Diffstat (limited to 'docs/docbook/projdoc')

-rw-r--r--  docs/docbook/projdoc/ADS-HOWTO.sgml               |  29
-rw-r--r--  docs/docbook/projdoc/Browsing-Quickguide.sgml     |  80
-rw-r--r--  docs/docbook/projdoc/Browsing.sgml                |  68
-rw-r--r--  docs/docbook/projdoc/CVS-Access.sgml              | 157
-rw-r--r--  docs/docbook/projdoc/DOMAIN_MEMBER.sgml           | 133
-rw-r--r--  docs/docbook/projdoc/Diagnosis.sgml               |   2
-rw-r--r--  docs/docbook/projdoc/ENCRYPTION.sgml              | 189
-rw-r--r--  docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml     |   1
-rw-r--r--  docs/docbook/projdoc/Integrating-with-Windows.sgml |  18
-rw-r--r--  docs/docbook/projdoc/NT_Security.sgml             |   6
-rw-r--r--  docs/docbook/projdoc/Other-Clients.sgml           |  10
-rw-r--r--  docs/docbook/projdoc/Portability.sgml             |  12
-rw-r--r--  docs/docbook/projdoc/Samba-BDC-HOWTO.sgml         |  21
-rw-r--r--  docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml        | 593
-rw-r--r--  docs/docbook/projdoc/Samba-PDC-HOWTO.sgml         | 188
-rw-r--r--  docs/docbook/projdoc/UNIX_INSTALL.sgml            | 290
-rw-r--r--  docs/docbook/projdoc/msdfs_setup.sgml             |   2
-rw-r--r--  docs/docbook/projdoc/pdb_mysql.sgml               | 146
-rw-r--r--  docs/docbook/projdoc/pdb_xml.sgml                 |  42
-rw-r--r--  docs/docbook/projdoc/printer_driver2.sgml         |   6
-rw-r--r--  docs/docbook/projdoc/samba-doc.sgml               |  26
-rw-r--r--  docs/docbook/projdoc/security_level.sgml          |   2
-rw-r--r--  docs/docbook/projdoc/upgrading-to-3.0.sgml        |  20
-rw-r--r--  docs/docbook/projdoc/winbind.sgml                 |  90

24 files changed, 1652 insertions, 479 deletions
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml
index 887ecd74c2..3e34d53c0a 100644
--- a/docs/docbook/projdoc/ADS-HOWTO.sgml
+++ b/docs/docbook/projdoc/ADS-HOWTO.sgml
@@ -14,8 +14,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication again
Windows2000 KDC.
</para>
-<para>Pieces you need before you begin:</para>
-<para>
+<para>Pieces you need before you begin:
<simplelist>
<member>a Windows 2000 server.</member>
<member>samba 3.0 or higher.</member>
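Review bot: merging the lead-in sentence into the <para> that now wraps <simplelist> requires a matching </para> after </simplelist>, which is outside this hunk's context; please confirm the chapter still validates, since the same edit pattern is applied in the next two hunks. Keeping the sentence in its own <para> was harmless, so if validation is in any doubt the cosmetic change is not worth it.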
@@ -27,8 +26,7 @@ Windows2000 KDC.
<sect1>
<title>Installing the required packages for Debian</title>
-<para>On Debian you need to install the following packages:</para>
-<para>
+<para>On Debian you need to install the following packages:
<simplelist>
<member>libkrb5-dev</member>
<member>krb5-user</member>
@@ -39,8 +37,7 @@ Windows2000 KDC.
<sect1>
<title>Installing the required packages for RedHat</title>
-<para>On RedHat this means you should have at least: </para>
-<para>
+<para>On RedHat this means you should have at least:
<simplelist>
<member>krb5-workstation (for kinit)</member>
<member>krb5-libs (for linking with)</member>
@@ -60,8 +57,7 @@ to get them off CD2.</para>
<para>If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR.</para>
-<para>After you run configure make sure that include/config.h it
- generates contains
+<para>After you run configure make sure that include/config.h contains
lines like this:</para>
<para><programlisting>
@@ -90,10 +86,9 @@ In case samba can't figure out your ads server using your realm name, use the
</programlisting>
</para>
-<para>You do *not* need a smbpasswd file, and older clients will
- be authenticated as if "security = domain", although it won't do any harm
- and allows you to have local users not in the domain.
- I expect that the above
+<para>You do *not* need a smbpasswd file, although it won't do any harm
+ and if you have one then Samba will be able to fall back to normal
+ password security for older clients. I expect that the above
required options will change soon when we get better active
directory integration.</para>
</sect1>
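Review bot: the replacement wording "Samba will be able to fall back to normal password security for older clients" is less precise than the text it removes and can be read as saying non-Kerberos clients are checked against the local smbpasswd file. With security = ads, NTLM logons from older clients are still passed through to the domain controller; an smbpasswd file only adds local accounts that are not in the domain, which is what the removed sentence stated. Suggest keeping the original wording, or saying explicitly that local accounts are in addition to, not instead of, domain authentication.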
@@ -104,7 +99,7 @@ In case samba can't figure out your ads server using your realm name, use the
<para>The minimal configuration for krb5.conf is:</para>
<para><programlisting>
-[realms]
+ [realms]
YOUR.KERBEROS.REALM = {
kdc = your.kerberos.server
}
@@ -133,7 +128,7 @@ to join the realm.
<para>
If all you want is kerberos support in smbclient then you can skip
straight to step 5 now. Step 3 is only needed if you want kerberos
-support for smbd and winbindd.
+support in smbd.
</para>
</sect1>
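Review bot: dropping "and winbindd" narrows the statement: winbindd also uses the machine account created in step 3 when it talks to an ADS domain, so a reader who only runs winbindd would wrongly skip that step. Unless the intent is to describe a release in which winbindd has no ADS support, keep "for smbd and winbindd".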
@@ -142,7 +137,9 @@ support for smbd and winbindd.
<title>Create the computer account</title>
<para>
-As a user that has write permission on the Samba private directory
+Do a "kinit" as a user that has authority to change arbitrary
+passwords on the KDC ("Administrator" is a good choice). Then as a
+user that has write permission on the Samba private directory
(usually root) run:
<command>net ads join</command>
</para>
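Review bot: "a user that has authority to change arbitrary passwords on the KDC" overstates what net ads join needs, and pointing people at "Administrator" encourages an over-privileged credential. The join creates or resets one computer account, so an account delegated the right to create computer objects in the target container is enough; suggest saying that and mentioning Administrator only as the fallback. It is also worth adding that the kinit ticket cache is left on the Samba host as root and should be removed with kdestroy once the join has succeeded.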
@@ -152,6 +149,8 @@ As a user that has write permission on the Samba private directory
<para>
<variablelist>
+<varlistentry><term>"bash: kinit: command not found"</term>
+<listitem><para>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</para></listitem></varlistentry>
<varlistentry><term>"ADS support not compiled in"</term>
<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</para></listitem></varlistentry>
</variablelist>
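Review bot: the new "kinit: command not found" entry is a useful addition, but "it won't be in the path until you log in again" sends the reader round a full logout; suggest also saying they can run /usr/kerberos/bin/kinit directly or add that directory to PATH for the current shell. The <listitem> line is also one very long line and should be wrapped like the rest of the file.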
diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml
index 0a5cf72038..8ecc795966 100644
--- a/docs/docbook/projdoc/Browsing-Quickguide.sgml
+++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml
@@ -1,10 +1,9 @@
<chapter id="Browsing-Quick">
<chapterinfo>
<author>
- <firstname>John H</firstname><surname>Terpstra</surname>
+ <firstname>John</firstname><surname>Terpstra</surname>
</author>
<pubdate>July 5, 1998</pubdate>
- <pubdate>Updated: March 15, 2003</pubdate>
</chapterinfo>
<title>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</title>
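Review bot: the second <pubdate> ("Updated: March 15, 2003") is removed along with the author's middle initial, which loses the revision date for this chapter. If the chapter content is being rolled back, the date should still reflect the last edit; otherwise keep the "Updated" line.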
@@ -17,22 +16,16 @@ of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling
except by way of name to address mapping.
</para>
-<para>
-Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS
-over TCP/IP. Samba-3 and later also supports this mode of operation.
-</para>
-
-
<sect1>
<title>Discussion</title>
<para>
Firstly, all MS Windows networking is based on SMB (Server Message
-Block) based messaging. SMB messaging may be implemented using NetBIOS or
-without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP.
-MS Windows products can do likewise. NetBIOS based networking uses broadcast
-messaging to affect browse list management. When running NetBIOS over
-TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast.
+Block) based messaging. SMB messaging is implemented using NetBIOS. Samba
+implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can
+do likewise. NetBIOS based networking uses broadcast messaging to affect
+browse list management. When running NetBIOS over TCP/IP this uses UDP
+based messaging. UDP messages can be broadcast or unicast.
</para>
<para>
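Review bot: the new sentence "SMB messaging is implemented using NetBIOS" is wrong for Windows 2000 and later, which can carry SMB directly over TCP port 445 with no NetBIOS layer, and the paragraph removed just above this one said exactly that. Restoring the older text reintroduces the error; if the goal is to describe only the NetBIOS case, say "in the configuration described here, SMB is carried over NetBIOS" rather than stating it as general fact.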
@@ -52,27 +45,20 @@ the "remote browse sync" parameters to your smb.conf file.
</para>
<para>
-If only one WINS server is used for an entire multi-segment network then
-the use of the "remote announce" and the "remote browse sync" parameters
-should NOT be necessary.
-</para>
-
-<para>
-As of Samba-3 WINS replication is being worked on. The bulk of the code has
-been committed, but it still needs maturation.
+If only one WINS server is used then the use of the "remote announce" and the
+"remote browse sync" parameters should NOT be necessary.
</para>
<para>
-Right now samba WINS does not support MS-WINS replication. This means that
-when setting up Samba as a WINS server there must only be one nmbd configured
-as a WINS server on the network. Some sites have used multiple Samba WINS
-servers for redundancy (one server per subnet) and then used "remote browse
-sync" and "remote announce" to affect browse list collation across all
-segments. Note that this means clients will only resolve local names,
-and must be configured to use DNS to resolve names on other subnets in
-order to resolve the IP addresses of the servers they can see on other
-subnets. This setup is not recommended, but is mentioned as a practical
-consideration (ie: an 'if all else fails' scenario).
+Samba WINS does not support MS-WINS replication. This means that when setting up
+Samba as a WINS server there must only be one nmbd configured as a WINS server
+on the network. Some sites have used multiple Samba WINS servers for redundancy
+(one server per subnet) and then used "remote browse sync" and "remote announce"
+to affect browse list collation across all segments. Note that this means
+clients will only resolve local names, and must be configured to use DNS to
+resolve names on other subnets in order to resolve the IP addresses of the
+servers they can see on other subnets. This setup is not recommended, but is
+mentioned as a practical consideration (ie: an 'if all else fails' scenario).
</para>
<para>
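Review bot: the rewrap drops "for an entire multi-segment network", so "If only one WINS server is used" no longer says over what scope, and it drops the sentence recording that WINS replication is being worked on. The scope qualifier matters because the next paragraph tells sites running one Samba WINS server per subnet to use "remote browse sync"; suggest keeping the phrase. Unrelated but on a touched line: "affect browse list collation" should be "effect" (the parameters bring it about, they do not influence it).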
@@ -140,9 +126,8 @@ simultaneously the LMB on it's network segment.
<para>
The syntax of the "remote browse sync" parameter is:
-
<programlisting>
-remote browse sync = a.b.c.d
+ remote browse sync = a.b.c.d
</programlisting>
where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.
@@ -212,9 +197,8 @@ To configure Samba to register with a WINS server just add
</para>
<para>
-<emphasis>DO NOT EVER</emphasis> use both "wins support = yes" together
-with "wins server = a.b.c.d" particularly not using it's own IP address.
-Specifying both will cause nmbd to refuse to start!
+<emphasis>DO NOT EVER</emphasis> use both "wins support = yes" together with "wins server = a.b.c.d"
+particularly not using it's own IP address.
</para>
</sect1>
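Review bot: removing "Specifying both will cause nmbd to refuse to start!" takes away the reason for the warning, and the Browsing.sgml hunk in this same patch still says nmbd will fail to start in that case, so the two chapters now differ. Keep the consequence here; a reader who ignores "DO NOT EVER" needs to know what will actually happen. Also "it's own IP address" should be "its".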
@@ -228,7 +212,7 @@ one protocol on an MS Windows machine.
</para>
<para>
-Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
+Every NetBIOS machine take part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precidence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
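Review bot: "Every NetBIOS machine take part" is a subject-verb agreement regression; the line being replaced ("takes part") was correct. "precidence" two lines below should be "precedence".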
@@ -247,15 +231,6 @@ as an LMB and thus browse list operation on all TCP/IP only machines will
fail.
</para>
-<para><emphasis>
-Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
-The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
-referred to as the WinNT family, but it should be recognised that 2000 and
-XP/2003 introduce new protocol extensions that cause them to behave
-differently from MS Windows NT4. Generally, where a server does NOT support
-the newer or extended protocol, these will fall back to the NT4 protocols.
-</emphasis></para>
-
<para>
The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
</para>
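Review bot: the removed paragraph is the only place the chapter defines the shorthand "Windows 9x" and the "WinNT family", and it records that 2000/XP/2003 fall back to NT4 protocols against servers that lack the newer extensions. Check that no later text in the chapter still relies on those terms; if any does, keep the definition.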
@@ -268,35 +243,36 @@ The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
<para>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
-are:</para>
-
+are:
<simplelist>
<member>WINS: the best tool!</member>
<member>LMHOSTS: is static and hard to maintain.</member>
<member>Broadcast: uses UDP and can not resolve names across remote segments.</member>
</simplelist>
+</para>
<para>
-Alternative means of name resolution includes:</para>
+Alternative means of name resolution includes:
<simplelist>
<member>/etc/hosts: is static, hard to maintain, and lacks name_type info</member>
<member>DNS: is a good choice but lacks essential name_type info.</member>
</simplelist>
+</para>
<para>
Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The "name resolve order" parameter is of great help here.
The syntax of the "name resolve order" parameter is:
<programlisting>
-name resolve order = wins lmhosts bcast host
+ name resolve order = wins lmhosts bcast host
</programlisting>
_or_
<programlisting>
-name resolve order = wins lmhosts (eliminates bcast and host)
+ name resolve order = wins lmhosts (eliminates bcast and host)
</programlisting>
The default is:
<programlisting>
-name resolve order = host lmhost wins bcast
+ name resolve order = host lmhost wins bcast
</programlisting>.
where "host" refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
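Review bot: the default line "name resolve order = host lmhost wins bcast" is being touched but keeps "lmhost", which is not a valid method name (the two examples above it correctly use "lmhosts"). Please also verify the order against smb.conf(5), which documents the default as "lmhosts host wins bcast", so the order shown here looks wrong as well. Moving the </para> closers outside the two <simplelist>s is a good fix.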
diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml
index aeb3b477c5..13d6fce917 100644
--- a/docs/docbook/projdoc/Browsing.sgml
+++ b/docs/docbook/projdoc/Browsing.sgml
@@ -27,15 +27,8 @@ document.
</para>
<para>
-MS Windows 2000 and later, as with Samba-3 and later, can be
-configured to not use NetBIOS over TCP/IP. When configured this way
-it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
-configured and operative. Browsing will NOT work if name resolution
-from SMB machine names to IP addresses does not function correctly.
-</para>
-
-<para>
-Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
+Browsing will NOT work if name resolution from NetBIOS names to IP
+addresses does not function correctly. Use of a WINS server is highly
recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
WINS allows remote segment clients to obtain NetBIOS name_type information
that can NOT be provided by any other means of name resolution.
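Review bot: same problem as in the Browsing-Quickguide hunk: removing the paragraph about running without NetBIOS over TCP/IP and rewording to "name resolution from NetBIOS names" makes the chapter wrong for Windows 2000 and later, where browsing depends on DNS/ADS resolution once NetBIOS is disabled. If older text is being restored, at least keep a one-line note that the NetBIOS-only description does not apply when NetBIOS over TCP/IP is switched off.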
@@ -47,10 +40,14 @@ that can NOT be provided by any other means of name resolution.
<title>Browsing support in samba</title>
<para>
-Samba facilitates browsing. The browsing is supported by nmbd
+Samba now fully supports browsing. The browsing is supported by nmbd
and is also controlled by options in the smb.conf file (see smb.conf(5)).
+</para>
+
+<para>
Samba can act as a local browse master for a workgroup and the ability
-for samba to support domain logons and scripts is now available.
+for samba to support domain logons and scripts is now available. See
+DOMAIN.txt for more information on domain logons.
</para>
<para>
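Review bot: "See DOMAIN.txt for more information on domain logons" points at a plain-text file rather than at the domain-control chapter in this DocBook tree, so it is a dangling reference once the txt docs are gone; use a <link> or <xref> to the chapter instead. "Samba now fully supports browsing" is also a stronger claim than the "Samba facilitates browsing" it replaces, and the rest of the chapter (which says Samba "lags behind in some areas") does not support "fully".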
@@ -71,12 +68,12 @@ that is providing this service.
<para>
[Note that nmbd can be configured as a WINS server, but it is not
-necessary to specifically use samba as your WINS server. MS Windows
-NT4, Server or Advanced Server 2000 or 2003 can be configured as
-your WINS server. In a mixed NT/2000/2003 server and samba environment on
-a Wide Area Network, it is recommended that you use the Microsoft
-WINS server capabilities. In a samba-only environment, it is
-recommended that you use one and only one Samba server as your WINS server.
+necessary to specifically use samba as your WINS server. NTAS can
+be configured as your WINS server. In a mixed NT server and
+samba environment on a Wide Area Network, it is recommended that
+you use the NT server's WINS server capabilities. In a samba-only
+environment, it is recommended that you use one and only one nmbd
+as your WINS server].
</para>
<para>
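Review bot: "NTAS" (NT Advanced Server) is NT 3.x-era naming that current readers will not recognise, and the text it replaces correctly listed NT4, 2000 and 2003 as WINS servers. Keep the product list; if NTAS must stay, expand it on first use. The added closing "]" does at least fix the unmatched "[Note" in the old text.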
@@ -116,15 +113,6 @@ connection that lists the shares is done as guest, and thus you must
have a valid guest account.
</para>
-<para><emphasis>
-MS Windows 2000 and upwards (as with Samba) can be configured to disallow
-anonymous (ie: Guest account) access to the IPC$ share. In that case, the
-MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
-name of the currently logged in user to query the IPC$ share. MS Windows
-9X clients are not able to do this and thus will NOT be able to browse
-server resources.
-</emphasis></para>
-
<para>
Also, a lot of people are getting bitten by the problem of too many
parameters on the command line of nmbd in inetd.conf. This trick is to
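Review bot: the deleted paragraph is the only security guidance in this section: it explains that Windows 2000+ and Samba can refuse anonymous (guest) access to IPC$ and what that does to browsing from Windows 9x clients. With it gone, "you must have a valid guest account" reads as an unconditional requirement, which pushes sites that have deliberately locked down guest access to re-enable it. Keep the paragraph, or at least a sentence saying guest access to IPC$ is only needed for clients that cannot authenticate the browse query.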
@@ -144,7 +132,7 @@ in smb.conf)
<sect1>
<title>Browsing across subnets</title>
<para>
-Since the release of Samba 1.9.17(alpha1) Samba has been
+With the release of Samba 1.9.17(alpha1 and above) Samba has been
updated to enable it to support the replication of browse lists
across subnet boundaries. New code and options have been added to
achieve this. This section describes how to set this feature up
@@ -179,7 +167,8 @@ settings) for Samba this is in the smb.conf file.
Cross subnet browsing is a complicated dance, containing multiple
moving parts. It has taken Microsoft several years to get the code
that achieves this correct, and Samba lags behind in some areas.
-Samba is capable of cross subnet browsing when configured correctly.
+However, with the 1.9.17 release, Samba is capable of cross subnet
+browsing when configured correctly.
</para>
<para>
@@ -430,9 +419,9 @@ in the [globals] section add the line
</para>
<para>
-Versions of Samba prior to 1.9.17 had this parameter default to
+Versions of Samba previous to 1.9.17 had this parameter default to
yes. If you have any older versions of Samba on your network it is
-strongly suggested you upgrade to a recent version, or at the very
+strongly suggested you upgrade to 1.9.17 or above, or at the very
least set the parameter to 'no' on all these machines.
</para>
@@ -484,7 +473,7 @@ machine or its IP address.
Note that this line MUST NOT BE SET in the smb.conf file of the Samba
server acting as the WINS server itself. If you set both the
"<command>wins support = yes</command>" option and the
-"<command>wins server = &lt;name&gt;</command>" option then
+"<command>wins server = &gt;name&lt;</command>" option then
nmbd will fail to start.
</para>
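Review bot: "&gt;name&lt;" renders as ">name<"; the original "&lt;name&gt;" (<name>) was correct. This looks like a search-and-replace mistake, and the same inversion appears in the DOMAIN<1B> hunk further down.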
@@ -549,12 +538,11 @@ server, if you require.
<para>
Next, you should ensure that each of the subnets contains a
machine that can act as a local master browser for the
-workgroup. Any MS Windows NT/2K/XP/2003 machine should be
-able to do this, as will Windows 9x machines (although these
-tend to get rebooted more often, so it's not such a good idea
-to use these). To make a Samba server a local master browser
-set the following options in the [global] section of the
-smb.conf file :
+workgroup. Any NT machine should be able to do this, as will
+Windows 95 machines (although these tend to get rebooted more
+often, so it's not such a good idea to use these). To make a
+Samba server a local master browser set the following
+options in the [global] section of the smb.conf file :
</para>
<para>
@@ -606,7 +594,7 @@ you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a Domain
name is also the Domain master browser for that name, and many
things will break if a Samba server registers the Domain master
-browser NetBIOS name (DOMAIN&lt;1B&gt;) with WINS instead of the PDC.
+browser NetBIOS name (DOMAIN&gt;1B&lt;) with WINS instead of the PDC.
</para>
<para>
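Review bot: "DOMAIN&gt;1B&lt;" renders as "DOMAIN>1B<"; the NetBIOS name-suffix notation is DOMAIN<1B>, as the removed line had it. Restore "&lt;1B&gt;".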
@@ -673,8 +661,8 @@ samba systems!)
</para>
<para>
-A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows
-NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
+A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A
+NTAS domain controller uses level 32.
</para>
<para>The maximum os level is 255</para>
diff --git a/docs/docbook/projdoc/CVS-Access.sgml b/docs/docbook/projdoc/CVS-Access.sgml
new file mode 100644
index 0000000000..98ef925f20
--- /dev/null
+++ b/docs/docbook/projdoc/CVS-Access.sgml
@@ -0,0 +1,157 @@
+<chapter id="cvs-access">
+
+
+<chapterinfo>
+ <author>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ </affiliation>
+ </author>
+
+
+ <pubdate> (22 May 2001) </pubdate>
+</chapterinfo>
+
+<title>HOWTO Access Samba source code via CVS</title>
+
+<sect1>
+<title>Introduction</title>
+
+<para>
+Samba is developed in an open environment. Developers use CVS
+(Concurrent Versioning System) to "checkin" (also known as
+"commit") new source code. Samba's various CVS branches can
+be accessed via anonymous CVS using the instructions
+detailed in this chapter.
+</para>
+
+<para>
+This document is a modified version of the instructions found at
+<ulink url="http://samba.org/samba/cvs.html">http://samba.org/samba/cvs.html</ulink>
+</para>
+
+</sect1>
+
+
+<sect1>
+<title>CVS Access to samba.org</title>
+
+<para>
+The machine samba.org runs a publicly accessible CVS
+repository for access to the source code of several packages,
+including samba, rsync and jitterbug. There are two main ways of
+accessing the CVS server on this host.
+</para>
+
+<sect2>
+<title>Access via CVSweb</title>
+
+<para>
+You can access the source code via your
+favourite WWW browser. This allows you to access the contents of
+individual files in the repository and also to look at the revision
+history and commit logs of individual files. You can also ask for a diff
+listing between any two versions on the repository.
+</para>
+
+<para>
+Use the URL : <ulink
+url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb</ulink>
+</para>
+</sect2>
+
+<sect2>
+<title>Access via cvs</title>
+
+<para>
+You can also access the source code via a
+normal cvs client. This gives you much more control over you can
+do with the repository and allows you to checkout whole source trees
+and keep them up to date via normal cvs commands. This is the
+preferred method of access if you are a developer and not
+just a casual browser.
+</para>
+
+<para>
+To download the latest cvs source code, point your
+browser at the URL : <ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>.
+and click on the 'How to get cvs' link. CVS is free software under
+the GNU GPL (as is Samba). Note that there are several graphical CVS clients
+which provide a graphical interface to the sometimes mundane CVS commands.
+Links to theses clients are also available from http://www.cyclic.com.
+</para>
+
+<para>
+To gain access via anonymous cvs use the following steps.
+For this example it is assumed that you want a copy of the
+samba source code. For the other source code repositories
+on this system just substitute the correct package name
+</para>
+
+<orderedlist>
+<listitem>
+ <para>
+ Install a recent copy of cvs. All you really need is a
+ copy of the cvs client binary.
+ </para>
+</listitem>
+
+
+<listitem>
+ <para>
+ Run the command
+ </para>
+
+ <para>
+ <command>cvs -d :pserver:cvs@samba.org:/cvsroot login</command>
+ </para>
+
+ <para>
+ When it asks you for a password type <userinput>cvs</userinput>.
+ </para>
+</listitem>
+
+
+<listitem>
+ <para>
+ Run the command
+ </para>
+
+ <para>
+ <command>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</command>
+ </para>
+
+ <para>
+ This will create a directory called samba containing the
+ latest samba source code (i.e. the HEAD tagged cvs branch). This
+ currently corresponds to the 3.0 development tree.
+ </para>
+
+ <para>
+ CVS branches other HEAD can be obtained by using the <parameter>-r</parameter>
+ and defining a tag name. A list of branch tag names can be found on the
+ "Development" page of the samba web site. A common request is to obtain the
+ latest 2.2 release code. This could be done by using the following command.
+ </para>
+
+ <para>
+ <command>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</command>
+ </para>
+</listitem>
+
+<listitem>
+ <para>
+ Whenever you want to merge in the latest code changes use
+ the following command from within the samba directory:
+ </para>
+
+ <para>
+ <command>cvs update -d -P</command>
+ </para>
+</listitem>
+</orderedlist>
+
+</sect2>
+</sect1>
+
+</chapter>
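Review bot: the checkout instructions use :pserver: with the shared password "cvs" and say nothing about verifying what was fetched, so a reader cannot tell a tampered tree from the real one; since this chapter is the documented way to obtain Samba source, add a sentence pointing to the signed release tarballs for anything that will be built and deployed, and note that pserver traffic is neither encrypted nor authenticated beyond that shared password. Typos in the new file: "control over you can do" (missing "what"), "CVS branches other HEAD" (missing "than"), "theses clients" ("these"), and CVS expands to "Concurrent Versions System", not "Concurrent Versioning System".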
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
index b178bfd2c2..8a30a5527d 100644
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
@@ -25,29 +25,79 @@
</chapterinfo>
-<title>Samba as a NT4 or Win2k domain member</title>
+<title>Samba as a NT4 domain member</title>
<sect1>
- <title>Joining an NT Domain with Samba 3.0</title>
+ <title>Joining an NT Domain with Samba 2.2</title>
- <para>Assume you have a Samba 3.0 server with a NetBIOS name of
- <constant>SERV1</constant> and are joining an or Win2k NT domain called
+ <para>Assume you have a Samba 2.x server with a NetBIOS name of
+ <constant>SERV1</constant> and are joining an NT domain called
<constant>DOM</constant>, which has a PDC with a NetBIOS name
of <constant>DOMPDC</constant> and two backup domain controllers
with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
</constant>.</para>
- <para>Firstly, you must edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+ <para>In order to join the domain, first stop all Samba daemons
+ and run the command:</para>
+
+ <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
+ -U<replaceable>Administrator%password</replaceable></userinput></para>
+
+ <para>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. The <replaceable>Administrator%password</replaceable> is
+ the login name and password for an account which has the necessary
+ privilege to add machines to the domain. If this is successful
+ you will see the message:</para>
+
+ <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
+ </para>
+
+ <para>in your terminal window. See the <ulink url="smbpasswd.8.html">
+ smbpasswd(8)</ulink> man page for more details.</para>
+
+ <para>There is existing development code to join a domain
+ without having to create the machine trust account on the PDC
+ beforehand. This code will hopefully be available soon
+ in release branches as well.</para>
+
+ <para>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</para>
+
+ <para><filename>/usr/local/samba/private</filename></para>
+
+ <para>In Samba 2.0.x, the filename looks like this:</para>
+
+ <para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba
+ Server Name&gt;</replaceable>.mac</filename></para>
+
+ <para>The <filename>.mac</filename> suffix stands for machine account
+ password file. So in our example above, the file would be called:</para>
+
+ <para><filename>DOM.SERV1.mac</filename></para>
+
+ <para>In Samba 2.2, this file has been replaced with a TDB
+ (Trivial Database) file named <filename>secrets.tdb</filename>.
+ </para>
+
+
+ <para>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</para>
+
+ <para>Now, before restarting the Samba daemons you must
+ edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
</ulink> file to tell Samba it should now use domain security.</para>
<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
<parameter>security =</parameter></ulink> line in the [global] section
of your smb.conf to read:</para>
- <para><command>security = domain</command> or
- <command>security = ads</command> depending on if the PDC is
- NT4 or running Active Directory respectivly.</para>
+ <para><command>security = domain</command></para>
<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
workgroup =</parameter></ulink> line in the [global] section to read: </para>
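Review bot: the restored "smbpasswd -j DOM -r DOMPDC -UAdministrator%password" puts the domain administrator password on the command line, where it is visible in ps output to every local user and is saved in the shell history; add a note to omit the "%password" part so smbpasswd prompts for it. The paragraph "There is existing development code to join a domain without having to create the machine trust account on the PDC beforehand" also needs a sentence before it saying that, with this command, the machine trust account for SERV1 must already exist on DOMPDC or the join fails; the removed net join text did not have that prerequisite, so a reader coming from it will not expect it.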
@@ -78,47 +128,11 @@
<para><command>password server = *</command></para>
- <para>This method, allows Samba to use exactly the same
- mechanism that NT does. This
+ <para>This method, which was introduced in Samba 2.0.6,
+ allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.</para>
- <para>In order to actually join the domain, you must run this
- command:</para>
-
- <para><prompt>root# </prompt><userinput>net join -S DOMPDC
- -U<replaceable>Administrator%password</replaceable></userinput></para>
-
- <para>as we are joining the domain DOM and the PDC for that domain
- (the only machine that has write access to the domain SAM database)
- is DOMPDC. The <replaceable>Administrator%password</replaceable> is
- the login name and password for an account which has the necessary
- privilege to add machines to the domain. If this is successful
- you will see the message:</para>
-
- <para><computeroutput>Joined domain DOM.</computeroutput>
- or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput>
- </para>
-
- <para>in your terminal window. See the <ulink url="net.8.html">
- net(8)</ulink> man page for more details.</para>
-
- <para>This process joins the server to thedomain
- without having to create the machine trust account on the PDC
- beforehand.</para>
-
- <para>This command goes through the machine account password
- change protocol, then writes the new (random) machine account
- password for this Samba server into a file in the same directory
- in which an smbpasswd file would be stored - normally :</para>
-
- <para><filename>/usr/local/samba/private/secrets.tdb</filename></para>
-
- <para>This file is created and owned by root and is not
- readable by any other user. It is the key to the domain-level
- security for your system, and should be treated as carefully
- as a shadow password file.</para>
-
<para>Finally, restart your Samba daemons and get ready for
clients to begin using domain security!</para>
</sect1>
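Review bot: the "password server = *" paragraph now says it "either broadcasts or uses a WINS database in order to find domain controllers", but nothing tells the reader that accepting whatever host answers that lookup is weaker than naming the DCs; one sentence recommending the explicit "password server = DOMPDC DOMBDC1 DOMBDC2" form where the DC list is known would help. With the net join text gone, "introduced in Samba 2.0.6" is the only version marker left in this section, which is fine for a 2.2 document but conflicts with the "Samba 3.0" wording still present in the next section.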
@@ -130,8 +144,23 @@
<para>
Many people have asked regarding the state of Samba's ability to participate in
a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode. The steps above apply
-to both NT4 and Windows 2000.
+2000 domain operating in mixed or native mode.
+</para>
+
+<para>
+There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain. By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
+NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.
+</para>
+
+<para>
+The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
+Computers" MMC (Microsoft Management Console) plugin.
</para>
</sect1>
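Review bot: the new paragraph says "adding a Samba 2.2 host to a Win2k domain" while the unchanged sentence at the top of this hunk still says "Samba 3.0 is able to act as a member server", so the section names two different Samba versions; pick one. "a when this host can be switched" should be "and when this host can be switched". The statement that a native-mode DC still accepts NetBIOS and NTLMv1 from legacy clients is correct by default, but it is a DC policy an administrator can turn off, in which case Samba's NTLM logon stops working; worth one sentence.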
@@ -176,7 +205,13 @@ to both NT4 and Windows 2000.
<para>And finally, acting in the same manner as an NT server
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
- as the user SID, the list of NT groups the user belongs to, etc. </para>
+ as the user SID, the list of NT groups the user belongs to, etc. All
+ this information will allow Samba to be extended in the future into
+ a mode the developers currently call appliance mode. In this mode,
+ no local Unix users will be necessary, and Samba will generate Unix
+ uids and gids from the information passed back from the PDC when a
+ user is authenticated, making a Samba server truly plug and play
+ in an NT domain environment. Watch for this code soon.</para>
<para><emphasis>NOTE:</emphasis> Much of the text of this document
was first published in the Web magazine <ulink url="http://www.linuxworld.com">
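Review bot: "appliance mode ... Watch for this code soon" promises unshipped functionality in reference documentation; winbind.sgml is in this same diffstat and winbindd already allocates Unix uids and gids from the SIDs returned by the PDC, so either point at the winbind chapter or drop the forward-looking paragraph. Documentation should describe what the release does, not the roadmap.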
diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml
index 1e2e6d7598..8c1b784433 100644
--- a/docs/docbook/projdoc/Diagnosis.sgml
+++ b/docs/docbook/projdoc/Diagnosis.sgml
@@ -17,7 +17,7 @@
<pubdate>Wed Jan 15</pubdate>
</chapterinfo>
-<title>The samba checklist</title>
+<title>Diagnosing your samba server</title>
<sect1>
<title>Introduction</title>
diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml
new file mode 100644
index 0000000000..f903d7d334
--- /dev/null
+++ b/docs/docbook/projdoc/ENCRYPTION.sgml
@@ -0,0 +1,189 @@
+<chapter id="pwencrypt">
+
+
+<chapterinfo>
+ <author>
+ <firstname>Jeremy</firstname><surname>Allison</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jra@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+ <author>
+ <firstname>Jelmer</firstname><surname>Vernooij</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jelmer@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+ <pubdate>4 November 2002</pubdate>
+</chapterinfo>
+
+<title>LanMan and NT Password Encryption in Samba</title>
+
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>Newer windows clients send encrypted passwords over
+ the wire, instead of plain text passwords. The newest clients
+ will only send encrypted passwords and refuse to send plain text
+ passwords, unless their registry is tweaked.</para>
+
+ <para>These passwords can't be converted to unix style encrypted
+ passwords. Because of that you can't use the standard unix
+ user database, and you have to store the Lanman and NT hashes
+ somewhere else. For more information, see the documentation
+ about the <command>passdb backend = </command> parameter.
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>Important Notes About Security</title>
+
+ <para>The unix and SMB password encryption techniques seem similar
+ on the surface. This similarity is, however, only skin deep. The unix
+ scheme typically sends clear text passwords over the network when
+ logging in. This is bad. The SMB encryption scheme never sends the
+ cleartext password over the network but it does store the 16 byte
+ hashed values on disk. This is also bad. Why? Because the 16 byte hashed
+ values are a "password equivalent". You cannot derive the user's
+ password from them, but they could potentially be used in a modified
+ client to gain access to a server. This would require considerable
+ technical knowledge on behalf of the attacker but is perfectly possible.
+ You should thus treat the smbpasswd file as though it contained the
+ cleartext passwords of all your users. Its contents must be kept
+ secret, and the file should be protected accordingly.</para>
+
+ <para>Ideally we would like a password scheme which neither requires
+ plain text passwords on the net or on disk. Unfortunately this
+ is not available as Samba is stuck with being compatible with
+ other SMB systems (WinNT, WfWg, Win95 etc). </para>
+
+ <warning>
+ <para>Note that Windows NT 4.0 Service pack 3 changed the
+ default for permissible authentication so that plaintext
+ passwords are <emphasis>never</emphasis> sent over the wire.
+ The solution to this is either to switch to encrypted passwords
+ with Samba or edit the Windows NT registry to re-enable plaintext
+ passwords. See the document WinNT.txt for details on how to do
+ this.</para>
+
+ <para>Other Microsoft operating systems which also exhibit
+ this behavior includes</para>
+
+ <itemizedlist>
+ <listitem><para>MS DOS Network client 3.0 with
+ the basic network redirector installed</para></listitem>
+
+ <listitem><para>Windows 95 with the network redirector
+ update installed</para></listitem>
+
+ <listitem><para>Windows 98 [se]</para></listitem>
+
+ <listitem><para>Windows 2000</para></listitem>
+ </itemizedlist>
+
+ <para><emphasis>Note :</emphasis>All current release of
+ Microsoft SMB/CIFS clients support authentication via the
+ SMB Challenge/Response mechanism described here. Enabling
+ clear text authentication does not disable the ability
+ of the client to participate in encrypted authentication.</para>
+ </warning>
+
+ <sect2>
+ <title>Advantages of SMB Encryption</title>
+
+ <itemizedlist>
+ <listitem><para>plain text passwords are not passed across
+ the network. Someone using a network sniffer cannot just
+ record passwords going to the SMB server.</para>
+ </listitem>
+
+ <listitem><para>WinNT doesn't like talking to a server
+ that isn't using SMB encrypted passwords. It will refuse
+ to browse the server if the server is also in user level
+ security mode. It will insist on prompting the user for the
+ password on each connection, which is very annoying. The
+ only things you can do to stop this is to use SMB encryption.
+ </para></listitem>
+ </itemizedlist>
+ </sect2>
+
+
+ <sect2>
+ <title>Advantages of non-encrypted passwords</title>
+
+ <itemizedlist>
+ <listitem><para>plain text passwords are not kept
+ on disk. </para></listitem>
+
+ <listitem><para>uses same password file as other unix
+ services such as login and ftp</para></listitem>
+
+ <listitem><para>you are probably already using other
+ services (such as telnet and ftp) which send plain text
+ passwords over the net, so sending them for SMB isn't
+ such a big deal.</para></listitem>
+ </itemizedlist>
+ </sect2>
+</sect1>
+
+
+<sect1>
+ <title>The smbpasswd Command</title>
+
+ <para>The smbpasswd command maintains the two 32 byte password fields
+ in the smbpasswd file. If you wish to make it similar to the unix
+ <command>passwd</command> or <command>yppasswd</command> programs,
+ install it in <filename>/usr/local/samba/bin/</filename> (or your
+ main Samba binary directory).</para>
+
+ <para><command>smbpasswd</command> now works in a client-server mode
+ where it contacts the local smbd to change the user's password on its
+ behalf. This has enormous benefits - as follows.</para>
+
+ <para><command>smbpasswd</command> now has the capability
+ to change passwords on Windows NT servers (this only works when
+ the request is sent to the NT Primary Domain Controller if you
+ are changing an NT Domain user's password).</para>
+
+ <para>To run smbpasswd as a normal user just type :</para>
+
+ <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
+ <para><prompt>Old SMB password: </prompt><userinput>&lt;type old value here -
+ or hit return if there was no old password&gt;</userinput></para>
+ <para><prompt>New SMB Password: </prompt><userinput>&lt;type new value&gt;
+ </userinput></para>
+ <para><prompt>Repeat New SMB Password: </prompt><userinput>&lt;re-type new value
+ </userinput></para>
+
+ <para>If the old value does not match the current value stored for
+ that user, or the two new values do not match each other, then the
+ password will not be changed.</para>
+
+ <para>If invoked by an ordinary user it will only allow the user
+ to change his or her own Samba password.</para>
+
+ <para>If run by the root user smbpasswd may take an optional
+ argument, specifying the user name whose SMB password you wish to
+ change. Note that when run as root smbpasswd does not prompt for
+ or check the old password value, thus allowing root to set passwords
+ for users who have forgotten their passwords.</para>
+
+ <para><command>smbpasswd</command> is designed to work in the same way
+ and be familiar to UNIX users who use the <command>passwd</command> or
+ <command>yppasswd</command> commands.</para>
+
+ <para>For more details on using <command>smbpasswd</command> refer
+ to the man page which will always be the definitive reference.</para>
+</sect1>
+
+</chapter>
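Review bot: the smbpasswd section contradicts the security section on hash size: `The smbpasswd command maintains the two 32 byte password fields` versus the earlier `it does store the 16 byte hashed values on disk`. Both hashes are 16 bytes; the smbpasswd file stores each as 32 hexadecimal characters, so say `two 16-byte hashes, each stored as 32 hexadecimal characters`. Further points in this file: (1) the third prompt example is missing its closing `&gt;`: `&lt;re-type new value` is followed directly by `</userinput>`, so the rendered text is unbalanced; (2) the warning tells the reader to `See the document WinNT.txt`, which is not a chapter in this DocBook tree; link the relevant chapter or drop the reference; (3) in the security notes, "This would require considerable technical knowledge on behalf of the attacker" undercuts the correct point made two sentences earlier that the hashes are a password equivalent; since a modified client is all that is needed, drop the qualifier and keep the instruction to protect smbpasswd as if it held cleartext; (4) the "Advantages of non-encrypted passwords" list argues that because telnet and ftp already send cleartext passwords, doing so for SMB "isn't such a big deal"; a security chapter should describe that trade-off without endorsing it.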
diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml
index 06c1d3a87e..6d5a019fcb 100644
--- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml
+++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml
@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="iso8859-1"?>
<chapter id="groupmapping">
<chapterinfo>
<author>
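Review bot: removing the `<?xml version="1.0" encoding="iso8859-1"?>` declaration makes this chapter consistent with the other .sgml files, which carry none, but it also drops the only statement of the file's encoding. If the chapter contains any 8-bit characters (author names are the usual place), the build's SGML declaration or catalog must now cover ISO-8859-1 or they will be mis-rendered; a grep for non-ASCII bytes before merging would settle it.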
diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml
index a4e79fd42b..3b0faf81af 100644
--- a/docs/docbook/projdoc/Integrating-with-Windows.sgml
+++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml
@@ -295,16 +295,16 @@ The following are typical NetBIOS name/service type registrations:
<para><programlisting>
Unique NetBIOS Names:
- MACHINENAME&lt;00&gt; = Server Service is running on MACHINENAME
- MACHINENAME&lt;03&gt; = Generic Machine Name (NetBIOS name)
- MACHINENAME&lt;20&gt; = LanMan Server service is running on MACHINENAME
- WORKGROUP&lt;1b&gt; = Domain Master Browser
+ MACHINENAME<00> = Server Service is running on MACHINENAME
+ MACHINENAME<03> = Generic Machine Name (NetBIOS name)
+ MACHINENAME<20> = LanMan Server service is running on MACHINENAME
+ WORKGROUP<1b> = Domain Master Browser
Group Names:
- WORKGROUP&lt;03&gt; = Generic Name registered by all members of WORKGROUP
- WORKGROUP&lt;1c&gt; = Domain Controllers / Netlogon Servers
- WORKGROUP&lt;1d&gt; = Local Master Browsers
- WORKGROUP&lt;1e&gt; = Internet Name Resolvers
+ WORKGROUP<03> = Generic Name registered by all members of WORKGROUP
+ WORKGROUP<1c> = Domain Controllers / Netlogon Servers
+ WORKGROUP<1d> = Local Master Browsers
+ WORKGROUP<1e> = Internet Name Resolvers
</programlisting></para>
<para>
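Review bot: replacing `MACHINENAME&lt;00&gt;` with a literal `MACHINENAME<00>` inside `<programlisting>` relies on SGML not recognising `<` followed by a digit as a start-tag open delimiter. It happens to parse with an SGML toolchain, but any XML-based DocBook build or strict validator rejects it, and `<1b>`, `<1c>`, `<1d>`, `<1e>` in the same listing have the same problem. If the motivation was that entities appeared verbatim in the rendered output, that is a stylesheet or build issue and should be fixed there; keep the `&lt;`/`&gt;` form in the source.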
@@ -323,7 +323,7 @@ be needed. An example of this is what happens when an MS Windows client
wants to locate a domain logon server. It find this service and the IP
address of a server that provides it by performing a lookup (via a
NetBIOS broadcast) for enumeration of all machines that have
-registered the name type *&lt;1c&gt;. A logon request is then sent to each
+registered the name type *<1c>. A logon request is then sent to each
IP address that is returned in the enumerated list of IP addresses. Which
ever machine first replies then ends up providing the logon services.
</para>
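Review bot: un-escaping `*&lt;1c&gt;` to `*<1c>` in ordinary `<para>` text depends on the SGML parser treating `<` followed by a digit as data rather than as a tag opener; an XML DocBook build will reject it, so keep the entity form. While this paragraph is being touched, the surrounding context lines carry two pre-existing typos worth fixing in the same commit: `It find this service` and `Which ever machine`.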
diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml
index 2843331519..2259dae029 100644
--- a/docs/docbook/projdoc/NT_Security.sgml
+++ b/docs/docbook/projdoc/NT_Security.sgml
@@ -31,6 +31,12 @@
the security of the UNIX host Samba is running on, and
still obeys all the file permission rules that a Samba
administrator can set.</para>
+
+ <para>In Samba 2.0.4 and above the default value of the
+ parameter <ulink url="smb.conf.5.html#NTACLSUPPORT"><parameter>
+ nt acl support</parameter></ulink> has been changed from
+ <constant>false</constant> to <constant>true</constant>, so
+ manipulation of permissions is turned on by default.</para>
</sect1>
<sect1>
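Review bot: the `<ulink>` is split across a line break inside `<parameter>` (`<parameter>` at the end of one line, `nt acl support</parameter>` on the next), which renders the link text with a stray leading space; put the element on one line. On content, the security-relevant consequence should be stated rather than implied: with `nt acl support = true` Windows clients can view and modify permissions through the Security tab, bounded, as the preceding context line already says, by the UNIX file permission rules. `In Samba 2.0.4 and above` is fine as history but reads oddly in a current HOWTO; `Since Samba 2.0.4` would be clearer.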
diff --git a/docs/docbook/projdoc/Other-Clients.sgml b/docs/docbook/projdoc/Other-Clients.sgml
index 6ba04b01d3..f790024c3a 100644
--- a/docs/docbook/projdoc/Other-Clients.sgml
+++ b/docs/docbook/projdoc/Other-Clients.sgml
@@ -233,16 +233,6 @@ for use with <command>security = user</command>
</sect2>
-<sect2>
-<title>Use TCP/IP as default protocol</title>
-
-<para>To support print queue reporting you may find
-that you have to use TCP/IP as the default protocol under
-WfWg. For some reason if you leave Netbeui as the default
-it may break the print queue reporting on some systems.
-It is presumably a WfWg bug.</para>
-
-</sect2>
</sect1>
<sect1>
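Review bot: this deletes the only advice on print queue reporting under WfWg (use TCP/IP rather than NetBEUI as the default protocol) with no replacement and no reason in the diff; if the note is obsolete or was moved elsewhere, the commit should say so, otherwise the section should stay, at most trimmed of the `It is presumably a WfWg bug` speculation.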
diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml
index dae267e8b5..afafacc5e4 100644
--- a/docs/docbook/projdoc/Portability.sgml
+++ b/docs/docbook/projdoc/Portability.sgml
@@ -175,16 +175,4 @@ Corrective Action: Delete the entry after the word loopback
in the line starting 127.0.0.1
</para>
</sect1>
-
-<sect1>
-<title>AIX</title>
-<sect2>
-<title>Sequential Read Ahead</title>
-<!-- From an email by William Jojo <jojowil@hvcc.edu> -->
-<para>
-Disabling Sequential Read Ahead using "vmtune -r 0" improves
-samba performance significally.
-</para>
-</sect2>
-</sect1>
</chapter>
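Review bot: dropping the AIX `vmtune -r 0` section removes a platform-specific performance note that the Portability chapter is the natural home for, and nothing in this diff moves it elsewhere. If it was removed because the advice is unverified (it is attributed to a single e-mail) or because `vmtune` is obsolete on current AIX, say so in the commit; otherwise keep it and fix `significally` to `significantly`.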
diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml
index e3bee32db0..7653e3d1c0 100644
--- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml
@@ -128,7 +128,7 @@ the password change is done.
<sect1>
-<title>Can Samba be a Backup Domain Controller to an NT PDC?</title>
+<title>Can Samba be a Backup Domain Controller?</title>
<para>
With version 2.2, no. The native NT SAM replication protocols have
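Review bot: broadening the title from `Can Samba be a Backup Domain Controller to an NT PDC?` to `Can Samba be a Backup Domain Controller?` makes the answer that follows wrong: `With version 2.2, no.` is true only for acting as a BDC to an NT PDC, while the rest of the section explains that a second Samba server can take the BDC role for a Samba PDC. Either keep the NT PDC qualifier in the title or rewrite the opening sentence so it answers the broader question.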
@@ -138,12 +138,6 @@ been finished for version 2.2.
</para>
<para>
-With version 3.0, the work on both the replication protocols and a
-suitable storage mechanism has progressed, and some form of NT4 BDC
-support is expected soon.
-</para>
-
-<para>
Can I get the benefits of a BDC with Samba? Yes. The main reason for
implementing a BDC is availability. If the PDC is a Samba machine,
a second Samba machine can be set up to
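Review bot: removing the paragraph `With version 3.0, the work on both the replication protocols ... is expected soon` is right, since the HOWTO should not promise features, but what remains answers only for 2.2 (`With version 2.2, no.`) and now says nothing at all about 3.0, the version the removed text referred to. Add one sentence stating the 3.0 position, even if it is only that NT4 SAM replication is still unsupported, so the section does not read as if 3.0 were undocumented.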
@@ -184,8 +178,7 @@ whenever changes are made, or the PDC is set up as a NIS master
server and the BDC as a NIS slave server. To set up the BDC as a
mere NIS client would not be enough, as the BDC would not be able to
access its user database in case of a PDC failure.
-</para>
-</listitem>
+</para></listitem>
<listitem><para>
The Samba password database in the file private/smbpasswd has to be
@@ -243,15 +236,5 @@ password.
</sect2>
-<sect2>
-<title>Can I do this all with LDAP?</title>
-<para>The simple answer is YES. Samba's pdb_ldap code supports
-binding to a replica LDAP server, and will also follow referrals and
-rebind to the master if it ever needs to make a modification to the
-database. (Normally BDCs are read only, so this will not occur
-often).
-</para>
-</sect2>
-
</sect1>
</chapter>
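Review bot: this deletes the `Can I do this all with LDAP?` answer, and with it the only statement that pdb_ldap can bind to a replica LDAP server and follows referrals back to the master when it needs to write. Nothing in this diff carries that information over, and a reader running a BDC against a read-only replica needs exactly it when a write (such as a password change) must reach the master. Move the paragraph into the LDAP HOWTO or keep it here rather than dropping it.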
diff --git a/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml
new file mode 100644
index 0000000000..f294ddd1ff
--- /dev/null
+++ b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml
@@ -0,0 +1,593 @@
+<chapter id="samba-ldap-howto">
+
+<chapterinfo>
+ <author>
+ <firstname>Gerald (Jerry)</firstname><surname>Carter</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address><email>jerry@samba.org</email></address>
+ </affiliation>
+ <firstname>Olivier (lem)</firstname><surname>Lemaire</surname>
+ <affiliation>
+ <orgname>IDEALX</orgname>
+ <address><email>olem@IDEALX.org</email></address>
+ </affiliation>
+ </author>
+
+
+ <pubdate> (13 Jan 2002) </pubdate>
+</chapterinfo>
+
+<title>Storing Samba's User/Machine Account information in an LDAP Directory</title>
+
+<sect1>
+<title>Purpose</title>
+
+<para>
+This document describes how to use an LDAP directory for storing Samba user
+account information traditionally stored in the smbpasswd(5) file. It is
+assumed that the reader already has a basic understanding of LDAP concepts
+and has a working directory server already installed. For more information
+on LDAP architectures and Directories, please refer to the following sites.
+</para>
+
+<itemizedlist>
+ <listitem><para>OpenLDAP - <ulink url="http://www.openldap.org/">http://www.openldap.org/</ulink></para></listitem>
+ <listitem><para>iPlanet Directory Server - <ulink url="http://iplanet.netscape.com/directory">http://iplanet.netscape.com/directory</ulink></para></listitem>
+</itemizedlist>
+
+<para>
+Note that <ulink url="http://www.ora.com/">O'Reilly Publishing</ulink> is working on
+a guide to LDAP for System Administrators which has a planned release date of
+early summer, 2002.
+</para>
+
+<para>
+Two additional Samba resources which may prove to be helpful are
+</para>
+
+<itemizedlist>
+ <listitem><para>The <ulink url="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html">Samba-PDC-LDAP-HOWTO</ulink>
+ maintained by Ignacio Coupeau.</para></listitem>
+
+ <listitem><para>The NT migration scripts from <ulink url="http://samba.idealx.org/">IDEALX</ulink> that are
+ geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
+ </para></listitem>
+</itemizedlist>
+
+</sect1>
+
+
+<sect1>
+<title>Introduction</title>
+
+<para>
+Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">"encrypt
+passwords = yes"</ulink> in Samba's <filename>smb.conf</filename> file, user account
+information such as username, LM/NT password hashes, password change times, and account
+flags have been stored in the <filename>smbpasswd(5)</filename> file. There are several
+disadvantages to this approach for sites with very large numbers of users (counted
+in the thousands).
+</para>
+
+<itemizedlist>
+<listitem><para>
+The first is that all lookups must be performed sequentially. Given that
+there are approximately two lookups per domain logon (one for a normal
+session connection such as when mapping a network drive or printer), this
+is a performance bottleneck for lareg sites. What is needed is an indexed approach
+such as is used in databases.
+</para></listitem>
+
+<listitem><para>
+The second problem is that administrators who desired to replicate a
+smbpasswd file to more than one Samba server were left to use external
+tools such as <command>rsync(1)</command> and <command>ssh(1)</command>
+and wrote custom, in-house scripts.
+</para></listitem>
+
+<listitem><para>
+And finally, the amount of information which is stored in an
+smbpasswd entry leaves no room for additional attributes such as
+a home directory, password expiration time, or even a Relative
+Identified (RID).
+</para></listitem>
+</itemizedlist>
+
+<para>
+As a result of these defeciencies, a more robust means of storing user attributes
+used by smbd was developed. The API which defines access to user accounts
+is commonly referred to as the samdb interface (previously this was called the passdb
+API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support
+for a samdb backend (e.g. <parameter>--with-ldapsam</parameter> or
+<parameter>--with-tdbsam</parameter>) requires compile time support.
+</para>
+
+<para>
+When compiling Samba to include the <parameter>--with-ldapsam</parameter> autoconf
+option, smbd (and associated tools) will store and lookup user accounts in
+an LDAP directory. In reality, this is very easy to understand. If you are
+comfortable with using an smbpasswd file, simply replace "smbpasswd" with
+"LDAP directory" in all the documentation.
+</para>
+
+<para>
+There are a few points to stress about what the <parameter>--with-ldapsam</parameter>
+does not provide. The LDAP support referred to in the this documentation does not
+include:
+</para>
+
+<itemizedlist>
+ <listitem><para>A means of retrieving user account information from
+ an Windows 2000 Active Directory server.</para></listitem>
+ <listitem><para>A means of replacing /etc/passwd.</para></listitem>
+</itemizedlist>
+
+<para>
+The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
+versions of these libraries can be obtained from PADL Software
+(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). However,
+the details of configuring these packages are beyond the scope of this document.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Supported LDAP Servers</title>
+
+<para>
+The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP
+2.0 server and client libraries. The same code should be able to work with
+Netscape's Directory Server and client SDK. However, due to lack of testing
+so far, there are bound to be compile errors and bugs. These should not be
+hard to fix. If you are so inclined, please be sure to forward all patches to
+<ulink url="samba-patches@samba.org">samba-patches@samba.org</ulink> and
+<ulink url="jerry@samba.org">jerry@samba.org</ulink>.
+</para>
+
+</sect1>
+
+
+
+
+<sect1>
+<title>Schema and Relationship to the RFC 2307 posixAccount</title>
+
+
+<para>
+Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in
+<filename>examples/LDAP/samba.schema</filename>. (Note that this schema
+file has been modified since the experimental support initially included
+in 2.2.2). The sambaAccount objectclass is given here:
+</para>
+
+<para><programlisting>
+objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+ DESC 'Samba Account'
+ MUST ( uid $ rid )
+ MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+ description $ userWorkstations $ primaryGroupID $ domain ))
+</programlisting></para>
+
+<para>
+The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
+owned by the Samba Team and as such is legal to be openly published.
+If you translate the schema to be used with Netscape DS, please
+submit the modified schema file as a patch to <ulink
+url="jerry@samba.org">jerry@samba.org</ulink>
+</para>
+
+<para>
+Just as the smbpasswd file is mean to store information which supplements a
+user's <filename>/etc/passwd</filename> entry, so is the sambaAccount object
+meant to supplement the UNIX user account information. A sambaAccount is a
+<constant>STRUCTURAL</constant> objectclass so it can be stored individually
+in the directory. However, there are several fields (e.g. uid) which overlap
+with the posixAccount objectclass outlined in RFC2307. This is by design.
+</para>
+
+<!--olem: we should perhaps have a note about shadowAccounts too as many
+systems use them, isn'it ? -->
+
+<para>
+In order to store all user account information (UNIX and Samba) in the directory,
+it is necessary to use the sambaAccount and posixAccount objectclasses in
+combination. However, smbd will still obtain the user's UNIX account
+information via the standard C library calls (e.g. getpwnam(), et. al.).
+This means that the Samba server must also have the LDAP NSS library installed
+and functioning correctly. This division of information makes it possible to
+store all Samba account information in LDAP, but still maintain UNIX account
+information in NIS while the network is transitioning to a full LDAP infrastructure.
+</para>
+</sect1>
+
+<sect1>
+<title>Configuring Samba with LDAP</title>
+
+
+<sect2>
+<title>OpenLDAP configuration</title>
+
+<para>
+To include support for the sambaAccount object in an OpenLDAP directory
+server, first copy the samba.schema file to slapd's configuration directory.
+</para>
+
+<para>
+<prompt>root# </prompt><command>cp samba.schema /etc/openldap/schema/</command>
+</para>
+
+<para>
+Next, include the <filename>samba.schema</filename> file in <filename>slapd.conf</filename>.
+The sambaAccount object contains two attributes which depend upon other schema
+files. The 'uid' attribute is defined in <filename>cosine.schema</filename> and
+the 'displayName' attribute is defined in the <filename>inetorgperson.schema</filename>
+file. Both of these must be included before the <filename>samba.schema</filename> file.
+</para>
+
+<para><programlisting>
+## /etc/openldap/slapd.conf
+
+## schema files (core.schema is required by default)
+include /etc/openldap/schema/core.schema
+
+## needed for sambaAccount
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/samba.schema
+
+## uncomment this line if you want to support the RFC2307 (NIS) schema
+## include /etc/openldap/schema/nis.schema
+
+....
+</programlisting></para>
+
+<para>
+It is recommended that you maintain some indices on some of the most usefull attributes,
+like in the following example, to speed up searches made on sambaAccount objectclasses
+(and possibly posixAccount and posixGroup as well).
+</para>
+<para><programlisting>
+# Indices to maintain
+## required by OpenLDAP 2.0
+index objectclass eq
+
+## support pb_getsampwnam()
+index uid pres,eq
+## support pdb_getsambapwrid()
+index rid eq
+
+## uncomment these if you are storing posixAccount and
+## posixGroup entries in the directory as well
+##index uidNumber eq
+##index gidNumber eq
+##index cn eq
+##index memberUid eq
+</programlisting></para>
+</sect2>
+
+
+<sect2>
+<title>Configuring Samba</title>
+<!--lem: <title>smb.conf LDAP parameters</title> -->
+
+<para>
+The following parameters are available in smb.conf only with <parameter>--with-ldapsam</parameter>
+was included with compiling Samba.
+</para>
+
+<itemizedlist>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPSSL">ldap ssl</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPSERVER">ldap server</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPADMINDN">ldap admin dn</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPSUFFIX">ldap suffix</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPFILTER">ldap filter</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPPORT">ldap port</ulink></para></listitem>
+</itemizedlist>
+
+<para>
+These are described in the <ulink url="smb.conf.5.html">smb.conf(5)</ulink> man
+page and so will not be repeated here. However, a sample smb.conf file for
+use with an LDAP directory could appear as
+</para>
+
+<para><programlisting>
+## /usr/local/samba/lib/smb.conf
+[global]
+ security = user
+ encrypt passwords = yes
+
+ netbios name = TASHTEGO
+ workgroup = NARNIA
+
+ # ldap related parameters
+
+ # define the DN to use when binding to the directory servers
+ # The password for this DN is not stored in smb.conf. Rather it
+ # must be set by using 'smbpasswd -w <replaceable>secretpw</replaceable>' to store the
+ # passphrase in the secrets.tdb file. If the "ldap admin dn" values
+ # changes, this password will need to be reset.
+ ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
+
+ # specify the LDAP server's hostname (defaults to locahost)
+ ldap server = ahab.samba.org
+
+ # Define the SSL option when connecting to the directory
+ # ('off', 'start tls', or 'on' (default))
+ ldap ssl = start tls
+
+ # define the port to use in the LDAP session (defaults to 636 when
+ # "ldap ssl = on")
+ ldap port = 389
+
+ # specify the base DN to use when searching the directory
+ ldap suffix = "ou=people,dc=samba,dc=org"
+
+ # generally the default ldap search filter is ok
+ # ldap filter = "(&amp;(uid=%u)(objectclass=sambaAccount))"
+</programlisting></para>
+
+
+</sect2>
+</sect1>
+
+
+<sect1>
+<title>Accounts and Groups management</title>
+
+<para>
+As users accounts are managed thru the sambaAccount objectclass, you should
+modify you existing administration tools to deal with sambaAccount attributes.
+</para>
+
+<para>
+Machines accounts are managed with the sambaAccount objectclass, just
+like users accounts. However, it's up to you to stored thoses accounts
+in a different tree of you LDAP namespace: you should use
+"ou=Groups,dc=plainjoe,dc=org" to store groups and
+"ou=People,dc=plainjoe,dc=org" to store users. Just configure your
+NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
+file).
+</para>
+
+<para>
+In Samba release 2.2.3, the group management system is based on posix
+groups. This meand that Samba make usage of the posixGroup objectclass.
+For now, there is no NT-like group system management (global and local
+groups).
+</para>
+
+</sect1>
+
+<sect1>
+<title>Security and sambaAccount</title>
+
+
+<para>
+There are two important points to remember when discussing the security
+of sambaAccount entries in the directory.
+</para>
+
+<itemizedlist>
+ <listitem><para><emphasis>Never</emphasis> retrieve the lmPassword or
+ ntPassword attribute values over an unencrypted LDAP session.</para></listitem>
+ <listitem><para><emphasis>Never</emphasis> allow non-admin users to
+ view the lmPassword or ntPassword attribute values.</para></listitem>
+</itemizedlist>
+
+<para>
+These password hashes are clear text equivalents and can be used to impersonate
+the user without deriving the original clear text strings. For more information
+on the details of LM/NT password hashes, refer to the <ulink
+url="ENCRYPTION.html">ENCRYPTION chapter</ulink> of the Samba-HOWTO-Collection.
+</para>
+
+<para>
+To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
+to require an encrypted session (<command>ldap ssl = on</command>) using
+the default port of 636
+when contacting the directory server. When using an OpenLDAP 2.0 server, it
+is possible to use the use the StartTLS LDAP extended operation in the place of
+LDAPS. In either case, you are strongly discouraged to disable this security
+(<command>ldap ssl = off</command>).
+</para>
+
+<para>
+Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
+extended operation. However, the OpenLDAP library still provides support for
+the older method of securing communication between clients and servers.
+</para>
+
+<para>
+The second security precaution is to prevent non-administrative users from
+harvesting password hashes from the directory. This can be done using the
+following ACL in <filename>slapd.conf</filename>:
+</para>
+
+<para><programlisting>
+## allow the "ldap admin dn" access, but deny everyone else
+access to attrs=lmPassword,ntPassword
+ by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
+ by * none
+</programlisting></para>
+
+
+</sect1>
+
+
+
+<sect1>
+<title>LDAP specials attributes for sambaAccounts</title>
+
+<para>
+The sambaAccount objectclass is composed of the following attributes:
+</para>
+
+<itemizedlist>
+
+ <listitem><para><constant>lmPassword</constant>: the LANMAN password 16-byte hash stored as a character
+ representation of a hexidecimal string.</para></listitem>
+
+ <listitem><para><constant>ntPassword</constant>: the NT password hash 16-byte stored as a character
+ representation of a hexidecimal string.</para></listitem>
+
+ <listitem><para><constant>pwdLastSet</constant>: The integer time in seconds since 1970 when the
+ <constant>lmPassword</constant> and <constant>ntPassword</constant> attributes were last set.
+ </para></listitem>
+
+ <listitem><para><constant>acctFlags</constant>: string of 11 characters surrounded by square brackets []
+ representing account flags such as U (user), W(workstation), X(no password expiration), and
+ D(disabled).</para></listitem>
+
+ <listitem><para><constant>logonTime</constant>: Integer value currently unused</para></listitem>
+
+ <listitem><para><constant>logoffTime</constant>: Integer value currently unused</para></listitem>
+
+ <listitem><para><constant>kickoffTime</constant>: Integer value currently unused</para></listitem>
+
+ <listitem><para><constant>pwdCanChange</constant>: Integer value currently unused</para></listitem>
+
+ <listitem><para><constant>pwdMustChange</constant>: Integer value currently unused</para></listitem>
+
+ <listitem><para><constant>homeDrive</constant>: specifies the drive letter to which to map the
+ UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
+ where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
+ smb.conf(5) man page for more information.</para></listitem>
+
+ <listitem><para><constant>scriptPath</constant>: The scriptPath property specifies the path of
+ the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
+ is relative to the netlogon share. Refer to the "logon script" parameter in the
+ smb.conf(5) man page for more information.</para></listitem>
+
+ <listitem><para><constant>profilePath</constant>: specifies a path to the user's profile.
+ This value can be a null string, a local absolute path, or a UNC path. Refer to the
+ "logon path" parameter in the smb.conf(5) man page for more information.</para></listitem>
+
+ <listitem><para><constant>smbHome</constant>: The homeDirectory property specifies the path of
+ the home directory for the user. The string can be null. If homeDrive is set and specifies
+ a drive letter, homeDirectory should be a UNC path. The path must be a network
+ UNC path of the form \\server\share\directory. This value can be a null string.
+ Refer to the "logon home" parameter in the smb.conf(5) man page for more information.
+ </para></listitem>
+
+ <listitem><para><constant>userWorkstation</constant>: character string value currently unused.
+ </para></listitem>
+
+ <listitem><para><constant>rid</constant>: the integer representation of the user's relative identifier
+ (RID).</para></listitem>
+
+ <listitem><para><constant>primaryGroupID</constant>: the relative identifier (RID) of the primary group
+ of the user.</para></listitem>
+
+</itemizedlist>
+
+<para>
+The majority of these parameters are only used when Samba is acting as a PDC of
+a domain (refer to the <ulink url="Samba-PDC-HOWTO.html">Samba-PDC-HOWTO</ulink> for details on
+how to configure Samba as a Primary Domain Controller). The following four attributes
+are only stored with the sambaAccount entry if the values are non-default values:
+</para>
+
+<itemizedlist>
+ <listitem><para>smbHome</para></listitem>
+ <listitem><para>scriptPath</para></listitem>
+ <listitem><para>logonPath</para></listitem>
+ <listitem><para>homeDrive</para></listitem>
+</itemizedlist>
+
+<para>
+These attributes are only stored with the sambaAccount entry if
+the values are non-default values. For example, assume TASHTEGO has now been
+configured as a PDC and that <command>logon home = \\%L\%u</command> was defined in
+its <filename>smb.conf</filename> file. When a user named "becky" logons to the domain,
+the <parameter>logon home</parameter> string is expanded to \\TASHTEGO\becky.
+If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
+this value is used. However, if this attribute does not exist, then the value
+of the <parameter>logon home</parameter> parameter is used in its place. Samba
+will only write the attribute value to the directory entry is the value is
+something other than the default (e.g. \\MOBY\becky).
+</para>
+
+
+</sect1>
+
+
+
+<sect1>
+<title>Example LDIF Entries for a sambaAccount</title>
+
+
+<para>
+The following is a working LDIF with the inclusion of the posixAccount objectclass:
+</para>
+
+<para><programlisting>
+dn: uid=guest2, ou=people,dc=plainjoe,dc=org
+ntPassword: 878D8014606CDA29677A44EFA1353FC7
+pwdMustChange: 2147483647
+primaryGroupID: 1201
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+pwdLastSet: 1010179124
+logonTime: 0
+objectClass: sambaAccount
+uid: guest2
+kickoffTime: 2147483647
+acctFlags: [UX ]
+logoffTime: 2147483647
+rid: 19006
+pwdCanChange: 0
+</programlisting></para>
+
+<para>
+The following is an LDIF entry for using both the sambaAccount and
+posixAccount objectclasses:
+</para>
+
+<para><programlisting>
+dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
+logonTime: 0
+displayName: Gerald Carter
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+primaryGroupID: 1201
+objectClass: posixAccount
+objectClass: sambaAccount
+acctFlags: [UX ]
+userPassword: {crypt}BpM2ej8Rkzogo
+uid: gcarter
+uidNumber: 9000
+cn: Gerald Carter
+loginShell: /bin/bash
+logoffTime: 2147483647
+gidNumber: 100
+kickoffTime: 2147483647
+pwdLastSet: 1010179230
+rid: 19000
+homeDirectory: /home/tashtego/gcarter
+pwdCanChange: 0
+pwdMustChange: 2147483647
+ntPassword: 878D8014606CDA29677A44EFA1353FC7
+</programlisting></para>
+
+
+</sect1>
+
+
+
+<sect1>
+<title>Comments</title>
+
+
+<para>
+Please mail all comments regarding this HOWTO to <ulink
+url="mailto:jerry@samba.org">jerry@samba.org</ulink>. This documents was
+last updated to reflect the Samba 2.2.3 release.
+
+</para>
+
+
+</sect1>
+
+
+</chapter>
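Review bot: the lead-in to the first LDIF ("a working LDIF with the inclusion of the posixAccount objectclass") contradicts the entry under it, which carries only "objectClass: sambaAccount"; it should say "without the posixAccount objectclass", since the second entry is the one that combines both. The list of four attributes "only stored ... if the values are non-default" names "logonPath", which is not an attribute defined above (the attribute is "profilePath", mapped to the "logon path" parameter), and the smbHome item opens with "The homeDirectory property", which is the posixAccount attribute rather than the one being described. The sentence "These attributes are only stored with the sambaAccount entry if the values are non-default values" repeats the preceding paragraph word for word; drop one copy. The worked example uses the base "dc=samba,dc=org" while both LDIFs use "dc=plainjoe,dc=org"; pick one. Typos: "is the value is" should be "if the value is", "logons to the domain" should be "logs on to the domain", "This documents was" should be "This document was". On the security side: both LDIFs publish lmPassword and ntPassword values, and those hashes are password equivalents for NTLM authentication, so this section needs a sentence saying the directory ACL must deny read on those two attributes to everything except the DN Samba binds as (for OpenLDAP, an "access to attrs=lmPassword,ntPassword" rule ending in "by * none"); a reader who copies the example into a world-readable directory has published the passwords. Also, the second half of the sample lmPassword ("AAD3B435B51404EE") is the LM hash of an empty seven-byte block, so the sample password is seven characters or fewer; either pick a sample that does not show the weakness or use it to illustrate why lmPassword deserves the stricter ACL.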
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
index 53dae21775..7cf3e5735c 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -13,18 +13,13 @@
<orgname>Samba Team</orgname>
<address><email>dbannon@samba.org</email></address>
</affiliation>
- <firstname>John H</firstname><surname>Terpstra</surname>
- <affiliation>
- <orgname>Samba Team</orgname>
- <address><email>jht@samba.org</email></address>
- </affiliation>
</author>
<pubdate> (26 Apr 2001) </pubdate>
</chapterinfo>
<title>
-Samba as an NT4 or Win2k Primary Domain Controller
+How to Configure Samba as a NT4 Primary Domain Controller
</title>
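Review bot: this hunk drops John H. Terpstra from the chapter's author block with no explanation in the changeset; if the text still derives from his material, keep the second author entry or state in the commit why it goes. In the new title, "a NT4" should be "an NT4".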
@@ -42,7 +37,8 @@ that you are comfortable with configuring basic files services
in smb.conf and how to enable and administer password
encryption in Samba. Theses two topics are covered in the
<ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink>
-manpage.
+manpage and the <ulink url="ENCRYPTION.html">Encryption chapter</ulink>
+of this HOWTO Collection.
</para>
@@ -60,28 +56,46 @@ manpage.
Background
</title>
+<note>
<para>
-This article outlines the steps necessary for configuring Samba as a PDC.
-It is necessary to have a working Samba server prior to implementing the
-PDC functionality.
+<emphasis>Author's Note:</emphasis> This document is a combination
+of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
+Both documents are superseded by this one.
+</para>
+</note>
+
+<para>
+Versions of Samba prior to release 2.2 had marginal capabilities to act
+as a Windows NT 4.0 Primary Domain Controller
+<indexterm><primary>Primary Domain Controller</primary></indexterm>
+(PDC). With Samba 2.2.0, we are proud to announce official support for
+Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
+2000 clients. This article outlines the steps
+necessary for configuring Samba as a PDC. It is necessary to have a
+working Samba server prior to implementing the PDC functionality. If
+you have not followed the steps outlined in <ulink
+url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure
+that your server is configured correctly before proceeding. Another
+good resource in the <ulink url="smb.conf.5.html">smb.conf(5) man
+page</ulink>. The following functionality should work in 2.2:
</para>
<itemizedlist>
<listitem><para>
- domain logons for Windows NT 4.0 / 200x / XP Professional clients.
+ domain logons for Windows NT 4.0/2000 clients.
</para></listitem>
<listitem><para>
- placing Windows 9x / Me clients in user level security
+ placing a Windows 9x client in user level security
</para></listitem>
<listitem><para>
retrieving a list of users and groups from a Samba PDC to
- Windows 9x / Me / NT / 200x / XP Professional clients
+ Windows 9x/NT/2000 clients
</para></listitem>
<listitem><para>
- roaming user profiles
+ roving (roaming) user profiles
</para></listitem>
<listitem><para>
@@ -91,7 +105,7 @@ PDC functionality.
<para>
-The following functionalities are new to the Samba 3.0 release:
+The following pieces of functionality are not included in the 2.2 release:
</para>
<itemizedlist>
@@ -100,56 +114,42 @@ The following functionalities are new to the Samba 3.0 release:
</para></listitem>
<listitem><para>
- Adding users via the User Manager for Domains
- </para></listitem>
-</itemizedlist>
-
-<para>
-The following functionalities are NOT provided by Samba 3.0:
-</para>
-
-<itemizedlist>
- <listitem><para>
SAM replication with Windows NT 4.0 Domain Controllers
(i.e. a Samba PDC and a Windows NT BDC or vice versa)
</para></listitem>
<listitem><para>
+ Adding users via the User Manager for Domains
+ </para></listitem>
+
+ <listitem><para>
Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
Active Directory)
</para></listitem>
</itemizedlist>
<para>
-Please note that Windows 9x / Me / XP Home clients are not true members of a domain
+Please note that Windows 9x clients are not true members of a domain
for reasons outlined in this article. Therefore the protocol for
support Windows 9x-style domain logons is completely different
-from NT4 / Win2k type domain logons and has been officially supported for some
+from NT4 domain logons and has been officially supported for some
time.
</para>
-<para><emphasis>
-MS Windows XP Home edition is NOT able to join a domain and does not permit
-the use of domain logons.</emphasis>
-</para>
-
<para>
-Implementing a Samba PDC can basically be divided into 3 broad
+Implementing a Samba PDC can basically be divided into 2 broad
steps.
</para>
-<orderedlist numeration="arabic">
+<orderedlist numeration="Arabic">
<listitem><para>
Configuring the Samba PDC
</para></listitem>
<listitem><para>
- Creating machine trust accounts and joining clients to the domain
- </para></listitem>
-
- <listitem><para>
- Adding and managing domain user accounts
+ Creating machine trust accounts and joining clients
+ to the domain
</para></listitem>
</orderedlist>
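Review bot: numeration="Arabic" replaces the DocBook-defined value "arabic"; the DTD enumerates the lowercase tokens (arabic, loweralpha, lowerroman, upperalpha, upperroman), and while an SGML parser folds the case, an XML DocBook toolchain rejects the capitalised form, so keep "arabic". The hunk also removes the third step, "Adding and managing domain user accounts", and the note that Windows XP Home cannot join a domain; the XP Home statement is still true and costs one sentence, and without it readers with XP Home clients go looking for a join procedure that does not exist.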
@@ -157,7 +157,7 @@ steps.
There are other minor details such as user profiles, system
policies, etc... However, these are not necessarily specific
to a Samba PDC as much as they are related to Windows NT networking
-concepts.
+concepts. They will be mentioned only briefly here.
</para>
</sect1>
@@ -174,10 +174,11 @@ concepts.
<para>
The first step in creating a working Samba PDC is to
-understand the parameters necessary in smb.conf. Here we
-attempt to explain the parameters that are covered in
-<ulink url="smb.conf.5.html"> the smb.conf
-man page</ulink>.
+understand the parameters necessary in smb.conf. I will not
+attempt to re-explain the parameters here as they are more that
+adequately covered in <ulink url="smb.conf.5.html"> the smb.conf
+man page</ulink>. For convenience, the parameters have been
+linked with the actual smb.conf description.
</para>
<para>
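Review bot: "more that adequately covered" should read "more than adequately covered". The restored first-person "I will not attempt to re-explain" also sits oddly under the Author's Note above, which says the chapter merges two documents; the wording being removed ("Here we attempt to explain") was the safer voice for a combined text.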
@@ -208,7 +209,8 @@ Here is an example <filename>smb.conf</filename> for acting as a PDC:
; where to store user profiles?
<ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u
- ; where is a user's home directory and where should it be mounted at?
+ ; where is a user's home directory and where should it
+ ; be mounted at?
<ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
<ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
@@ -254,16 +256,20 @@ There are a couple of points to emphasize in the above configuration.
</itemizedlist>
<para>
-Samba 3.0 offers a complete implementation of group mapping
+As Samba 2.2 does not offer a complete implementation of group mapping
between Windows NT groups and Unix groups (this is really quite
-complicated to explain in a short space).
+complicated to explain in a short space), you should refer to the
+<ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain admin
+group</ulink> smb.conf parameter for information of creating "Domain
+Admins" style accounts.
</para>
</sect1>
<sect1>
-<title>Creating Machine Trust Accounts and Joining Clients to the Domain</title>
+<title>Creating Machine Trust Accounts and Joining Clients to the
+Domain</title>
<para>
A machine trust account is a Samba account that is used to
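Review bot: the new paragraph sends readers to the "domain admin group" parameter to create Domain Admins style accounts; that parameter belongs to the 2.2 series and was removed in Samba 3.0 in favour of group mapping (net groupmap), so a reader running 3.0 will have testparm report it as an unknown parameter and get no Domain Admins at all. If the chapter is deliberately scoped to 2.2, say so in the sentence; otherwise keep the group-mapping text this hunk deletes. Also "information of creating" should be "information on creating".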
@@ -276,65 +282,15 @@ The password of a machine trust account acts as the shared secret for
secure communication with the Domain Controller. This is a security
feature to prevent an unauthorized machine with the same NetBIOS name
from joining the domain and gaining access to domain user/group
-accounts. Windows NT, 200x, XP Professional clients use machine trust
-accounts, but Windows 9x / Me / XP Home clients do not. Hence, a
-Windows 9x / Me / XP Home client is never a true member of a domain
-because it does not possess a machine trust account, and thus has no
-shared secret with the domain controller.
+accounts. Windows NT and 2000 clients use machine trust accounts, but
+Windows 9x clients do not. Hence, a Windows 9x client is never a true
+member of a domain because it does not possess a machine trust
+account, and thus has no shared secret with the domain controller.
</para>
<para>A Windows PDC stores each machine trust account in the Windows
-Registry. A Samba-3 PDC also has to stoe machine trust account information
-in a suitable back-end data store. With Samba-3 there can be multiple back-ends
-for this including:
-</para>
-
-<itemizedlist>
- <listitem><para>
- <emphasis>smbpaswd</emphasis> - the plain ascii file stored used by
- earlier versions of Samba. This file configuration option requires
- a Unix/Linux system account for EVERY entry (ie: both for user and for
- machine accounts). This file will be located in the <emphasis>private</emphasis>
- directory (default is /usr/local/samba/lib/private or on linux /etc/samba).
- </para></listitem>
-
- <listitem><para>
- <emphasis>smbpasswd_nua</emphasis> - This file is independant of the
- system wide user accounts. The use of this back-end option requires
- specification of the "non unix account range" option also. It is called
- smbpasswd and will be located in the <filename>private</filename> directory.
- </para></listitem>
-
- <listitem><para>
- <emphasis>tdbsam</emphasis> - a binary database backend that will be
- stored in the <emphasis>private</emphasis> directory in a file called
- <emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
- file is that it can store binary objects that can not be accomodated
- in the traditional plain text smbpasswd file.
- </para></listitem>
-
- <listitem><para>
- <emphasis>tdbsam_nua</emphasis> like the smbpasswd_nua option above, this
- file allows the creation of arbitrary user and machine accounts without
- requiring that account to be added to the system (/etc/passwd) file. It
- too requires the specification of the "non unix account range" option
- in the [globals] section of the smb.conf file.
- </para></listitem>
-
- <listitem><para>
- <emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the
- LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com
- </para></listitem>
-
- <listitem><para>
- <emphasis>ldapsam_nua</emphasis> - LDAP based back-end with no unix
- account requirement, like smbpasswd_nua and tdbsam_nua above.
- </para></listitem>
-</itemizedlist>
-
-<para>
-A Samba PDC, however, stores each machine trust account in two parts,
-as follows:
+Registry. A Samba PDC, however, stores each machine trust account
+in two parts, as follows:
<itemizedlist>
<listitem><para>A Samba account, stored in the same location as user
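Review bot: this hunk deletes the entire passdb back-end list (smbpasswd, smbpasswd_nua, tdbsam, tdbsam_nua, ldapsam, ldapsam_nua) but leaves the following text saying the Samba half of a machine trust account is "stored in the same location as user" accounts, which the reader can no longer identify; keep at least one sentence naming the store (the "private" directory for smbpasswd and tdbsam, the directory server for ldapsam). That matters here because the paragraph just above calls the machine password "the shared secret for secure communication with the Domain Controller": the deleted text at least named the "private" directory so a reader could check its permissions, the replacement names nothing. The removal of the XP Home wording is consistent with the Background hunk; see the comment there on whether narrowing to "NT and 2000" is intended.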
@@ -470,7 +426,7 @@ be created manually.
<para><programlisting>
[global]
- # &lt;...remainder of parameters...&gt;
+ # <...remainder of parameters...>
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
</programlisting></para>
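Review bot: replacing "&lt;...remainder of parameters...&gt;" with a bare "<...remainder of parameters...>" inside programlisting only parses because SGML does not treat "<" followed by a non-name character as a tag open; an XML DocBook toolchain reports it as a well-formedness error, and the entity form being removed was correct in both. Keep the entities here, and likewise in the later "DOMAIN&lt;1c&gt;" and "&amp;" hunks in this file, unless the project has decided these sources are SGML-only.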
@@ -540,7 +496,7 @@ version of Windows.
</para>
<para>
- A 'machine name' in (typically) <filename>/etc/passwd</filename>
+ A 'machine name' in (typically) <filename>/etc/passwd</>
of the machine name with a '$' appended. FreeBSD (and other BSD
systems?) won't create a user with a '$' in their name.
</para>
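Review bot: "</filename>" to "</>" is an SGML empty end tag that XML does not allow, and the same substitution is applied to command, ulink and filename in several hunks below. The full end tags being removed were correct as they stood, so unless the intent is to freeze these files as SGML-only this trades portability of the documentation source for nothing.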
@@ -548,7 +504,7 @@ version of Windows.
<para>
The problem is only in the program used to make the entry, once
made, it works perfectly. So create a user without the '$' and
- use <command>vipw</command> to edit the entry, adding the '$'. Or create
+ use <command>vipw</> to edit the entry, adding the '$'. Or create
the whole entry with vipw if you like, make sure you use a
unique User ID !
</para>
@@ -717,8 +673,8 @@ Here are some additional details:
Policy Editor can be installed on an NT Workstation/Server, it will not
work with NT policies because the registry key that are set by the policy templates.
However, the files from the NT Server will run happily enough on an NTws.
- You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. It is convenient
- to put the two *.adm files in <filename>c:\winnt\inf</filename> which is where
+ You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient
+ to put the two *.adm files in <filename>c:\winnt\inf</> which is where
the binary will look for them unless told otherwise. Note also that that
directory is 'hidden'.
</para>
@@ -972,7 +928,7 @@ general SMB topics such as browsing.</para>
<listitem><para>See how Scott Merrill simulates a BDC behavior at
<ulink url="http://www.skippy.net/linux/smb-howto.html">
- http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem>
+ http://www.skippy.net/linux/smb-howto.html</>. </para></listitem>
<listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will
keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba">
@@ -1002,8 +958,8 @@ general SMB topics such as browsing.</para>
<para>
There are a number of Samba related mailing lists. Go to <ulink
url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror
- and then click on <command>Support</command> and then click on <command>
- Samba related mailing lists</command>.
+ and then click on <command>Support</> and then click on <command>
+ Samba related mailing lists</>.
</para>
<para>
@@ -1072,8 +1028,8 @@ general SMB topics such as browsing.</para>
<para>To have your name removed from a samba mailing list, go to the
same place you went to to get on it. Go to <ulink
url="http://lists.samba.org/">http://lists.samba.org</ulink>,
- click on your nearest mirror and then click on <command>Support</command> and
- then click on <command> Samba related mailing lists</command>. Or perhaps see
+ click on your nearest mirror and then click on <command>Support</> and
+ then click on <command> Samba related mailing lists</>. Or perhaps see
<ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink>
</para>
@@ -1156,7 +1112,7 @@ worthwhile lookingat how a Windows 9x/ME client performs a logon:
<listitem>
<para>
The client broadcasts (to the IP broadcast address of the subnet it is in)
- a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;1c&gt; at the
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
\\SERVER.
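Review bot: "DOMAIN<1c>" has the same XML well-formedness problem as the "&lt;...&gt;" hunk earlier in this file (SGML tolerates it only because "1" cannot start a tag name); keep "DOMAIN&lt;1c&gt;". Since the hunk touches this paragraph anyway, the sentence "The client chooses the first response it receives" is the security-relevant fact in this logon walk-through and deserves a clause of its own: any host on the broadcast subnet that answers the NetLogon request first is taken as the logon server, and because a Windows 9x client has no machine trust account (as the chapter says earlier) it has no shared secret with which to verify that server.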
@@ -1748,7 +1704,7 @@ contrast to w95, where it _does_ transfer / update profiles correctly].
<sect1>
<title>
-DOMAIN_CONTROL.txt : Windows NT Domain Control &amp; Samba
+DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
</title>
<warning>
diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml
index 5d0d388c08..1ff735a656 100644
--- a/docs/docbook/projdoc/UNIX_INSTALL.sgml
+++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml
@@ -3,30 +3,81 @@
<title>How to Install and Test SAMBA</title>
<sect1>
- <title>Obtaining and installing samba</title>
-
- <para>Binary packages of samba are included in almost any Linux or
- Unix distribution. There are also some packages available at
- <ulink url="http://samba.org/">the samba homepage</ulink>
- </para>
-
- <para>If you need to compile samba from source, check the
- appropriate appendix chapter.</para>
+ <title>Read the man pages</title>
+
+ <para>The man pages distributed with SAMBA contain
+ lots of useful info that will help to get you started.
+ If you don't know how to read man pages then try
+ something like:</para>
+
+ <para><prompt>$ </prompt><userinput>man smbd.8</userinput>
+ or
+ <prompt>$ </prompt><userinput>nroff -man smbd.8 | more
+ </userinput> on older unixes.</para>
+
+ <para>Other sources of information are pointed to
+ by the Samba web site,<ulink url="http://www.samba.org/">
+ http://www.samba.org</ulink></para>
</sect1>
<sect1>
- <title>Configuring samba</title>
+ <title>Building the Binaries</title>
+
+ <para>To do this, first run the program <command>./configure
+ </command> in the source directory. This should automatically
+ configure Samba for your operating system. If you have unusual
+ needs then you may wish to run</para>
+
+ <para><prompt>root# </prompt><userinput>./configure --help
+ </userinput></para>
+
+ <para>first to see what special options you can enable.
+ Then executing</para>
+
+ <para><prompt>root# </prompt><userinput>make</userinput></para>
+
+ <para>will create the binaries. Once it's successfully
+ compiled you can use </para>
+
+ <para><prompt>root# </prompt><userinput>make install</userinput></para>
+
+ <para>to install the binaries and manual pages. You can
+ separately install the binaries and/or man pages using</para>
+
+ <para><prompt>root# </prompt><userinput>make installbin
+ </userinput></para>
+
+ <para>and</para>
+
+ <para><prompt>root# </prompt><userinput>make installman
+ </userinput></para>
- <para>Samba's configuration is stored in the smb.conf file,
- that usually resides in <filename>/etc/samba/smb.conf</filename>
- or <filename>/usr/local/samba/lib/smb.conf</filename>. You can either
- edit this file yourself or do it using one of the many graphical
- tools that are available, such as the web-based interface swat, that
- is included with samba.</para>
+ <para>Note that if you are upgrading for a previous version
+ of Samba you might like to know that the old versions of
+ the binaries will be renamed with a ".old" extension. You
+ can go back to the previous version with</para>
+
+ <para><prompt>root# </prompt><userinput>make revert
+ </userinput></para>
-<sect2>
- <title>Editing the smb.conf file</title>
+ <para>if you find this version a disaster!</para>
+</sect1>
+
+<sect1>
+ <title>The all important step</title>
+ <para>At this stage you must fetch yourself a
+ coffee or other drink you find stimulating. Getting the rest
+ of the install right can sometimes be tricky, so you will
+ probably need it.</para>
+
+ <para>If you have installed samba before then you can skip
+ this step.</para>
+</sect1>
+
+<sect1>
+ <title>Create the smb configuration file. </title>
+
<para>There are sample configuration files in the examples
subdirectory in the distribution. I suggest you read them
carefully so you can see how the options go together in
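Review bot: the build steps show a "root# " prompt for ./configure and make, but nothing before "make install" needs privilege; configuring and compiling a freshly downloaded source tree as root means any mistake in the configure script or Makefiles runs as root. Show "$ ./configure" and "$ make" as an ordinary user and reserve the root prompt for make install, make installbin, make installman and make revert. The text being removed also told readers that binary packages exist and where smb.conf normally lives (/etc/samba/smb.conf or /usr/local/samba/lib/smb.conf); the replacement sends everyone through a source build and never says where the configuration file it then asks them to create should go. Minor: "upgrading for a previous version" should be "upgrading from a previous version".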
@@ -59,8 +110,9 @@
<para>For more information about security settings for the
[homes] share please refer to the document UNIX_SECURITY.txt.</para>
+</sect1>
-<sect3>
+<sect1>
<title>Test your config file with
<command>testparm</command></title>
@@ -75,27 +127,105 @@
<para>Always run testparm again when you change
<filename>smb.conf</filename>!</para>
-</sect3>
-</sect2>
+</sect1>
+
+<sect1>
+ <title>Starting the smbd and nmbd</title>
+
+ <para>You must choose to start smbd and nmbd either
+ as daemons or from <command>inetd</command>. Don't try
+ to do both! Either you can put them in <filename>
+ inetd.conf</filename> and have them started on demand
+ by <command>inetd</command>, or you can start them as
+ daemons either from the command line or in <filename>
+ /etc/rc.local</filename>. See the man pages for details
+ on the command line options. Take particular care to read
+ the bit about what user you need to be in order to start
+ Samba. In many cases you must be root.</para>
+
+ <para>The main advantage of starting <command>smbd</command>
+ and <command>nmbd</command> using the recommended daemon method
+ is that they will respond slightly more quickly to an initial connection
+ request.</para>
<sect2>
- <title>SWAT</title>
-
- <para>
- SWAT is a web-based interface that helps you configure samba.
- SWAT might not be available in the samba package on your platform,
- but in a seperate package. Please read the swat manpage
- on compiling, installing and configuring swat from source.
- </para>
-
- <para>To launch SWAT just run your favorite web browser and
- point it at "http://localhost:901/". Replace <replaceable>localhost</replaceable> with the name of the computer you are running samba on if you
- are running samba on a different computer then your browser.</para>
-
- <para>Note that you can attach to SWAT from any IP connected
- machine but connecting from a remote machine leaves your
- connection open to password sniffing as passwords will be sent
- in the clear over the wire. </para>
+ <title>Starting from inetd.conf</title>
+
+ <para>NOTE; The following will be different if
+ you use NIS or NIS+ to distributed services maps.</para>
+
+ <para>Look at your <filename>/etc/services</filename>.
+ What is defined at port 139/tcp. If nothing is defined
+ then add a line like this:</para>
+
+ <para><userinput>netbios-ssn 139/tcp</userinput></para>
+
+ <para>similarly for 137/udp you should have an entry like:</para>
+
+ <para><userinput>netbios-ns 137/udp</userinput></para>
+
+ <para>Next edit your <filename>/etc/inetd.conf</filename>
+ and add two lines something like this:</para>
+
+ <para><programlisting>
+ netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+ netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
+ </programlisting></para>
+
+ <para>The exact syntax of <filename>/etc/inetd.conf</filename>
+ varies between unixes. Look at the other entries in inetd.conf
+ for a guide.</para>
+
+ <para>NOTE: Some unixes already have entries like netbios_ns
+ (note the underscore) in <filename>/etc/services</filename>.
+ You must either edit <filename>/etc/services</filename> or
+ <filename>/etc/inetd.conf</filename> to make them consistent.</para>
+
+ <para>NOTE: On many systems you may need to use the
+ "interfaces" option in smb.conf to specify the IP address
+ and netmask of your interfaces. Run <command>ifconfig</command>
+ as root if you don't know what the broadcast is for your
+ net. <command>nmbd</command> tries to determine it at run
+ time, but fails on some unixes. See the section on "testing nmbd"
+ for a method of finding if you need to do this.</para>
+
+ <para>!!!WARNING!!! Many unixes only accept around 5
+ parameters on the command line in <filename>inetd.conf</filename>.
+ This means you shouldn't use spaces between the options and
+ arguments, or you should use a script, and start the script
+ from <command>inetd</command>.</para>
+
+ <para>Restart <command>inetd</command>, perhaps just send
+ it a HUP. If you have installed an earlier version of <command>
+ nmbd</command> then you may need to kill nmbd as well.</para>
+ </sect2>
+
+ <sect2>
+ <title>Alternative: starting it as a daemon</title>
+
+ <para>To start the server as a daemon you should create
+ a script something like this one, perhaps calling
+ it <filename>startsmb</filename>.</para>
+
+ <para><programlisting>
+ #!/bin/sh
+ /usr/local/samba/bin/smbd -D
+ /usr/local/samba/bin/nmbd -D
+ </programlisting></para>
+
+ <para>then make it executable with <command>chmod
+ +x startsmb</command></para>
+
+ <para>You can then run <command>startsmb</command> by
+ hand or execute it from <filename>/etc/rc.local</filename>
+ </para>
+
+ <para>To kill it send a kill signal to the processes
+ <command>nmbd</command> and <command>smbd</command>.</para>
+
+ <para>NOTE: If you use the SVR4 style init system then
+ you may like to look at the <filename>examples/svr4-startup</filename>
+ script to make Samba fit into that system.</para>
</sect2>
</sect1>
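Review bot: this hunk deletes the SWAT subsection together with its only security caveat, that connecting to SWAT on port 901 from another machine sends passwords in the clear; nothing in this changeset removes SWAT itself, so if SWAT is now documented elsewhere add a cross-reference here, otherwise the warning should survive the move. In the new inetd text, "NOTE; The following will be different if you use NIS or NIS+ to distributed services maps" should read "NOTE: ... to distribute services maps", and the "!!!WARNING!!!" paragraph about the five-parameter limit should say plainly what the reader is meant to do instead: keep all options in smb.conf rather than on the inetd command line, which is also why the example lines pass none.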
@@ -150,8 +280,6 @@
<para>Try printing. eg:</para>
-
-
<para><prompt>C:\WINDOWS\> </prompt><userinput>net use lpt1:
\\servername\spoolservice</userinput></para>
@@ -164,29 +292,90 @@
<sect1>
<title>What If Things Don't Work?</title>
- <para>Then you might read the file HOWTO chapter Diagnosis and the
+ <para>If nothing works and you start to think "who wrote
+ this pile of trash" then I suggest you do step 2 again (and
+ again) till you calm down.</para>
+
+ <para>Then you might read the file DIAGNOSIS.txt and the
FAQ. If you are still stuck then try the mailing list or
newsgroup (look in the README for details). Samba has been
successfully installed at thousands of sites worldwide, so maybe
someone else has hit your problem and has overcome it. You could
also use the WWW site to scan back issues of the samba-digest.</para>
- <para>When you fix the problem <emphasis>please</emphasis> send some
- updates of the documentation (or source code) to one of
- the documentation maintainers or the list.
- </para>
+ <para>When you fix the problem PLEASE send me some updates to the
+ documentation (or source code) so that the next person will find it
+ easier. </para>
<sect2>
+ <title>Diagnosing Problems</title>
+
+ <para>If you have installation problems then go to the
+ <ulink url="Diagnosis.html">Diagnosis</ulink> chapter to try to find the
+ problem.</para>
+ </sect2>
+
+ <sect2>
<title>Scope IDs</title>
<para>By default Samba uses a blank scope ID. This means
all your windows boxes must also have a blank scope ID.
If you really want to use a non-blank scope ID then you will
need to use the 'netbios scope' smb.conf option.
- All your PCs will need to have the same setting for
+ All your PCs will need to have the same setting for
this to work. I do not recommend scope IDs.</para>
</sect2>
+
+ <sect2>
+ <title>Choosing the Protocol Level</title>
+
+ <para>The SMB protocol has many dialects. Currently
+ Samba supports 5, called CORE, COREPLUS, LANMAN1,
+ LANMAN2 and NT1.</para>
+
+ <para>You can choose what maximum protocol to support
+ in the <filename>smb.conf</filename> file. The default is
+ NT1 and that is the best for the vast majority of sites.</para>
+
+ <para>In older versions of Samba you may have found it
+ necessary to use COREPLUS. The limitations that led to
+ this have mostly been fixed. It is now less likely that you
+ will want to use less than LANMAN1. The only remaining advantage
+ of COREPLUS is that for some obscure reason WfWg preserves
+ the case of passwords in this protocol, whereas under LANMAN1,
+ LANMAN2 or NT1 it uppercases all passwords before sending them,
+ forcing you to use the "password level=" option in some cases.</para>
+
+ <para>The main advantage of LANMAN2 and NT1 is support for
+ long filenames with some clients (eg: smbclient, Windows NT
+ or Win95). </para>
+
+ <para>See the smb.conf(5) manual page for more details.</para>
+
+ <para>Note: To support print queue reporting you may find
+ that you have to use TCP/IP as the default protocol under
+ WfWg. For some reason if you leave Netbeui as the default
+ it may break the print queue reporting on some systems.
+ It is presumably a WfWg bug.</para>
+ </sect2>
+
+ <sect2>
+ <title>Printing from UNIX to a Client PC</title>
+
+ <para>To use a printer that is available via a smb-based
+ server from a unix host with LPR you will need to compile the
+ smbclient program. You then need to install the script
+ "smbprint". Read the instruction in smbprint for more details.
+ </para>
+
+ <para>There is also a SYSV style script that does much
+ the same thing called smbprint.sysv. It contains instructions.</para>
+
+ <para>See the CUPS manual for information about setting up
+ printing from a unix host with CUPS to a smb-based server. </para>
+ </sect2>
+
<sect2>
<title>Locking</title>
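Review bot: "do step 2 again" refers to a numbered step that no longer exists; the coffee break is now the section "The all important step", so name it. The next sentence points at "the file DIAGNOSIS.txt" while the "Diagnosing Problems" subsection added just below links to the Diagnosis.html chapter, and the line being replaced had already fixed exactly this, so the hunk reintroduces a stale reference. "PLEASE send me some updates" has no identifiable "me" in a collection with shared authorship; the removed wording ("one of the documentation maintainers or the list") was right. In "Choosing the Protocol Level", the advice to reach for "password level=" needs a caveat: that option makes smbd retry the supplied password with up to N characters flipped in case, so any value above 0 widens the set of strings accepted for an account; present it as a compatibility workaround for WfWg's uppercasing, not as a default setting.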
@@ -243,5 +432,14 @@
<!-- FIXME: Sync this with oplocks.sgml -->
</sect2>
+
+ <sect2>
+ <title>Mapping Usernames</title>
+
+ <para>If you have different usernames on the PCs and
+ the unix server then take a look at the "username map" option.
+ See the smb.conf man page for details.</para>
+ </sect2>
+
</sect1>
</chapter>
diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml
index a86cd74235..6e1609460f 100644
--- a/docs/docbook/projdoc/msdfs_setup.sgml
+++ b/docs/docbook/projdoc/msdfs_setup.sgml
@@ -4,7 +4,7 @@
<author>
<firstname>Shirish</firstname><surname>Kalele</surname>
<affiliation>
- <orgname>Samba Team &amp; Veritas Software</orgname>
+ <orgname>Samba Team & Veritas Software</orgname>
<address>
<email>samba@samba.org</email>
</address>
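Review bot: "&amp;" to a bare "&" inside orgname relies on SGML treating "&" followed by white space as data; an XML parser reports it as a malformed entity reference. The entity form being removed was correct, so revert it, consistent with the same substitution made in Samba-PDC-HOWTO.sgml in this changeset.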
diff --git a/docs/docbook/projdoc/pdb_mysql.sgml b/docs/docbook/projdoc/pdb_mysql.sgml
new file mode 100644
index 0000000000..59a134a15f
--- /dev/null
+++ b/docs/docbook/projdoc/pdb_mysql.sgml
@@ -0,0 +1,146 @@
+<chapter id="pdb-mysql">
+<chapterinfo>
+ <author>
+ <firstname>Jelmer</firstname><surname>Vernooij</surname>
+ <affiliation>
+ <orgname>The Samba Team</orgname>
+ <address><email>jelmer@samba.org</email></address>
+ </affiliation>
+ </author>
+ <pubdate>November 2002</pubdate>
+</chapterinfo>
+
+<title>Passdb MySQL plugin</title>
+
+<sect1>
+<title>Building</title>
+
+<para>To build the plugin, run <command>make bin/pdb_mysql.so</command>
+in the <filename>source/</filename> directory of samba distribution.
+</para>
+
+<para>Next, copy pdb_mysql.so to any location you want. I
+strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para>
+
+</sect1>
+
+<sect1>
+<title>Configuring</title>
+
+<para>This plugin lacks some good documentation, but here is some short info:</para>
+
+<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>:
+<programlisting>
+passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]
+</programlisting>
+</para>
+
+<para>The identifier can be any string you like, as long as it doesn't collide with
+the identifiers of other plugins or other instances of pdb_mysql. If you
+specify multiple pdb_mysql.so entries in 'passdb backend', you also need to
+use different identifiers!
+</para>
+
+<para>
+Additional options can be given thru the smb.conf file in the [global] section.
+</para>
+
+<para><programlisting>
+identifier:mysql host - host name, defaults to 'localhost'
+identifier:mysql password
+identifier:mysql user - defaults to 'samba'
+identifier:mysql database - defaults to 'samba'
+identifier:mysql port - defaults to 3306
+identifier:table - Name of the table containing users
+</programlisting></para>
+
+<para>
+<emphasis>
+WARNING: since the password for the mysql user is stored in the
+smb.conf file, you should make the the smb.conf file
+readable only to the user that runs samba. This is considered a security
+bug and will be fixed soon.</emphasis>
+</para>
+
+<para>Names of the columns in this table(I've added column types those columns should have first):</para>
+
+<para><programlisting>
+identifier:logon time column - int(9)
+identifier:logoff time column - int(9)
+identifier:kickoff time column - int(9)
+identifier:pass last set time column - int(9)
+identifier:pass can change time column - int(9)
+identifier:pass must change time column - int(9)
+identifier:username column - varchar(255) - unix username
+identifier:domain column - varchar(255) - NT domain user is part of
+identifier:nt username column - varchar(255) - NT username
+identifier:fullname column - varchar(255) - Full name of user
+identifier:home dir column - varchar(255) - Unix homedir path
+identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:')
+identifier:logon script column - varchar(255) - Batch file to run on client side when logging on
+identifier:profile path column - varchar(255) - Path of profile
+identifier:acct desc column - varchar(255) - Some ASCII NT user data
+identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all)
+identifier:unknown string column - varchar(255) - unknown string
+identifier:munged dial column - varchar(255) - ?
+identifier:uid column - int(9) - Unix user ID (uid)
+identifier:gid column - int(9) - Unix user group (gid)
+identifier:user sid column - varchar(255) - NT user SID
+identifier:group sid column - varchar(255) - NT group ID
+identifier:lanman pass column - varchar(255) - encrypted lanman password
+identifier:nt pass column - varchar(255) - encrypted nt passwd
+identifier:plain pass column - varchar(255) - plaintext password
+identifier:acct control column - int(9) - nt user data
+identifier:unknown 3 column - int(9) - unknown
+identifier:logon divs column - int(9) - ?
+identifier:hours len column - int(9) - ?
+identifier:unknown 5 column - int(9) - unknown
+identifier:unknown 6 column - int(9) - unknown
+</programlisting></para>
+
+<para>
+Eventually, you can put a colon (:) after the name of each column, which
+should specify the column to update when updating the table. You can also
+specify nothing behind the colon - then the data from the field will not be
+updated.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Using plaintext passwords or encrypted password</title>
+
+<para>
+I strongly discourage the use of plaintext passwords, however, you can use them:
+</para>
+
+<para>
+If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords.
+</para>
+
+<para>
+If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Getting non-column data from the table</title>
+
+<para>
+It is possible to have not all data in the database and making some 'constant'.
+</para>
+
+<para>
+For example, you can set 'identifier:fullname column' to :
+<command>CONCAT(First_name,' ',Sur_name)</command>
+</para>
+
+<para>
+Or, set 'identifier:workstations column' to :
+<command>NULL</command></para>
+
+<para>See the MySQL documentation for more language constructs.</para>
+
+</sect1>
+</chapter>
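Review bot: the "Getting non-column data" section shows that an `identifier:... column` setting may be an SQL expression such as `CONCAT(First_name,' ',Sur_name)` or `NULL`, so these smb.conf values are SQL fragments rather than bare column names. The Configuring section should say so next to the `identifier:mysql password` line (the one option with no description), and extend the existing warning: smb.conf must be writable only by root and, as already stated, readable only by the user samba runs as, since both the database password and the query text come from it. Smaller fixes in the same hunk: 'Add a the following' -> 'Add the following', 'thru' -> 'through', 'the the smb.conf file' -> 'the smb.conf file', and a space in 'table(I've'.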
diff --git a/docs/docbook/projdoc/pdb_xml.sgml b/docs/docbook/projdoc/pdb_xml.sgml
new file mode 100644
index 0000000000..87afb7b401
--- /dev/null
+++ b/docs/docbook/projdoc/pdb_xml.sgml
@@ -0,0 +1,42 @@
+<chapter id="pdb-xml">
+<chapterinfo>
+ <author>
+ <firstname>Jelmer</firstname><surname>Vernooij</surname>
+ <affiliation>
+ <orgname>The Samba Team</orgname>
+ <address><email>jelmer@samba.org</email></address>
+ </affiliation>
+ </author>
+ <pubdate>November 2002</pubdate>
+</chapterinfo>
+
+<title>Passdb XML plugin</title>
+
+<sect1>
+<title>Building</title>
+
+<para>This module requires libxml2 to be installed.</para>
+
+<para>To build pdb_xml, run: <command>make bin/pdb_xml.so</command> in
+the directory <filename>source/</filename>. </para>
+
+</sect1>
+
+<sect1>
+<title>Usage</title>
+
+<para>The usage of pdb_xml is pretty straightforward. To export data, use:
+
+<command>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</command>
+
+(where filename is the name of the file to put the data in)
+</para>
+
+<para>
+To import data, use:
+<command>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</command>
+
+Where filename is the name to read the data from and current-pdb to put it in.
+</para>
+</sect1>
+</chapter>
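Review bot: the Usage section should state that the file written by `pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename` holds the complete passdb records, including the LanMan and NT password hashes listed as `lanman pass column` and `nt pass column` in the MySQL chapter above, so it must be created with the same restrictive permissions as the existing passdb and deleted once a migration is done. The import sentence 'Where filename is the name to read the data from and current-pdb to put it in' also needs rewording, e.g. 'where filename is the file to read from and current-pdb is the backend to import into'.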
diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml
index 8d15e437b2..7bca8dc6f5 100644
--- a/docs/docbook/projdoc/printer_driver2.sgml
+++ b/docs/docbook/projdoc/printer_driver2.sgml
@@ -409,8 +409,8 @@ echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP
echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP
echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP
-touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&amp;1
-chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&amp;1
+touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1
+chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1
mkdir /var/spool/lpd/$2
chmod 700 /var/spool/lpd/$2
@@ -757,7 +757,7 @@ be:
/usr/bin/id -p >/tmp/tmp.print
# we run the command and save the error messages
# replace the command with the one appropriate for your system
- /usr/bin/lpr -r -P$1 $2 2>>&amp;/tmp/tmp.print
+ /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print
</programlisting></para>
<para>
diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml
index 1a2e285596..8cf16478c8 100644
--- a/docs/docbook/projdoc/samba-doc.sgml
+++ b/docs/docbook/projdoc/samba-doc.sgml
@@ -1,15 +1,17 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
<!ENTITY UNIX-INSTALL SYSTEM "UNIX_INSTALL.sgml">
+<!ENTITY ENCRYPTION SYSTEM "ENCRYPTION.sgml">
<!ENTITY MS-Dfs-Setup SYSTEM "msdfs_setup.sgml">
<!ENTITY PRINTER-DRIVER2 SYSTEM "printer_driver2.sgml">
<!ENTITY DOMAIN-MEMBER SYSTEM "DOMAIN_MEMBER.sgml">
<!ENTITY WINBIND SYSTEM "winbind.sgml">
<!ENTITY NT-Security SYSTEM "NT_Security.sgml">
-<!ENTITY ServerType SYSTEM "ServerType.sgml">
<!ENTITY Samba-PDC-HOWTO SYSTEM "Samba-PDC-HOWTO.sgml">
<!ENTITY Samba-BDC-HOWTO SYSTEM "Samba-BDC-HOWTO.sgml">
+<!ENTITY CVS-Access SYSTEM "CVS-Access.sgml">
<!ENTITY IntegratingWithWindows SYSTEM "Integrating-with-Windows.sgml">
<!ENTITY Samba-PAM SYSTEM "PAM-Authentication-And-Samba.sgml">
+<!ENTITY Samba-LDAP SYSTEM "Samba-LDAP-HOWTO.sgml">
<!ENTITY Diagnosis SYSTEM "Diagnosis.sgml">
<!ENTITY BUGS SYSTEM "Bugs.sgml">
<!ENTITY SECURITY-LEVEL SYSTEM "security_level.sgml">
@@ -20,13 +22,9 @@
<!ENTITY Portability SYSTEM "Portability.sgml">
<!ENTITY Other-Clients SYSTEM "Other-Clients.sgml">
<!ENTITY ADS-HOWTO SYSTEM "ADS-HOWTO.sgml">
-<!ENTITY Passdb SYSTEM "passdb.sgml">
+<!ENTITY pdb-mysql SYSTEM "pdb_mysql.sgml">
+<!ENTITY pdb-xml SYSTEM "pdb_xml.sgml">
<!ENTITY VFS SYSTEM "VFS.sgml">
-<!ENTITY GroupProfiles SYSTEM "GroupProfiles.sgml">
-<!ENTITY SecuringSamba SYSTEM "securing-samba.sgml">
-<!ENTITY Compiling SYSTEM "Compiling.sgml">
-<!ENTITY unicode SYSTEM "unicode.sgml">
-<!ENTITY CUPS SYSTEM "CUPS-printing.sgml">
]>
<book id="Samba-HOWTO-Collection">
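Review bot: besides declaring the new chapters, this hunk and the three below it drop six existing ones from the book: `securing-samba.sgml`, `CUPS-printing.sgml`, `Compiling.sgml`, `unicode.sgml`, `GroupProfiles.sgml` and `ServerType.sgml`. Nothing in this diff removes or replaces those files, so unless the removal is intentional the `<!ENTITY ...>` declarations and the matching `&SecuringSamba;`, `&CUPS;`, `&Compiling;`, `&unicode;`, `&GroupProfiles;` and `&ServerType;` references should be kept; losing the securing-samba chapter in particular takes the hardening guidance out of the collection.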
@@ -80,8 +78,9 @@ and how to configure the parts of samba you will most likely need.
PLEASE read this.</para>
</partintro>
&UNIX-INSTALL;
+&BROWSING;
&BROWSING-Quick;
-&Passdb;
+&ENCRYPTION;
</part>
<part id="type">
@@ -93,7 +92,6 @@ Samba can operate in various SMB networks. This part contains information on con
for various environments.
</para>
</partintro>
-&ServerType;
&SECURITY-LEVEL;
&Samba-PDC-HOWTO;
&Samba-BDC-HOWTO;
@@ -113,22 +111,20 @@ part each cover one specific feature.</para>
&Samba-PAM;
&MS-Dfs-Setup;
&PRINTER-DRIVER2;
-&CUPS;
&WINBIND;
-&BROWSING;
+&pdb-mysql;
+&pdb-xml;
&VFS;
+&Samba-LDAP;
+&CVS-Access;
&GROUP-MAPPING-HOWTO;
&SPEED;
-&GroupProfiles;
-&SecuringSamba;
-&unicode;
</part>
<part id="Appendixes">
<title>Appendixes</title>
&Portability;
&Other-Clients;
-&Compiling;
&BUGS;
&Diagnosis;
</part>
diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml
index 00dcc6e83b..e2d9cfbbaa 100644
--- a/docs/docbook/projdoc/security_level.sgml
+++ b/docs/docbook/projdoc/security_level.sgml
@@ -9,7 +9,7 @@
</author>
</chapterinfo>
-<title>Samba as Stand-Alone server (User and Share security level)</title>
+<title>User and Share security level (for servers not in a domain)</title>
<para>
A SMB server tells the client at startup what "security level" it is
diff --git a/docs/docbook/projdoc/upgrading-to-3.0.sgml b/docs/docbook/projdoc/upgrading-to-3.0.sgml
index f227556151..5b6b8dd635 100644
--- a/docs/docbook/projdoc/upgrading-to-3.0.sgml
+++ b/docs/docbook/projdoc/upgrading-to-3.0.sgml
@@ -16,24 +16,4 @@ FIXME
</sect1>
-<sect1>
-<title>Obsolete configuration options</title>
-
-<para>
-In 3.0, the following configuration options have been removed.
-</para>
-
-<simplelist>
-<member>printer driver</member>
-<member>printer driver file</member>
-<member>printer driver location</member>
-<member>use rhosts</member>
-<member>postscript</member>
-</simplelist>
-
-<para>The first three options have been replaced by new driver procedures.
-Please read the printing documentation.</para>
-
-</sect1>
-
</chapter>
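Review bot: deleting the 'Obsolete configuration options' sect1 leaves upgrading-to-3.0.sgml without the list of parameters removed in 3.0 (`printer driver`, `printer driver file`, `printer driver location`, `use rhosts`, `postscript`), which is exactly what someone upgrading an existing smb.conf needs to check. If the list has moved to the printing documentation the hunk should leave a pointer to it rather than drop the section outright.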
diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml
index 2d38ea44d4..d2bfb8ab67 100644
--- a/docs/docbook/projdoc/winbind.sgml
+++ b/docs/docbook/projdoc/winbind.sgml
@@ -2,7 +2,6 @@
<chapterinfo>
- <authorgroup>
<author>
<firstname>Tim</firstname><surname>Potter</surname>
<affiliation>
@@ -11,7 +10,7 @@
</affiliation>
</author>
<author>
- <firstname>Andrew</firstname><surname>Tridgell</surname>
+ <firstname>Andrew</firstname><surname>Trigdell</surname>
<affiliation>
<orgname>Samba Team</orgname>
<address><email>tridge@linuxcare.com.au</email></address>
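Review bot: the surname change from 'Tridgell' to 'Trigdell' is a misspelling; the e-mail address `tridge@linuxcare.com.au` two lines below shows the original was right, so this line should not be touched.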
@@ -36,7 +35,6 @@
<address><email>jelmer@nl.linux.org</email></address>
</affiliation>
</author>
- </authorgroup>
<pubdate>27 June 2002</pubdate>
</chapterinfo>
@@ -175,7 +173,7 @@
<sect2>
<title>Microsoft Remote Procedure Calls</title>
- <para>Over the last few years, efforts have been underway
+ <para>Over the last two years, efforts have been underway
by various Samba Team members to decode various aspects of
the Microsoft Remote Procedure Call (MSRPC) system. This
system is used for most network related operations between
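Review bot: 'Over the last two years' dates the paragraph and will be wrong by the next release; the original 'Over the last few years' is the safer wording and should stay.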
@@ -194,21 +192,6 @@
</sect2>
<sect2>
- <title>Microsoft Active Directory Services</title>
-
- <para>
- Since late 2001, Samba has gained the ability to
- interact with Microsoft Windows 2000 using its 'Native
- Mode' protocols, rather than the NT4 RPC services.
- Using LDAP and Kerberos, a domain member running
- winbind can enumerate users and groups in exactly the
- same way as a Win2k client would, and in so doing
- provide a much more efficient and
- effective winbind implementation.
- </para>
- </sect2>
-
- <sect2>
<title>Name Service Switch</title>
<para>The Name Service Switch, or NSS, is a feature that is
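Review bot: the removed 'Microsoft Active Directory Services' sect2 is the text that explains winbind talking to Windows 2000 over LDAP and Kerberos instead of NT4 RPC; since samba-doc.sgml still includes `ADS-HOWTO.sgml`, a short cross-reference to that chapter should replace the deleted paragraph rather than leaving the list of mechanisms end at MSRPC.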
@@ -351,6 +334,15 @@ to control access and authenticate users on your Linux box using
the winbind services which come with SAMBA 2.2.2.
</para>
+<para>
+There is also some Solaris specific information in
+<filename>docs/textdocs/Solaris-Winbind-HOWTO.txt</filename>.
+Future revisions of this document will incorporate that
+information.
+</para>
+
+
+
<sect2>
<title>Introduction</title>
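Review bot: three empty lines follow the new `</para>` before `<sect2>`; one is enough, matching the spacing used elsewhere in the file.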
@@ -472,7 +464,7 @@ whether or not you have previously built the Samba binaries.
<prompt>root#</prompt> <command>autoconf</command>
<prompt>root#</prompt> <command>make clean</command>
<prompt>root#</prompt> <command>rm config.cache</command>
-<prompt>root#</prompt> <command>./configure</command>
+<prompt>root#</prompt> <command>./configure --with-winbind</command>
<prompt>root#</prompt> <command>make</command>
<prompt>root#</prompt> <command>make install</command>
</programlisting></para>
@@ -560,7 +552,7 @@ include the following entries in the [global] section:
<para><programlisting>
[global]
- &lt;...&gt;
+ <...>
# separate domain and username with '+', like DOMAIN+username
<ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = +
# use uids from 10000 to 20000 for domain users
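Review bot: `&lt;...&gt;` inside the `<programlisting>` should stay escaped; `<...>` is only tolerated because SGML does not treat `<` followed by `.` as a tag opener, and it is ill-formed in XML DocBook. Same objection as to the `&amp;` unescaping in msdfs_setup.sgml.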
@@ -590,7 +582,7 @@ a domain user who has administrative privileges in the domain.
<para>
-<prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command>
+<prompt>root#</prompt> <command>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</command>
</para>
@@ -619,19 +611,6 @@ command as root:
</para>
<para>
-Winbindd can now also run in 'dual daemon mode'. This will make it
-run as 2 processes. The first will answer all requests from the cache,
-thus making responses to clients faster. The other will
-update the cache for the query that the first has just responded.
-Advantage of this is that responses stay accurate and are faster.
-You can enable dual daemon mode by adding '-B' to the commandline:
-</para>
-
-<para>
-<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd -B</command>
-</para>
-
-<para>
I'm always paranoid and like to make sure the daemon
is really running...
</para>
@@ -754,28 +733,15 @@ start() {
daemon /usr/local/samba/bin/winbindd
RETVAL3=$?
echo
- [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; touch /var/lock/subsys/smb || \
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
RETVAL=1
return $RETVAL
}
</programlisting></para>
-<para>If you would like to run winbindd in dual daemon mode, replace
-the line
-<programlisting>
- daemon /usr/local/samba/bin/winbindd
-</programlisting>
-
-in the example above with:
-
-<programlisting>
- daemon /usr/local/samba/bin/winbindd -B
-</programlisting>.
-</para>
-
<para>
The 'stop' function has a corresponding entry to shut down the
-services and looks like this:
+services and look s like this:
</para>
<para><programlisting>
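Review bot: the last change in this hunk replaces 'looks like this' with 'look s like this', introducing a typo; keep the original line. The `&amp;&amp;` -> `&&` change at the top of the hunk has the same escaping problem already noted for msdfs_setup.sgml.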
@@ -794,7 +760,7 @@ stop() {
echo -n $"Shutting down $KIND services: "
killproc winbindd
RETVAL3=$?
- [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; rm -f /var/lock/subsys/smb
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
echo ""
return $RETVAL
}
@@ -825,7 +791,7 @@ killproc() { # kill the named process(es)
pid=`/usr/bin/ps -e |
/usr/bin/grep -w $1 |
/usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
- [ "$pid" != "" ] &amp;&amp; kill $pid
+ [ "$pid" != "" ] && kill $pid
}
# Start/stop processes required for samba server
@@ -859,19 +825,6 @@ echo Starting Winbind Daemon
;;
esac
</programlisting></para>
-
-<para>Again, if you would like to run samba in dual daemon mode, replace
-<programlisting>
- /usr/local/samba/bin/winbindd
-</programlisting>
-
-in the script above with:
-
-<programlisting>
- /usr/local/samba/bin/winbindd -B
-</programlisting>
-</para>
-
</sect4>
<sect4>
@@ -1089,7 +1042,7 @@ annoying double prompts for passwords.
</para>
<para>
-Now restart your Samba and try connecting through your application that you
+Now restart your Samba & try connecting through your application that you
configured in the pam.conf.
</para>
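Review bot: 'Samba & try connecting' reads worse than 'Samba and try connecting' and puts a bare `&` into `<para>` text; keep the original wording.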
@@ -1110,7 +1063,7 @@ configured in the pam.conf.
<itemizedlist>
<listitem><para>Winbind is currently only available for
- the Linux, Solaris and IRIX operating systems, although ports to other operating
+ the Linux operating system, although ports to other operating
systems are certainly possible. For such ports to be feasible,
we require the C library of the target operating system to
support the Name Service Switch and Pluggable Authentication
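Review bot: narrowing 'the Linux, Solaris and IRIX operating systems' to 'the Linux operating system' contradicts the paragraph this same diff adds earlier in the chapter, which points to `docs/textdocs/Solaris-Winbind-HOWTO.txt` for Solaris-specific winbind information; keep the original list.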
@@ -1126,8 +1079,7 @@ configured in the pam.conf.
<listitem><para>Currently the winbind PAM module does not take
into account possible workstation and logon time restrictions
- that may be been set for Windows NT users, this is
- instead up to the PDC to enforce.</para></listitem>
+ that may be been set for Windows NT users.</para></listitem>
</itemizedlist>
</sect1>
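Review bot: the deleted clause 'this is instead up to the PDC to enforce' is the useful half of this limitation: it tells an administrator that workstation and logon-time restrictions are not lost but have to be relied on at the PDC rather than in the winbind PAM module. Keep it, and while touching the line fix the pre-existing 'may be been set' to 'may have been set'.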