name></command>" option then +"<command>wins server = >name<</command>" option then nmbd will fail to start. </para> 
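Review bot: @@ -484,7 changes "<name>" to ">name<" inside "<command>wins server = ...</command>". The "-" form is wrong in SGML because "<name>" is parsed as an element start tag, but the "+" form renders literally as ">name<", which is also wrong; the correct spelling is "&lt;name&gt;". The three version hunks (@@ -144,7, @@ -179,7, @@ -430,9) reintroduce "1.9.17" as the reference release; in particular for @@ -430,9 the "-" wording "upgrade to a recent version" is better than "upgrade to 1.9.17 or above", since nobody should be told to upgrade to a 1.9.x release.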
@@ -549,12 +538,11 @@ server, if you require. <para> Next, you should ensure that each of the subnets contains a machine that can act as a local master browser for the -workgroup. Any MS Windows NT/2K/XP/2003 machine should be -able to do this, as will Windows 9x machines (although these -tend to get rebooted more often, so it's not such a good idea -to use these). To make a Samba server a local master browser -set the following options in the [global] section of the -smb.conf file : +workgroup. Any NT machine should be able to do this, as will +Windows 95 machines (although these tend to get rebooted more +often, so it's not such a good idea to use these). To make a +Samba server a local master browser set the following +options in the [global] section of the smb.conf file : </para> <para> @@ -606,7 +594,7 @@ you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a Domain name is also the Domain master browser for that name, and many things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC. +browser NetBIOS name (DOMAIN>1B<) with WINS instead of the PDC. </para> <para> @@ -673,8 +661,8 @@ samba systems!) </para> <para> -A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows -NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. +A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A +NTAS domain controller uses level 32. </para> <para>The maximum os level is 255</para> diff --git a/docs/docbook/projdoc/CVS-Access.sgml b/docs/docbook/projdoc/CVS-Access.sgml new file mode 100644 index 0000000000..98ef925f20 --- /dev/null +++ b/docs/docbook/projdoc/CVS-Access.sgml 
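Review bot: @@ -606,7 changes "DOMAIN<1B>" to "DOMAIN>1B<"; neither is right in SGML (the "-" form is a start tag, the "+" form renders as ">1B<"), so write "DOMAIN&lt;1B&gt;". @@ -549,12 and @@ -673,8 revert "NT/2K/XP/2003" and "MS Windows NT/2K Server" to "NT", "Windows 95" and "NTAS", so the local master browser and "os level" guidance now reads as if 2000, XP and 2003 did not exist.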
@@ -0,0 +1,157 @@ +<chapter id="cvs-access"> + + +<chapterinfo> + <author> + <affiliation> + <orgname>Samba Team</orgname> + </affiliation> + </author> + + + <pubdate> (22 May 2001) </pubdate> +</chapterinfo> + +<title>HOWTO Access Samba source code via CVS</title> + +<sect1> +<title>Introduction</title> + +<para> +Samba is developed in an open environment. Developers use CVS +(Concurrent Versioning System) to "checkin" (also known as +"commit") new source code. Samba's various CVS branches can +be accessed via anonymous CVS using the instructions +detailed in this chapter. +</para> + +<para> +This document is a modified version of the instructions found at +<ulink url="http://samba.org/samba/cvs.html">http://samba.org/samba/cvs.html</ulink> +</para> + +</sect1> + + +<sect1> +<title>CVS Access to samba.org</title> + +<para> +The machine samba.org runs a publicly accessible CVS +repository for access to the source code of several packages, +including samba, rsync and jitterbug. There are two main ways of +accessing the CVS server on this host. +</para> + +<sect2> +<title>Access via CVSweb</title> + +<para> +You can access the source code via your +favourite WWW browser. This allows you to access the contents of +individual files in the repository and also to look at the revision +history and commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository. +</para> + +<para> +Use the URL : <ulink +url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb</ulink> +</para> +</sect2> + +<sect2> +<title>Access via cvs</title> + +<para> +You can also access the source code via a +normal cvs client. This gives you much more control over you can +do with the repository and allows you to checkout whole source trees +and keep them up to date via normal cvs commands. This is the +preferred method of access if you are a developer and not +just a casual browser. 
+</para> + +<para> +To download the latest cvs source code, point your +browser at the URL : <ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>. +and click on the 'How to get cvs' link. CVS is free software under +the GNU GPL (as is Samba). Note that there are several graphical CVS clients +which provide a graphical interface to the sometimes mundane CVS commands. +Links to theses clients are also available from http://www.cyclic.com. +</para> + +<para> +To gain access via anonymous cvs use the following steps. +For this example it is assumed that you want a copy of the +samba source code. For the other source code repositories +on this system just substitute the correct package name +</para> + +<orderedlist> +<listitem> + <para> + Install a recent copy of cvs. All you really need is a + copy of the cvs client binary. + </para> +</listitem> + + +<listitem> + <para> + Run the command + </para> + + <para> + <command>cvs -d :pserver:cvs@samba.org:/cvsroot login</command> + </para> + + <para> + When it asks you for a password type <userinput>cvs</userinput>. + </para> +</listitem> + + +<listitem> + <para> + Run the command + </para> + + <para> + <command>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</command> + </para> + + <para> + This will create a directory called samba containing the + latest samba source code (i.e. the HEAD tagged cvs branch). This + currently corresponds to the 3.0 development tree. + </para> + + <para> + CVS branches other HEAD can be obtained by using the <parameter>-r</parameter> + and defining a tag name. A list of branch tag names can be found on the + "Development" page of the samba web site. A common request is to obtain the + latest 2.2 release code. This could be done by using the following command. 
+ </para> + + <para> + <command>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</command> + </para> +</listitem> + +<listitem> + <para> + Whenever you want to merge in the latest code changes use + the following command from within the samba directory: + </para> + + <para> + <command>cvs update -d -P</command> + </para> +</listitem> +</orderedlist> + +</sect2> +</sect1> + +</chapter> diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index b178bfd2c2..8a30a5527d 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml 
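Review bot: wording fixes for the new CVS-Access.sgml chapter: "much more control over you can do" should be "over what you can do", "Links to theses clients" should be "these", and "CVS branches other HEAD" should be "other than HEAD". The "cvs login" step gives the anonymous password as "cvs"; state whether that account is read-only anonymous access so nobody reads the login step as establishing a trusted session. The "(22 May 2001)" pubdate also predates the "3.0 development tree" the text says HEAD corresponds to, so refresh it.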
@@ -25,29 +25,79 @@ </chapterinfo> -<title>Samba as a NT4 or Win2k domain member</title> +<title>Samba as a NT4 domain member</title> <sect1> - <title>Joining an NT Domain with Samba 3.0</title> + <title>Joining an NT Domain with Samba 2.2</title> - <para>Assume you have a Samba 3.0 server with a NetBIOS name of - <constant>SERV1</constant> and are joining an or Win2k NT domain called + <para>Assume you have a Samba 2.x server with a NetBIOS name of + <constant>SERV1</constant> and are joining an NT domain called <constant>DOM</constant>, which has a PDC with a NetBIOS name of <constant>DOMPDC</constant> and two backup domain controllers with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2 </constant>.</para> - <para>Firstly, you must edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename> + <para>In order to join the domain, first stop all Samba daemons + and run the command:</para> + + <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC + -U<replaceable>Administrator%password</replaceable></userinput></para> + + <para>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <replaceable>Administrator%password</replaceable> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</para> + + <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput> + </para> + + <para>in your terminal window. See the <ulink url="smbpasswd.8.html"> + smbpasswd(8)</ulink> man page for more details.</para> + + <para>There is existing development code to join a domain + without having to create the machine trust account on the PDC + beforehand. 
This code will hopefully be available soon + in release branches as well.</para> + + <para>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</para> + + <para><filename>/usr/local/samba/private</filename></para> + + <para>In Samba 2.0.x, the filename looks like this:</para> + + <para><filename><replaceable><NT DOMAIN NAME></replaceable>.<replaceable><Samba + Server Name></replaceable>.mac</filename></para> + + <para>The <filename>.mac</filename> suffix stands for machine account + password file. So in our example above, the file would be called:</para> + + <para><filename>DOM.SERV1.mac</filename></para> + + <para>In Samba 2.2, this file has been replaced with a TDB + (Trivial Database) file named <filename>secrets.tdb</filename>. + </para> + + + <para>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</para> + + <para>Now, before restarting the Samba daemons you must + edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename> </ulink> file to tell Samba it should now use domain security.</para> <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> <parameter>security =</parameter></ulink> line in the [global] section of your smb.conf to read:</para> - <para><command>security = domain</command> or - <command>security = ads</command> depending on if the PDC is - NT4 or running Active Directory respectivly.</para> + <para><command>security = domain</command></para> <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter> workgroup =</parameter></ulink> line in the [global] section to read: </para> 
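Review bot: this hunk reverts the join procedure from "net join" to "smbpasswd -j" and reinstates "There is existing development code to join a domain without having to create the machine trust account on the PDC beforehand. This code will hopefully be available soon", while the "-" text of @@ -78,47 in the same file says that the net join process already does exactly that. Together with the title change to "Samba as a NT4 domain member" and the removal of the "security = ads" alternative, this reads as an older revision replacing a newer one; the ADS-HOWTO.sgml hunks in this same patch still document "net ads join", so the two chapters would now contradict each other. Both the old and the new text pass the credential as "-UAdministrator%password" on the command line, where it is visible in process listings and shell history; suggest showing "-UAdministrator" alone so the password is read from a prompt.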
@@ -78,47 +128,11 @@ <para><command>password server = *</command></para> - <para>This method, allows Samba to use exactly the same - mechanism that NT does. This + <para>This method, which was introduced in Samba 2.0.6, + allows Samba to use exactly the same mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against.</para> - <para>In order to actually join the domain, you must run this - command:</para> - - <para><prompt>root# </prompt><userinput>net join -S DOMPDC - -U<replaceable>Administrator%password</replaceable></userinput></para> - - <para>as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <replaceable>Administrator%password</replaceable> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</para> - - <para><computeroutput>Joined domain DOM.</computeroutput> - or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput> - </para> - - <para>in your terminal window. See the <ulink url="net.8.html"> - net(8)</ulink> man page for more details.</para> - - <para>This process joins the server to thedomain - without having to create the machine trust account on the PDC - beforehand.</para> - - <para>This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</para> - - <para><filename>/usr/local/samba/private/secrets.tdb</filename></para> - - <para>This file is created and owned by root and is not - readable by any other user. 
It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</para> - <para>Finally, restart your Samba daemons and get ready for clients to begin using domain security!</para> </sect1> @@ -130,8 +144,23 @@ <para> Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode. The steps above apply -to both NT4 and Windows 2000. +2000 domain operating in mixed or native mode. +</para> + +<para> +There is much confusion between the circumstances that require a "mixed" mode +Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode +Win2k domain controller is only needed if Windows NT BDCs must exist in the same +domain. By default, a Win2k DC in "native" mode will still support +NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and +NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server. +</para> + +<para> +The steps for adding a Samba 2.2 host to a Win2k domain are the same as those +for adding a Samba server to a Windows NT 4.0 domain. The only exception is that +the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and +Computers" MMC (Microsoft Management Console) plugin. </para> </sect1> 
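Review bot: @@ -130,8 adds the claim that "a Win2k DC in 'native' mode will still support NetBIOS and NTLMv1 for authentication of legacy clients" by default; this is security-relevant advice and should say where it comes from, since a domain that has restricted NTLMv1 will not behave as described, and "a when this host can be switched" has a stray "a". @@ -78,47 removes the net join steps and the secrets.tdb warning from this section; the "treated as carefully as a shadow password file" advice survives in the copy moved into @@ -25,29, so nothing is lost, but "introduced in Samba 2.0.6" is a version note the "-" text had dropped.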
@@ -176,7 +205,13 @@ to both NT4 and Windows 2000. <para>And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. </para> + as the user SID, the list of NT groups the user belongs to, etc. All + this information will allow Samba to be extended in the future into + a mode the developers currently call appliance mode. In this mode, + no local Unix users will be necessary, and Samba will generate Unix + uids and gids from the information passed back from the PDC when a + user is authenticated, making a Samba server truly plug and play + in an NT domain environment. Watch for this code soon.</para> <para><emphasis>NOTE:</emphasis> Much of the text of this document was first published in the Web magazine <ulink url="http://www.linuxworld.com"> diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 1e2e6d7598..8c1b784433 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -17,7 +17,7 @@ <pubdate>Wed Jan 15</pubdate> </chapterinfo> -<title>The samba checklist</title> +<title>Diagnosing your samba server</title> <sect1> <title>Introduction</title> diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml new file mode 100644 index 0000000000..f903d7d334 --- /dev/null +++ b/docs/docbook/projdoc/ENCRYPTION.sgml 
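Review bot: @@ -176,7 appends a promise of a future "appliance mode" ending with "Watch for this code soon", whereas the "-" side ends the paragraph at what the PDC actually returns. Forward-looking promises go stale in reference text and this one describes behaviour the document cannot yet document; keep the "-" version.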
@@ -0,0 +1,189 @@ +<chapter id="pwencrypt"> + + +<chapterinfo> + <author> + <firstname>Jeremy</firstname><surname>Allison</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jra@samba.org</email> + </address> + </affiliation> + </author> + + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jelmer@samba.org</email> + </address> + </affiliation> + </author> + + <pubdate>4 November 2002</pubdate> +</chapterinfo> + +<title>LanMan and NT Password Encryption in Samba</title> + + +<sect1> + <title>Introduction</title> + + <para>Newer windows clients send encrypted passwords over + the wire, instead of plain text passwords. The newest clients + will only send encrypted passwords and refuse to send plain text + passwords, unless their registry is tweaked.</para> + + <para>These passwords can't be converted to unix style encrypted + passwords. Because of that you can't use the standard unix + user database, and you have to store the Lanman and NT hashes + somewhere else. For more information, see the documentation + about the <command>passdb backend = </command> parameter. + </para> + +</sect1> + +<sect1> + <title>Important Notes About Security</title> + + <para>The unix and SMB password encryption techniques seem similar + on the surface. This similarity is, however, only skin deep. The unix + scheme typically sends clear text passwords over the network when + logging in. This is bad. The SMB encryption scheme never sends the + cleartext password over the network but it does store the 16 byte + hashed values on disk. This is also bad. Why? Because the 16 byte hashed + values are a "password equivalent". You cannot derive the user's + password from them, but they could potentially be used in a modified + client to gain access to a server. This would require considerable + technical knowledge on behalf of the attacker but is perfectly possible. 
+ You should thus treat the smbpasswd file as though it contained the + cleartext passwords of all your users. Its contents must be kept + secret, and the file should be protected accordingly.</para> + + <para>Ideally we would like a password scheme which neither requires + plain text passwords on the net or on disk. Unfortunately this + is not available as Samba is stuck with being compatible with + other SMB systems (WinNT, WfWg, Win95 etc). </para> + + <warning> + <para>Note that Windows NT 4.0 Service pack 3 changed the + default for permissible authentication so that plaintext + passwords are <emphasis>never</emphasis> sent over the wire. + The solution to this is either to switch to encrypted passwords + with Samba or edit the Windows NT registry to re-enable plaintext + passwords. See the document WinNT.txt for details on how to do + this.</para> + + <para>Other Microsoft operating systems which also exhibit + this behavior includes</para> + + <itemizedlist> + <listitem><para>MS DOS Network client 3.0 with + the basic network redirector installed</para></listitem> + + <listitem><para>Windows 95 with the network redirector + update installed</para></listitem> + + <listitem><para>Windows 98 [se]</para></listitem> + + <listitem><para>Windows 2000</para></listitem> + </itemizedlist> + + <para><emphasis>Note :</emphasis>All current release of + Microsoft SMB/CIFS clients support authentication via the + SMB Challenge/Response mechanism described here. Enabling + clear text authentication does not disable the ability + of the client to participate in encrypted authentication.</para> + </warning> + + <sect2> + <title>Advantages of SMB Encryption</title> + + <itemizedlist> + <listitem><para>plain text passwords are not passed across + the network. Someone using a network sniffer cannot just + record passwords going to the SMB server.</para> + </listitem> + + <listitem><para>WinNT doesn't like talking to a server + that isn't using SMB encrypted passwords. 
It will refuse + to browse the server if the server is also in user level + security mode. It will insist on prompting the user for the + password on each connection, which is very annoying. The + only things you can do to stop this is to use SMB encryption. + </para></listitem> + </itemizedlist> + </sect2> + + + <sect2> + <title>Advantages of non-encrypted passwords</title> + + <itemizedlist> + <listitem><para>plain text passwords are not kept + on disk. </para></listitem> + + <listitem><para>uses same password file as other unix + services such as login and ftp</para></listitem> + + <listitem><para>you are probably already using other + services (such as telnet and ftp) which send plain text + passwords over the net, so sending them for SMB isn't + such a big deal.</para></listitem> + </itemizedlist> + </sect2> +</sect1> + + +<sect1> + <title>The smbpasswd Command</title> + + <para>The smbpasswd command maintains the two 32 byte password fields + in the smbpasswd file. If you wish to make it similar to the unix + <command>passwd</command> or <command>yppasswd</command> programs, + install it in <filename>/usr/local/samba/bin/</filename> (or your + main Samba binary directory).</para> + + <para><command>smbpasswd</command> now works in a client-server mode + where it contacts the local smbd to change the user's password on its + behalf. 
This has enormous benefits - as follows.</para> + + <para><command>smbpasswd</command> now has the capability + to change passwords on Windows NT servers (this only works when + the request is sent to the NT Primary Domain Controller if you + are changing an NT Domain user's password).</para> + + <para>To run smbpasswd as a normal user just type :</para> + + <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para> + <para><prompt>Old SMB password: </prompt><userinput><type old value here - + or hit return if there was no old password></userinput></para> + <para><prompt>New SMB Password: </prompt><userinput><type new value> + </userinput></para> + <para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value + </userinput></para> + + <para>If the old value does not match the current value stored for + that user, or the two new values do not match each other, then the + password will not be changed.</para> + + <para>If invoked by an ordinary user it will only allow the user + to change his or her own Samba password.</para> + + <para>If run by the root user smbpasswd may take an optional + argument, specifying the user name whose SMB password you wish to + change. Note that when run as root smbpasswd does not prompt for + or check the old password value, thus allowing root to set passwords + for users who have forgotten their passwords.</para> + + <para><command>smbpasswd</command> is designed to work in the same way + and be familiar to UNIX users who use the <command>passwd</command> or + <command>yppasswd</command> commands.</para> + + <para>For more details on using <command>smbpasswd</command> refer + to the man page which will always be the definitive reference.</para> +</sect1> + +</chapter> diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 06c1d3a87e..6d5a019fcb 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml 
@@ -1,4 +1,3 @@ -<?xml version="1.0" encoding="iso8859-1"?> <chapter id="groupmapping"> <chapterinfo> <author> diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index a4e79fd42b..3b0faf81af 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -295,16 +295,16 @@ The following are typical NetBIOS name/service type registrations: <para><programlisting> Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser + MACHINENAME<00> = Server Service is running on MACHINENAME + MACHINENAME<03> = Generic Machine Name (NetBIOS name) + MACHINENAME<20> = LanMan Server service is running on MACHINENAME + WORKGROUP<1b> = Domain Master Browser Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers + WORKGROUP<03> = Generic Name registered by all members of WORKGROUP + WORKGROUP<1c> = Domain Controllers / Netlogon Servers + WORKGROUP<1d> = Local Master Browsers + WORKGROUP<1e> = Internet Name Resolvers </programlisting></para> <para> 
@@ -323,7 +323,7 @@ be needed. An example of this is what happens when an MS Windows client wants to locate a domain logon server. It find this service and the IP address of a server that provides it by performing a lookup (via a NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each +registered the name type *<1c>. A logon request is then sent to each IP address that is returned in the enumerated list of IP addresses. Which ever machine first replies then ends up providing the logon services. </para> diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml index 2843331519..2259dae029 100644 --- a/docs/docbook/projdoc/NT_Security.sgml +++ b/docs/docbook/projdoc/NT_Security.sgml @@ -31,6 +31,12 @@ the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</para> + + <para>In Samba 2.0.4 and above the default value of the + parameter <ulink url="smb.conf.5.html#NTACLSUPPORT"><parameter> + nt acl support</parameter></ulink> has been changed from + <constant>false</constant> to <constant>true</constant>, so + manipulation of permissions is turned on by default.</para> </sect1> <sect1> diff --git a/docs/docbook/projdoc/Other-Clients.sgml b/docs/docbook/projdoc/Other-Clients.sgml index 6ba04b01d3..f790024c3a 100644 --- a/docs/docbook/projdoc/Other-Clients.sgml +++ b/docs/docbook/projdoc/Other-Clients.sgml @@ -233,16 +233,6 @@ for use with <command>security = user</command> </sect2> -<sect2> -<title>Use TCP/IP as default protocol</title> - -<para>To support print queue reporting you may find -that you have to use TCP/IP as the default protocol under -WfWg. For some reason if you leave Netbeui as the default -it may break the print queue reporting on some systems. -It is presumably a WfWg bug.</para> - -</sect2> </sect1> <sect1> 
diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index dae267e8b5..afafacc5e4 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -175,16 +175,4 @@ Corrective Action: Delete the entry after the word loopback in the line starting 127.0.0.1 </para> </sect1> - -<sect1> -<title>AIX</title> -<sect2> -<title>Sequential Read Ahead</title> -<!-- From an email by William Jojo <jojowil@hvcc.edu> --> -<para> -Disabling Sequential Read Ahead using "vmtune -r 0" improves -samba performance significally. -</para> -</sect2> -</sect1> </chapter> diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index e3bee32db0..7653e3d1c0 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -128,7 +128,7 @@ the password change is done. <sect1> -<title>Can Samba be a Backup Domain Controller to an NT PDC?</title> +<title>Can Samba be a Backup Domain Controller?</title> <para> With version 2.2, no. The native NT SAM replication protocols have @@ -138,12 +138,6 @@ been finished for version 2.2. </para> <para> -With version 3.0, the work on both the replication protocols and a -suitable storage mechanism has progressed, and some form of NT4 BDC -support is expected soon. -</para> - -<para> Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to @@ -184,8 +178,7 @@ whenever changes are made, or the PDC is set up as a NIS master server and the BDC as a NIS slave server. To set up the BDC as a mere NIS client would not be enough, as the BDC would not be able to access its user database in case of a PDC failure. -</para> -</listitem> +</para></listitem> <listitem><para> The Samba password database in the file private/smbpasswd has to be 
@@ -243,15 +236,5 @@ password. </sect2> -<sect2> -<title>Can I do this all with LDAP?</title> -<para>The simple answer is YES. Samba's pdb_ldap code supports -binding to a replica LDAP server, and will also follow referrals and -rebind to the master if it ever needs to make a modification to the -database. (Normally BDCs are read only, so this will not occur -often). -</para> -</sect2> - </sect1> </chapter> diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml index 222b4010ab..f294ddd1ff 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml 
@@ -1,244 +1,27 @@ -<chapter id="passdb"> +<chapter id="samba-ldap-howto"> + <chapterinfo> <author> - <firstname>Jelmer</firstname><surname>Vernooij</surname> - <affiliation> - <orgname>The Samba Team</orgname> - <address><email>jelmer@samba.org</email></address> - </affiliation> - </author> - <author> <firstname>Gerald (Jerry)</firstname><surname>Carter</surname> <affiliation> <orgname>Samba Team</orgname> <address><email>jerry@samba.org</email></address> </affiliation> - </author> - <author> <firstname>Olivier (lem)</firstname><surname>Lemaire</surname> <affiliation> <orgname>IDEALX</orgname> <address><email>olem@IDEALX.org</email></address> </affiliation> </author> - <author> - <firstname>Jeremy</firstname><surname>Allison</surname> - <affiliation> - <orgname>Samba Team</orgname> - <address> - <email>jra@samba.org</email> - </address> - </affiliation> - </author> - <pubdate>February 2003</pubdate> -</chapterinfo> - -<title>User information database</title> - -<sect1> - <title>Introduction</title> - - <para>Old windows clients send plain text passwords over the wire. - Samba can check these passwords by crypting them and comparing them - to the hash stored in the unix user database. - </para> - - <para> - Newer windows clients send encrypted passwords (so-called - Lanman and NT hashes) over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked. - </para> - - <para>These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else. </para> - - <para>Next to a differently encrypted passwords, - windows also stores certain data for each user - that is not stored in a unix user database, e.g. - workstations the user may logon from, the location where his/her - profile is stored, etc. 
- Samba retrieves and stores this information using a "passdb backend". - Commonly - available backends are LDAP, plain text file, MySQL and nisplus. - For more information, see the documentation about the - <command>passdb backend = </command> parameter. - </para> -</sect1> - -<sect1> - <title>Important Notes About Security</title> - - <para>The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the data stored in whatever - passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.</para> - - <para>Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc). </para> - - <warning> - <para>Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are <emphasis>never</emphasis> sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. 
See the document WinNT.txt for details on how to do - this.</para> - - <para>Other Microsoft operating systems which also exhibit - this behavior includes</para> - - <simplelist> - <member>MS DOS Network client 3.0 with - the basic network redirector installed</member> - - <member>Windows 95 with the network redirector - update installed</member> - - <member>Windows 98 [se]</member> - - <member>Windows 2000</member> - </simplelist> - - <para><emphasis>Note :</emphasis>All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.</para> - </warning> - - <sect2> - <title>Advantages of SMB Encryption</title> - - <simplelist> - <member>plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.</member> - - <member>WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. - </member> - </simplelist> - </sect2> - - - <sect2> - <title>Advantages of non-encrypted passwords</title> - - <simplelist> - <member>plain text passwords are not kept - on disk. 
</member> - - <member>uses same password file as other unix - services such as login and ftp</member> - - <member>you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.</member> - </simplelist> - </sect2> -</sect1> -<sect1> - <title>The smbpasswd Command</title> - - <para>The smbpasswd utility is a utility similar to the - <command>passwd</command> or <command>yppasswd</command> programs. - It maintains the two 32 byte password fields - in the passdb backend. </para> - - <para><command>smbpasswd</command> works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.</para> - - <para><command>smbpasswd</command> has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).</para> - - <para>To run smbpasswd as a normal user just type :</para> - - <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para> - <para><prompt>Old SMB password: </prompt><userinput><type old value here - - or hit return if there was no old password></userinput></para> - <para><prompt>New SMB Password: </prompt><userinput><type new value> - </userinput></para> - <para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value - </userinput></para> - - <para>If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.</para> - - <para>If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.</para> - - <para>If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. 
Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.</para> - - <para><command>smbpasswd</command> is designed to work in the same way - and be familiar to UNIX users who use the <command>passwd</command> or - <command>yppasswd</command> commands.</para> - - <para>For more details on using <command>smbpasswd</command> refer - to the man page which will always be the definitive reference.</para> -</sect1> - -<!-- -<sect1> -<title>The <command>pdbedit</command> command</title> -FIXME -</sect1> ---> - -<sect1> -<title>Plain text</title> -<para> -Older versions of samba retrieved user information from the unix user database -and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename> -or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no -data is stored at all. -</para> -</sect1> + <pubdate> (13 Jan 2002) </pubdate> +</chapterinfo> -<sect1> -<title>TDB</title> -<para>Samba can also store the user data in a "TDB" (Trivial Database). Using this backend -doesn't require any additional configuration. This backend is recommended for new installations who -don't require LDAP. -</para> -</sect1> +<title>Storing Samba's User/Machine Account information in an LDAP Directory</title> <sect1> -<title>LDAP</title> - -<sect2> -<title>Introduction</title> +<title>Purpose</title> <para> This document describes how to use an LDAP directory for storing Samba user @@ -272,9 +55,10 @@ Two additional Samba resources which may prove to be helpful are </para></listitem> </itemizedlist> -</sect2> +</sect1> -<sect2> + +<sect1> <title>Introduction</title> <para> @@ -346,9 +130,9 @@ versions of these libraries can be obtained from PADL Software the details of configuring these packages are beyond the scope of this document. </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Supported LDAP Servers</title> <para> 
@@ -361,15 +145,20 @@ hard to fix. If you are so inclined, please be sure to forward all patches to <ulink url="jerry@samba.org">jerry@samba.org</ulink>. </para> -</sect2> +</sect1> -<sect2> + + + +<sect1> <title>Schema and Relationship to the RFC 2307 posixAccount</title> <para> -Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -<filename>examples/LDAP/samba.schema</filename>. The sambaAccount objectclass is given here: +Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in +<filename>examples/LDAP/samba.schema</filename>. (Note that this schema +file has been modified since the experimental support initially included +in 2.2.2). The sambaAccount objectclass is given here: </para> <para><programlisting> @@ -412,13 +201,13 @@ and functioning correctly. This division of information makes it possible to store all Samba account information in LDAP, but still maintain UNIX account information in NIS while the network is transitioning to a full LDAP infrastructure. </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Configuring Samba with LDAP</title> -<sect3> +<sect2> <title>OpenLDAP configuration</title> <para> @@ -477,10 +266,10 @@ index rid eq ##index cn eq ##index memberUid eq </programlisting></para> -</sect3> +</sect2> -<sect3> +<sect2> <title>Configuring Samba</title> <!--lem: <title>smb.conf LDAP parameters</title> --> @@ -541,11 +330,11 @@ use with an LDAP directory could appear as </programlisting></para> -</sect3> </sect2> +</sect1> -<sect2> +<sect1> <title>Accounts and Groups management</title> <para> 
@@ -564,15 +353,15 @@ file). </para> <para> -In Samba release 3.0, the group management system is based on posix -groups. This means that Samba make usage of the posixGroup objectclass. +In Samba release 2.2.3, the group management system is based on posix +groups. This meand that Samba make usage of the posixGroup objectclass. For now, there is no NT-like group system management (global and local groups). </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Security and sambaAccount</title> @@ -625,11 +414,11 @@ access to attrs=lmPassword,ntPassword </programlisting></para> -</sect2> +</sect1> -<sect2> +<sect1> <title>LDAP specials attributes for sambaAccounts</title> <para> @@ -722,11 +511,11 @@ something other than the default (e.g. \\MOBY\becky). </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Example LDIF Entries for a sambaAccount</title> 
@@ -781,189 +570,24 @@ pwdMustChange: 2147483647 ntPassword: 878D8014606CDA29677A44EFA1353FC7 </programlisting></para> -</sect2> -</sect1> -<sect1> -<title>MySQL</title> - -<sect2> -<title>Building</title> - -<para>To build the plugin, run <command>make bin/pdb_mysql.so</command> -in the <filename>source/</filename> directory of samba distribution. -</para> - -<para>Next, copy pdb_mysql.so to any location you want. I -strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para> - -</sect2> - -<sect2> -<title>Creating the database</title> - -<para> -You either can set up your own table and specify the field names to pdb_mysql (see below -for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename> -contains the correct queries to create the required tables. Use the command : - -<command>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> < <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></command> - -</para> -</sect2> - -<sect2> -<title>Configuring</title> - -<para>This plugin lacks some good documentation, but here is some short info:</para> - -<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>: -<programlisting> -passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins] -</programlisting> -</para> - -<para>The identifier can be any string you like, as long as it doesn't collide with -the identifiers of other plugins or other instances of pdb_mysql. If you -specify multiple pdb_mysql.so entries in 'passdb backend', you also need to -use different identifiers! -</para> - -<para> -Additional options can be given thru the smb.conf file in the [global] section. 
-</para> - -<para><programlisting> -identifier:mysql host - host name, defaults to 'localhost' -identifier:mysql password -identifier:mysql user - defaults to 'samba' -identifier:mysql database - defaults to 'samba' -identifier:mysql port - defaults to 3306 -identifier:table - Name of the table containing users -</programlisting></para> - -<warning> -<para> -Since the password for the mysql user is stored in the -smb.conf file, you should make the the smb.conf file -readable only to the user that runs samba. This is considered a security -bug and will be fixed soon. -</para> -</warning> - -<para>Names of the columns in this table(I've added column types those columns should have first):</para> - -<para><programlisting> -identifier:logon time column - int(9) -identifier:logoff time column - int(9) -identifier:kickoff time column - int(9) -identifier:pass last set time column - int(9) -identifier:pass can change time column - int(9) -identifier:pass must change time column - int(9) -identifier:username column - varchar(255) - unix username -identifier:domain column - varchar(255) - NT domain user is part of -identifier:nt username column - varchar(255) - NT username -identifier:fullname column - varchar(255) - Full name of user -identifier:home dir column - varchar(255) - Unix homedir path -identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') -identifier:logon script column - varchar(255) - Batch file to run on client side when logging on -identifier:profile path column - varchar(255) - Path of profile -identifier:acct desc column - varchar(255) - Some ASCII NT user data -identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) -identifier:unknown string column - varchar(255) - unknown string -identifier:munged dial column - varchar(255) - ? 
-identifier:uid column - int(9) - Unix user ID (uid) -identifier:gid column - int(9) - Unix user group (gid) -identifier:user sid column - varchar(255) - NT user SID -identifier:group sid column - varchar(255) - NT group ID -identifier:lanman pass column - varchar(255) - encrypted lanman password -identifier:nt pass column - varchar(255) - encrypted nt passwd -identifier:plain pass column - varchar(255) - plaintext password -identifier:acct control column - int(9) - nt user data -identifier:unknown 3 column - int(9) - unknown -identifier:logon divs column - int(9) - ? -identifier:hours len column - int(9) - ? -identifier:unknown 5 column - int(9) - unknown -identifier:unknown 6 column - int(9) - unknown -</programlisting></para> - -<para> -Eventually, you can put a colon (:) after the name of each column, which -should specify the column to update when updating the table. You can also -specify nothing behind the colon - then the data from the field will not be -updated. -</para> - -</sect2> - -<sect2> -<title>Using plaintext passwords or encrypted password</title> +</sect1> -<para> -I strongly discourage the use of plaintext passwords, however, you can use them: -</para> -<para> -If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. -</para> -<para> -If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. -</para> +<sect1> +<title>Comments</title> -</sect2> - -<sect2> -<title>Getting non-column data from the table</title> <para> -It is possible to have not all data in the database and making some 'constant'. -</para> +Please mail all comments regarding this HOWTO to <ulink +url="mailto:jerry@samba.org">jerry@samba.org</ulink>. This documents was +last updated to reflect the Samba 2.2.3 release. 
-<para> -For example, you can set 'identifier:fullname column' to : -<command>CONCAT(First_name,' ',Sur_name)</command> </para> -<para> -Or, set 'identifier:workstations column' to : -<command>NULL</command></para> - -<para>See the MySQL documentation for more language constructs.</para> -</sect2> </sect1> -<sect1> -<title>Passdb XML plugin</title> - -<sect2> -<title>Building</title> - -<para>This module requires libxml2 to be installed.</para> - -<para>To build pdb_xml, run: <command>make bin/pdb_xml.so</command> in -the directory <filename>source/</filename>. </para> - -</sect2> - -<sect2> -<title>Usage</title> - -<para>The usage of pdb_xml is pretty straightforward. To export data, use: - -<command>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</command> - -(where filename is the name of the file to put the data in) -</para> - -<para> -To import data, use: -<command>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</command> - -Where filename is the name to read the data from and current-pdb to put it in. -</para> -</sect2> -</sect1> </chapter> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index c0be81d989..7cf3e5735c 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -19,7 +19,7 @@ </chapterinfo> <title> -Samba as a NT4 or Win2k Primary Domain Controller +How to Configure Samba as a NT4 Primary Domain Controller </title> @@ -142,7 +142,7 @@ Implementing a Samba PDC can basically be divided into 2 broad steps. </para> -<orderedlist numeration="arabic"> +<orderedlist numeration="Arabic"> <listitem><para> Configuring the Samba PDC </para></listitem> @@ -426,7 +426,7 @@ be created manually. <para><programlisting> [global] - # <...remainder of parameters...> + # <...remainder of parameters...> add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> 
@@ -496,7 +496,7 @@ version of Windows. </para> <para> - A 'machine name' in (typically) <filename>/etc/passwd</filename> + A 'machine name' in (typically) <filename>/etc/passwd</> of the machine name with a '$' appended. FreeBSD (and other BSD systems?) won't create a user with a '$' in their name. </para> @@ -504,7 +504,7 @@ version of Windows. <para> The problem is only in the program used to make the entry, once made, it works perfectly. So create a user without the '$' and - use <command>vipw</command> to edit the entry, adding the '$'. Or create + use <command>vipw</> to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID ! </para> @@ -673,8 +673,8 @@ Here are some additional details: Policy Editor can be installed on an NT Workstation/Server, it will not work with NT policies because the registry key that are set by the policy templates. However, the files from the NT Server will run happily enough on an NTws. - You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. It is convenient - to put the two *.adm files in <filename>c:\winnt\inf</filename> which is where + You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient + to put the two *.adm files in <filename>c:\winnt\inf</> which is where the binary will look for them unless told otherwise. Note also that that directory is 'hidden'. </para> @@ -928,7 +928,7 @@ general SMB topics such as browsing.</para> <listitem><para>See how Scott Merrill simulates a BDC behavior at <ulink url="http://www.skippy.net/linux/smb-howto.html"> - http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem> + http://www.skippy.net/linux/smb-howto.html</>. </para></listitem> <listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba"> 
@@ -958,8 +958,8 @@ general SMB topics such as browsing.</para> <para> There are a number of Samba related mailing lists. Go to <ulink url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror - and then click on <command>Support</command> and then click on <command> - Samba related mailing lists</command>. + and then click on <command>Support</> and then click on <command> + Samba related mailing lists</>. </para> <para> @@ -1028,8 +1028,8 @@ general SMB topics such as browsing.</para> <para>To have your name removed from a samba mailing list, go to the same place you went to to get on it. Go to <ulink url="http://lists.samba.org/">http://lists.samba.org</ulink>, - click on your nearest mirror and then click on <command>Support</command> and - then click on <command> Samba related mailing lists</command>. Or perhaps see + click on your nearest mirror and then click on <command>Support</> and + then click on <command> Samba related mailing lists</>. Or perhaps see <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink> </para> @@ -1112,7 +1112,7 @@ worthwhile lookingat how a Windows 9x/ME client performs a logon: <listitem> <para> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -1704,7 +1704,7 @@ contrast to w95, where it _does_ transfer / update profiles correctly]. <sect1> <title> -DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba +DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba </title> <warning> diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index 5d0d388c08..1ff735a656 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml 
+++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml 
@@ -3,30 +3,81 @@ <title>How to Install and Test SAMBA</title> <sect1> - <title>Obtaining and installing samba</title> - - <para>Binary packages of samba are included in almost any Linux or - Unix distribution. There are also some packages available at - <ulink url="http://samba.org/">the samba homepage</ulink> - </para> - - <para>If you need to compile samba from source, check the - appropriate appendix chapter.</para> + <title>Read the man pages</title> + + <para>The man pages distributed with SAMBA contain + lots of useful info that will help to get you started. + If you don't know how to read man pages then try + something like:</para> + + <para><prompt>$ </prompt><userinput>man smbd.8</userinput> + or + <prompt>$ </prompt><userinput>nroff -man smbd.8 | more + </userinput> on older unixes.</para> + + <para>Other sources of information are pointed to + by the Samba web site,<ulink url="http://www.samba.org/"> + http://www.samba.org</ulink></para> </sect1> <sect1> - <title>Configuring samba</title> + <title>Building the Binaries</title> + + <para>To do this, first run the program <command>./configure + </command> in the source directory. This should automatically + configure Samba for your operating system. If you have unusual + needs then you may wish to run</para> + + <para><prompt>root# </prompt><userinput>./configure --help + </userinput></para> + + <para>first to see what special options you can enable. + Then executing</para> + + <para><prompt>root# </prompt><userinput>make</userinput></para> + + <para>will create the binaries. Once it's successfully + compiled you can use </para> + + <para><prompt>root# </prompt><userinput>make install</userinput></para> + + <para>to install the binaries and manual pages. 
You can + separately install the binaries and/or man pages using</para> + + <para><prompt>root# </prompt><userinput>make installbin + </userinput></para> + + <para>and</para> + + <para><prompt>root# </prompt><userinput>make installman + </userinput></para> - <para>Samba's configuration is stored in the smb.conf file, - that usually resides in <filename>/etc/samba/smb.conf</filename> - or <filename>/usr/local/samba/lib/smb.conf</filename>. You can either - edit this file yourself or do it using one of the many graphical - tools that are available, such as the web-based interface swat, that - is included with samba.</para> + <para>Note that if you are upgrading for a previous version + of Samba you might like to know that the old versions of + the binaries will be renamed with a ".old" extension. You + can go back to the previous version with</para> + + <para><prompt>root# </prompt><userinput>make revert + </userinput></para> -<sect2> - <title>Editing the smb.conf file</title> + <para>if you find this version a disaster!</para> +</sect1> + +<sect1> + <title>The all important step</title> + <para>At this stage you must fetch yourself a + coffee or other drink you find stimulating. Getting the rest + of the install right can sometimes be tricky, so you will + probably need it.</para> + + <para>If you have installed samba before then you can skip + this step.</para> +</sect1> + +<sect1> + <title>Create the smb configuration file. </title> + <para>There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them carefully so you can see how the options go together in @@ -59,8 +110,9 @@ <para>For more information about security settings for the [homes] share please refer to the document UNIX_SECURITY.txt.</para> +</sect1> -<sect3> +<sect1> <title>Test your config file with <command>testparm</command></title> 
@@ -75,27 +127,105 @@ <para>Always run testparm again when you change <filename>smb.conf</filename>!</para> -</sect3> -</sect2> +</sect1> + +<sect1> + <title>Starting the smbd and nmbd</title> + + <para>You must choose to start smbd and nmbd either + as daemons or from <command>inetd</command>. Don't try + to do both! Either you can put them in <filename> + inetd.conf</filename> and have them started on demand + by <command>inetd</command>, or you can start them as + daemons either from the command line or in <filename> + /etc/rc.local</filename>. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start + Samba. In many cases you must be root.</para> + + <para>The main advantage of starting <command>smbd</command> + and <command>nmbd</command> using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request.</para> <sect2> - <title>SWAT</title> - - <para> - SWAT is a web-based interface that helps you configure samba. - SWAT might not be available in the samba package on your platform, - but in a seperate package. Please read the swat manpage - on compiling, installing and configuring swat from source. - </para> - - <para>To launch SWAT just run your favorite web browser and - point it at "http://localhost:901/". Replace <replaceable>localhost</replaceable> with the name of the computer you are running samba on if you - are running samba on a different computer then your browser.</para> - - <para>Note that you can attach to SWAT from any IP connected - machine but connecting from a remote machine leaves your - connection open to password sniffing as passwords will be sent - in the clear over the wire. </para> + <title>Starting from inetd.conf</title> + + <para>NOTE; The following will be different if + you use NIS or NIS+ to distributed services maps.</para> + + <para>Look at your <filename>/etc/services</filename>. 
+ What is defined at port 139/tcp. If nothing is defined + then add a line like this:</para> + + <para><userinput>netbios-ssn 139/tcp</userinput></para> + + <para>similarly for 137/udp you should have an entry like:</para> + + <para><userinput>netbios-ns 137/udp</userinput></para> + + <para>Next edit your <filename>/etc/inetd.conf</filename> + and add two lines something like this:</para> + + <para><programlisting> + netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd + netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd + </programlisting></para> + + <para>The exact syntax of <filename>/etc/inetd.conf</filename> + varies between unixes. Look at the other entries in inetd.conf + for a guide.</para> + + <para>NOTE: Some unixes already have entries like netbios_ns + (note the underscore) in <filename>/etc/services</filename>. + You must either edit <filename>/etc/services</filename> or + <filename>/etc/inetd.conf</filename> to make them consistent.</para> + + <para>NOTE: On many systems you may need to use the + "interfaces" option in smb.conf to specify the IP address + and netmask of your interfaces. Run <command>ifconfig</command> + as root if you don't know what the broadcast is for your + net. <command>nmbd</command> tries to determine it at run + time, but fails on some unixes. See the section on "testing nmbd" + for a method of finding if you need to do this.</para> + + <para>!!!WARNING!!! Many unixes only accept around 5 + parameters on the command line in <filename>inetd.conf</filename>. + This means you shouldn't use spaces between the options and + arguments, or you should use a script, and start the script + from <command>inetd</command>.</para> + + <para>Restart <command>inetd</command>, perhaps just send + it a HUP. 
If you have installed an earlier version of <command> + nmbd</command> then you may need to kill nmbd as well.</para> + </sect2> + + <sect2> + <title>Alternative: starting it as a daemon</title> + + <para>To start the server as a daemon you should create + a script something like this one, perhaps calling + it <filename>startsmb</filename>.</para> + + <para><programlisting> + #!/bin/sh + /usr/local/samba/bin/smbd -D + /usr/local/samba/bin/nmbd -D + </programlisting></para> + + <para>then make it executable with <command>chmod + +x startsmb</command></para> + + <para>You can then run <command>startsmb</command> by + hand or execute it from <filename>/etc/rc.local</filename> + </para> + + <para>To kill it send a kill signal to the processes + <command>nmbd</command> and <command>smbd</command>.</para> + + <para>NOTE: If you use the SVR4 style init system then + you may like to look at the <filename>examples/svr4-startup</filename> + script to make Samba fit into that system.</para> </sect2> </sect1> @@ -150,8 +280,6 @@ <para>Try printing. eg:</para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>net use lpt1: \\servername\spoolservice</userinput></para> 
@@ -164,29 +292,90 @@ <sect1> <title>What If Things Don't Work?</title> - <para>Then you might read the file HOWTO chapter Diagnosis and the + <para>If nothing works and you start to think "who wrote + this pile of trash" then I suggest you do step 2 again (and + again) till you calm down.</para> + + <para>Then you might read the file DIAGNOSIS.txt and the FAQ. If you are still stuck then try the mailing list or newsgroup (look in the README for details). Samba has been successfully installed at thousands of sites worldwide, so maybe someone else has hit your problem and has overcome it. You could also use the WWW site to scan back issues of the samba-digest.</para> - <para>When you fix the problem <emphasis>please</emphasis> send some - updates of the documentation (or source code) to one of - the documentation maintainers or the list. - </para> + <para>When you fix the problem PLEASE send me some updates to the + documentation (or source code) so that the next person will find it + easier. </para> <sect2> + <title>Diagnosing Problems</title> + + <para>If you have installation problems then go to the + <ulink url="Diagnosis.html">Diagnosis</ulink> chapter to try to find the + problem.</para> + </sect2> + + <sect2> <title>Scope IDs</title> <para>By default Samba uses a blank scope ID. This means all your windows boxes must also have a blank scope ID. If you really want to use a non-blank scope ID then you will need to use the 'netbios scope' smb.conf option. - All your PCs will need to have the same setting for + All your PCs will need to have the same setting for this to work. I do not recommend scope IDs.</para> </sect2> + + <sect2> + <title>Choosing the Protocol Level</title> + + <para>The SMB protocol has many dialects. Currently + Samba supports 5, called CORE, COREPLUS, LANMAN1, + LANMAN2 and NT1.</para> + + <para>You can choose what maximum protocol to support + in the <filename>smb.conf</filename> file. 
The default is + NT1 and that is the best for the vast majority of sites.</para> + + <para>In older versions of Samba you may have found it + necessary to use COREPLUS. The limitations that led to + this have mostly been fixed. It is now less likely that you + will want to use less than LANMAN1. The only remaining advantage + of COREPLUS is that for some obscure reason WfWg preserves + the case of passwords in this protocol, whereas under LANMAN1, + LANMAN2 or NT1 it uppercases all passwords before sending them, + forcing you to use the "password level=" option in some cases.</para> + + <para>The main advantage of LANMAN2 and NT1 is support for + long filenames with some clients (eg: smbclient, Windows NT + or Win95). </para> + + <para>See the smb.conf(5) manual page for more details.</para> + + <para>Note: To support print queue reporting you may find + that you have to use TCP/IP as the default protocol under + WfWg. For some reason if you leave Netbeui as the default + it may break the print queue reporting on some systems. + It is presumably a WfWg bug.</para> + </sect2> + + <sect2> + <title>Printing from UNIX to a Client PC</title> + + <para>To use a printer that is available via a smb-based + server from a unix host with LPR you will need to compile the + smbclient program. You then need to install the script + "smbprint". Read the instruction in smbprint for more details. + </para> + + <para>There is also a SYSV style script that does much + the same thing called smbprint.sysv. It contains instructions.</para> + + <para>See the CUPS manual for information about setting up + printing from a unix host with CUPS to a smb-based server. </para> + </sect2> + <sect2> <title>Locking</title> 
@@ -243,5 +432,14 @@ <!-- FIXME: Sync this with oplocks.sgml --> </sect2> + + <sect2> + <title>Mapping Usernames</title> + + <para>If you have different usernames on the PCs and + the unix server then take a look at the "username map" option. + See the smb.conf man page for details.</para> + </sect2> + </sect1> </chapter> diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml index a86cd74235..6e1609460f 100644 --- a/docs/docbook/projdoc/msdfs_setup.sgml +++ b/docs/docbook/projdoc/msdfs_setup.sgml @@ -4,7 +4,7 @@ <author> <firstname>Shirish</firstname><surname>Kalele</surname> <affiliation> - <orgname>Samba Team & Veritas Software</orgname> + <orgname>Samba Team & Veritas Software</orgname> <address> <email>samba@samba.org</email> </address> diff --git a/docs/docbook/projdoc/pdb_mysql.sgml b/docs/docbook/projdoc/pdb_mysql.sgml new file mode 100644 index 0000000000..59a134a15f --- /dev/null +++ b/docs/docbook/projdoc/pdb_mysql.sgml 
@@ -0,0 +1,146 @@ +<chapter id="pdb-mysql"> +<chapterinfo> + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>The Samba Team</orgname> + <address><email>jelmer@samba.org</email></address> + </affiliation> + </author> + <pubdate>November 2002</pubdate> +</chapterinfo> + +<title>Passdb MySQL plugin</title> + +<sect1> +<title>Building</title> + +<para>To build the plugin, run <command>make bin/pdb_mysql.so</command> +in the <filename>source/</filename> directory of samba distribution. +</para> + +<para>Next, copy pdb_mysql.so to any location you want. I +strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para> + +</sect1> + +<sect1> +<title>Configuring</title> + +<para>This plugin lacks some good documentation, but here is some short info:</para> + +<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>: +<programlisting> +passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins] +</programlisting> +</para> + +<para>The identifier can be any string you like, as long as it doesn't collide with +the identifiers of other plugins or other instances of pdb_mysql. If you +specify multiple pdb_mysql.so entries in 'passdb backend', you also need to +use different identifiers! +</para> + +<para> +Additional options can be given thru the smb.conf file in the [global] section. +</para> + +<para><programlisting> +identifier:mysql host - host name, defaults to 'localhost' +identifier:mysql password +identifier:mysql user - defaults to 'samba' +identifier:mysql database - defaults to 'samba' +identifier:mysql port - defaults to 3306 +identifier:table - Name of the table containing users +</programlisting></para> + +<para> +<emphasis> +WARNING: since the password for the mysql user is stored in the +smb.conf file, you should make the the smb.conf file +readable only to the user that runs samba. 
This is considered a security +bug and will be fixed soon.</emphasis> +</para> + +<para>Names of the columns in this table(I've added column types those columns should have first):</para> + +<para><programlisting> +identifier:logon time column - int(9) +identifier:logoff time column - int(9) +identifier:kickoff time column - int(9) +identifier:pass last set time column - int(9) +identifier:pass can change time column - int(9) +identifier:pass must change time column - int(9) +identifier:username column - varchar(255) - unix username +identifier:domain column - varchar(255) - NT domain user is part of +identifier:nt username column - varchar(255) - NT username +identifier:fullname column - varchar(255) - Full name of user +identifier:home dir column - varchar(255) - Unix homedir path +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:profile path column - varchar(255) - Path of profile +identifier:acct desc column - varchar(255) - Some ASCII NT user data +identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:unknown string column - varchar(255) - unknown string +identifier:munged dial column - varchar(255) - ? +identifier:uid column - int(9) - Unix user ID (uid) +identifier:gid column - int(9) - Unix user group (gid) +identifier:user sid column - varchar(255) - NT user SID +identifier:group sid column - varchar(255) - NT group ID +identifier:lanman pass column - varchar(255) - encrypted lanman password +identifier:nt pass column - varchar(255) - encrypted nt passwd +identifier:plain pass column - varchar(255) - plaintext password +identifier:acct control column - int(9) - nt user data +identifier:unknown 3 column - int(9) - unknown +identifier:logon divs column - int(9) - ? +identifier:hours len column - int(9) - ? 
+identifier:unknown 5 column - int(9) - unknown +identifier:unknown 6 column - int(9) - unknown +</programlisting></para> + +<para> +Eventually, you can put a colon (:) after the name of each column, which +should specify the column to update when updating the table. You can also +specify nothing behind the colon - then the data from the field will not be +updated. +</para> + +</sect1> + +<sect1> +<title>Using plaintext passwords or encrypted password</title> + +<para> +I strongly discourage the use of plaintext passwords, however, you can use them: +</para> + +<para> +If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. +</para> + +<para> +If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. +</para> + +</sect1> + +<sect1> +<title>Getting non-column data from the table</title> + +<para> +It is possible to have not all data in the database and making some 'constant'. +</para> + +<para> +For example, you can set 'identifier:fullname column' to : +<command>CONCAT(First_name,' ',Sur_name)</command> +</para> + +<para> +Or, set 'identifier:workstations column' to : +<command>NULL</command></para> + +<para>See the MySQL documentation for more language constructs.</para> + +</sect1> +</chapter> diff --git a/docs/docbook/projdoc/pdb_xml.sgml b/docs/docbook/projdoc/pdb_xml.sgml new file mode 100644 index 0000000000..87afb7b401 --- /dev/null +++ b/docs/docbook/projdoc/pdb_xml.sgml 
@@ -0,0 +1,42 @@ +<chapter id="pdb-xml"> +<chapterinfo> + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>The Samba Team</orgname> + <address><email>jelmer@samba.org</email></address> + </affiliation> + </author> + <pubdate>November 2002</pubdate> +</chapterinfo> + +<title>Passdb XML plugin</title> + +<sect1> +<title>Building</title> + +<para>This module requires libxml2 to be installed.</para> + +<para>To build pdb_xml, run: <command>make bin/pdb_xml.so</command> in +the directory <filename>source/</filename>. </para> + +</sect1> + +<sect1> +<title>Usage</title> + +<para>The usage of pdb_xml is pretty straightforward. To export data, use: + +<command>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</command> + +(where filename is the name of the file to put the data in) +</para> + +<para> +To import data, use: +<command>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</command> + +Where filename is the name to read the data from and current-pdb to put it in. +</para> +</sect1> +</chapter> diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml index 8d15e437b2..7bca8dc6f5 100644 --- a/docs/docbook/projdoc/printer_driver2.sgml +++ b/docs/docbook/projdoc/printer_driver2.sgml @@ -409,8 +409,8 @@ echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP -touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 -chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 +touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 +chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 mkdir /var/spool/lpd/$2 chmod 700 /var/spool/lpd/$2 
@@ -757,7 +757,7 @@ be: /usr/bin/id -p >/tmp/tmp.print # we run the command and save the error messages # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print + /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print </programlisting></para> <para> diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index efb14d4b6c..8cf16478c8 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -1,5 +1,6 @@ <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [ <!ENTITY UNIX-INSTALL SYSTEM "UNIX_INSTALL.sgml"> +<!ENTITY ENCRYPTION SYSTEM "ENCRYPTION.sgml"> <!ENTITY MS-Dfs-Setup SYSTEM "msdfs_setup.sgml"> <!ENTITY PRINTER-DRIVER2 SYSTEM "printer_driver2.sgml"> <!ENTITY DOMAIN-MEMBER SYSTEM "DOMAIN_MEMBER.sgml"> @@ -7,8 +8,10 @@ <!ENTITY NT-Security SYSTEM "NT_Security.sgml"> <!ENTITY Samba-PDC-HOWTO SYSTEM "Samba-PDC-HOWTO.sgml"> <!ENTITY Samba-BDC-HOWTO SYSTEM "Samba-BDC-HOWTO.sgml"> +<!ENTITY CVS-Access SYSTEM "CVS-Access.sgml"> <!ENTITY IntegratingWithWindows SYSTEM "Integrating-with-Windows.sgml"> <!ENTITY Samba-PAM SYSTEM "PAM-Authentication-And-Samba.sgml"> +<!ENTITY Samba-LDAP SYSTEM "Samba-LDAP-HOWTO.sgml"> <!ENTITY Diagnosis SYSTEM "Diagnosis.sgml"> <!ENTITY BUGS SYSTEM "Bugs.sgml"> <!ENTITY SECURITY-LEVEL SYSTEM "security_level.sgml"> @@ -19,11 +22,9 @@ <!ENTITY Portability SYSTEM "Portability.sgml"> <!ENTITY Other-Clients SYSTEM "Other-Clients.sgml"> <!ENTITY ADS-HOWTO SYSTEM "ADS-HOWTO.sgml"> -<!ENTITY Passdb SYSTEM "passdb.sgml"> +<!ENTITY pdb-mysql SYSTEM "pdb_mysql.sgml"> +<!ENTITY pdb-xml SYSTEM "pdb_xml.sgml"> <!ENTITY VFS SYSTEM "VFS.sgml"> -<!ENTITY GroupProfiles SYSTEM "GroupProfiles.sgml"> -<!ENTITY SecuringSamba SYSTEM "securing-samba.sgml"> -<!ENTITY Compiling SYSTEM "Compiling.sgml"> ]> <book id="Samba-HOWTO-Collection"> 
@@ -77,8 +78,9 @@ and how to configure the parts of samba you will most likely need. PLEASE read this.</para> </partintro> &UNIX-INSTALL; +&BROWSING; &BROWSING-Quick; -&Passdb; +&ENCRYPTION; </part> <part id="type"> @@ -110,19 +112,19 @@ part each cover one specific feature.</para> &MS-Dfs-Setup; &PRINTER-DRIVER2; &WINBIND; -&BROWSING; +&pdb-mysql; +&pdb-xml; &VFS; +&Samba-LDAP; +&CVS-Access; &GROUP-MAPPING-HOWTO; &SPEED; -&GroupProfiles; -&SecuringSamba; </part> <part id="Appendixes"> <title>Appendixes</title> &Portability; &Other-Clients; -&Compiling; &BUGS; &Diagnosis; </part> diff --git a/docs/docbook/projdoc/upgrading-to-3.0.sgml b/docs/docbook/projdoc/upgrading-to-3.0.sgml index f227556151..5b6b8dd635 100644 --- a/docs/docbook/projdoc/upgrading-to-3.0.sgml +++ b/docs/docbook/projdoc/upgrading-to-3.0.sgml @@ -16,24 +16,4 @@ FIXME </sect1> -<sect1> -<title>Obsolete configuration options</title> - -<para> -In 3.0, the following configuration options have been removed. -</para> - -<simplelist> -<member>printer driver</member> -<member>printer driver file</member> -<member>printer driver location</member> -<member>use rhosts</member> -<member>postscript</member> -</simplelist> - -<para>The first three options have been replaced by new driver procedures. -Please read the printing documentation.</para> - -</sect1> - </chapter> diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 06579617f5..d2bfb8ab67 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -2,7 +2,6 @@ <chapterinfo> - <authorgroup> <author> <firstname>Tim</firstname><surname>Potter</surname> <affiliation> @@ -11,7 +10,7 @@ </affiliation> </author> <author> - <firstname>Andrew</firstname><surname>Tridgell</surname> + <firstname>Andrew</firstname><surname>Trigdell</surname> <affiliation> <orgname>Samba Team</orgname> <address><email>tridge@linuxcare.com.au</email></address> 
@@ -36,7 +35,6 @@ <address><email>jelmer@nl.linux.org</email></address> </affiliation> </author> - </authorgroup> <pubdate>27 June 2002</pubdate> </chapterinfo> @@ -175,7 +173,7 @@ <sect2> <title>Microsoft Remote Procedure Calls</title> - <para>Over the last few years, efforts have been underway + <para>Over the last two years, efforts have been underway by various Samba Team members to decode various aspects of the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network related operations between @@ -194,21 +192,6 @@ </sect2> <sect2> - <title>Microsoft Active Directory Services</title> - - <para> - Since late 2001, Samba has gained the ability to - interact with Microsoft Windows 2000 using its 'Native - Mode' protocols, rather than the NT4 RPC services. - Using LDAP and Kerberos, a domain member running - winbind can enumerate users and groups in exactly the - same way as a Win2k client would, and in so doing - provide a much more efficient and - effective winbind implementation. - </para> - </sect2> - - <sect2> <title>Name Service Switch</title> <para>The Name Service Switch, or NSS, is a feature that is @@ -481,7 +464,7 @@ whether or not you have previously built the Samba binaries. <prompt>root#</prompt> <command>autoconf</command> <prompt>root#</prompt> <command>make clean</command> <prompt>root#</prompt> <command>rm config.cache</command> -<prompt>root#</prompt> <command>./configure</command> +<prompt>root#</prompt> <command>./configure --with-winbind</command> <prompt>root#</prompt> <command>make</command> <prompt>root#</prompt> <command>make install</command> </programlisting></para> @@ -569,7 +552,7 @@ include the following entries in the [global] section: <para><programlisting> [global] - <...> + <...> # separate domain and username with '+', like DOMAIN+username <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = + # use uids from 10000 to 20000 for domain users 
@@ -599,7 +582,7 @@ a domain user who has administrative privileges in the domain. <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command> +<prompt>root#</prompt> <command>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</command> </para> @@ -750,7 +733,7 @@ start() { daemon /usr/local/samba/bin/winbindd RETVAL3=$? echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ RETVAL=1 return $RETVAL } @@ -777,7 +760,7 @@ stop() { echo -n $"Shutting down $KIND services: " killproc winbindd RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb echo "" return $RETVAL } @@ -808,7 +791,7 @@ killproc() { # kill the named process(es) pid=`/usr/bin/ps -e | /usr/bin/grep -w $1 | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid + [ "$pid" != "" ] && kill $pid } # Start/stop processes required for samba server @@ -1059,7 +1042,7 @@ annoying double prompts for passwords. </para> <para> -Now restart your Samba and try connecting through your application that you +Now restart your Samba & try connecting through your application that you configured in the pam.conf. </para> @@ -1080,7 +1063,7 @@ configured in the pam.conf. <itemizedlist> <listitem><para>Winbind is currently only available for - the Linux, Solaris and IRIX operating systems, although ports to other operating + the Linux operating system, although ports to other operating systems are certainly possible. For such ports to be feasible, we require the C library of the target operating system to support the Name Service Switch and Pluggable Authentication 
@@ -1096,8 +1079,7 @@ configured in the pam.conf. <listitem><para>Currently the winbind PAM module does not take into account possible workstation and logon time restrictions - that may be been set for Windows NT users, this is - instead up to the PDC to enforce.</para></listitem> + that may be been set for Windows NT users.</para></listitem> </itemizedlist> </sect1> |
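Review bot: In the Samba-PDC-HOWTO hunk at -142, `numeration="Arabic"` will not validate against the DocBook 4.1 DTD, whose `numeration` attribute only accepts the lowercase tokens `arabic`, `upperalpha`, `loweralpha`, `upperroman` and `lowerroman`; keep `numeration="arabic"`.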
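Review bot: In the Samba-PDC-HOWTO hunk at -426 the removed and added `# <...remainder of parameters...>` lines render identically here, so the change is invisible to a reviewer; if it replaces `&lt;` with a literal `<` inside `<programlisting>`, that breaks the SGML parse because `<` opens a tag, and the entity must stay. The same applies to the `&` in the msdfs_setup `<orgname>` hunk at -4, the `DOMAIN<1c>` line in the Samba-PDC-HOWTO hunk at -1112 and the `<...>` line in the winbind hunk at -569; please state in the commit message what actually changed on these lines.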
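Review bot: The Samba-PDC-HOWTO hunks at -496, -504, -673, -928, -958 and -1028 replace explicit end tags such as `</filename>`, `</command>` and `</ulink>` with the SGML null end tag `</>`. That form depends on SHORTTAG support and is not well-formed XML, so it breaks any XML-based build of these docs; keep the explicit end tags.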
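Review bot: In the UNIX_INSTALL hunk at -3, the new "Building the Binaries" section shows `./configure --help`, `./configure` and `make` behind a `root# ` prompt. Only `make install` (and `make installbin`, `make installman`, `make revert`) needs privilege; building as root is unnecessary and means a compile error or a bad Makefile rule runs with full privilege. Suggest a `$ ` prompt for the configure and make steps and `root# ` only for the install steps. The removed "check the appropriate appendix chapter" pointer also matches the removal of `&Compiling;` in samba-doc.sgml, so make sure no other chapter still refers to the compiling appendix.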
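Review bot: The UNIX_INSTALL hunk at -75 deletes the whole SWAT subsection, including the warning that "connecting from a remote machine leaves your connection open to password sniffing as passwords will be sent in the clear over the wire" and the pointer to the swat man page. If SWAT is documented elsewhere now, that cleartext-password warning needs to survive there; if not, this hunk removes the only place in the HOWTO that tells an administrator to use SWAT from localhost only.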
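Review bot: In the UNIX_INSTALL hunk at -75, the added "Starting from inetd.conf" text has "NOTE; The following will be different if you use NIS or NIS+ to distributed services maps"; it should read "NOTE: ... to distribute service maps". The later "See the section on "testing nmbd"" also has no section of that name in this file, so either link it to the Diagnosis chapter or drop the reference.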
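Review bot: In the UNIX_INSTALL hunk at -164, "I suggest you do step 2 again" points at a step number that no longer exists: the sections in this chapter are titled, not numbered, and the coffee section is the third `<sect1>`, so the reader cannot resolve it. The same hunk also sends the reader to "the file DIAGNOSIS.txt" in one paragraph and to `<ulink url="Diagnosis.html">` in the new "Diagnosing Problems" subsection; pick one target, preferably the ulink, since DIAGNOSIS.txt was the pre-DocBook name.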
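Review bot: In the new pdb_mysql.sgml (hunk at +1), the warning about the MySQL password living in smb.conf should give a concrete instruction (the owner and mode to set on smb.conf) rather than only "readable only to the user that runs samba", and "This is considered a security bug and will be fixed soon" is a promise that will go stale in a published HOWTO; replace it with a reference to wherever the fix is tracked or drop the sentence. The column-name options are clearly substituted verbatim into the generated SQL (the `CONCAT(First_name,' ',Sur_name)` and `NULL` examples only work because of that), so say so explicitly where the column list is introduced, and note that a quoting mistake there breaks every query. Smaller points: "Add a the following" and "make the the smb.conf file" are doubled words, "thru" should be "through", "Eventually, you can put a colon" means "Optionally" (the sentence describes an optional second column name, not something that happens later), and `[other-plugins]` in the `passdb backend` example reads like an smb.conf section header; mark it as a placeholder.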
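Review bot: In the new pdb_xml.sgml (hunk at +1), `pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename` writes the complete passdb record set, which for the backends described in the neighbouring pdb_mysql chapter includes the LanMan and NT password hashes, into an ordinary file; the usage text should tell the reader to create that file with restrictive permissions and remove it once the import is done. `current-pdb` in the import command is also left unexplained; give an example of what goes there (the backend string of the passdb being written to).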
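Review bot: In the printer_driver2 hunk at -757, `/usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print` is not valid redirection syntax in a Bourne shell (nor in csh, which uses `>>&`), so the example script fails on the line the text says to adapt; the removed and added lines also render identically here, so the change is invisible. Use `2>>/tmp/tmp.print` and say in the commit message what changed.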
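Review bot: The samba-doc.sgml hunks at -19, -77 and -110 drop `&SecuringSamba;`, `&GroupProfiles;`, `&Compiling;` and `&Passdb;` from the book. Removing the Securing Samba chapter in particular takes the only hardening guidance out of the HOWTO collection without a replacement; if this is a deliberate revert, say so in the commit message, otherwise keep the entity declarations and the `&SecuringSamba;` reference.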
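Review bot: The upgrading-to-3.0 hunk at -16 deletes the "Obsolete configuration options" list, which is the one place that tells an upgrading administrator that `use rhosts`, `postscript` and the three `printer driver` options no longer exist. An admin relying on `use rhosts` gets no notice that the option is ignored in 3.0; keep the list, or move it rather than delete it.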
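Review bot: The winbind.sgml hunk at -11 introduces a misspelling: `<surname>Tridgell</surname>` becomes `<surname>Trigdell</surname>`, while the unchanged `tridge@linuxcare.com.au` address in the same hunk confirms the original spelling. Keep "Tridgell".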
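Review bot: The winbind.sgml hunk at -175 changes "Over the last few years" to "Over the last two years", reintroducing a phrase that dates the text; and the hunk at -194 deletes the "Microsoft Active Directory Services" subsection, which was the only description of winbind using LDAP and Kerberos against Windows 2000 in native mode. If these are an intentional revert, the commit message should say so; otherwise keep the subsection.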
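Review bot: In the winbind.sgml hunk at -808, the init script's `killproc()` finds the pid with `ps -e | grep -w $1`, which matches any process whose `ps` line contains the word and then runs `kill $pid` on every match; on a host with an unrelated process of a similar name, stopping Samba kills the wrong thing. Suggest tracking the pid files smbd, nmbd and winbindd write, or at least quoting `"$pid"` and matching on the full command path. The hunks at -750 and -777 render as identical lines, so note the whitespace change in the commit message.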
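Review bot: In the winbind.sgml hunk at -1059, "Now restart your Samba & try connecting" puts a raw `&` in SGML text, which the parser reads as the start of an entity reference; use `&amp;` or, better, keep the original "and".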
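Review bot: The winbind.sgml hunk at -1080 narrows "the Linux, Solaris and IRIX operating systems" to "the Linux operating system", which contradicts the platform list the previous text carried; confirm the narrower claim is intended before merging, since the sentence is what readers use to decide whether winbind applies to their system.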
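Review bot: The winbind.sgml hunk at -1096 drops "this is instead up to the PDC to enforce", which told the reader that workstation and logon-time restrictions are still enforced, only not by the winbind PAM module; without it the item reads as if those restrictions are silently lost. Keep the clause, and fix "may be been set" to "may have been set" while touching the line.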