summaryrefslogtreecommitdiff
path: root/docs/docbook/projdoc
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook/projdoc')
-rw-r--r--docs/docbook/projdoc/CVS-Access.sgml157
-rw-r--r--docs/docbook/projdoc/ENCRYPTION.sgml189
2 files changed, 346 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/CVS-Access.sgml b/docs/docbook/projdoc/CVS-Access.sgml
new file mode 100644
index 0000000000..98ef925f20
--- /dev/null
+++ b/docs/docbook/projdoc/CVS-Access.sgml
@@ -0,0 +1,157 @@
+<chapter id="cvs-access">
+
+
+<chapterinfo>
+ <author>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ </affiliation>
+ </author>
+
+
+ <pubdate> (22 May 2001) </pubdate>
+</chapterinfo>
+
+<title>HOWTO Access Samba source code via CVS</title>
+
+<sect1>
+<title>Introduction</title>
+
+<para>
+Samba is developed in an open environment. Developers use CVS
+(Concurrent Versioning System) to "checkin" (also known as
+"commit") new source code. Samba's various CVS branches can
+be accessed via anonymous CVS using the instructions
+detailed in this chapter.
+</para>
+
+<para>
+This document is a modified version of the instructions found at
+<ulink url="http://samba.org/samba/cvs.html">http://samba.org/samba/cvs.html</ulink>
+</para>
+
+</sect1>
+
+
+<sect1>
+<title>CVS Access to samba.org</title>
+
+<para>
+The machine samba.org runs a publicly accessible CVS
+repository for access to the source code of several packages,
+including samba, rsync and jitterbug. There are two main ways of
+accessing the CVS server on this host.
+</para>
+
+<sect2>
+<title>Access via CVSweb</title>
+
+<para>
+You can access the source code via your
+favourite WWW browser. This allows you to access the contents of
+individual files in the repository and also to look at the revision
+history and commit logs of individual files. You can also ask for a diff
+listing between any two versions on the repository.
+</para>
+
+<para>
+Use the URL : <ulink
+url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb</ulink>
+</para>
+</sect2>
+
+<sect2>
+<title>Access via cvs</title>
+
+<para>
+You can also access the source code via a
+normal cvs client. This gives you much more control over you can
+do with the repository and allows you to checkout whole source trees
+and keep them up to date via normal cvs commands. This is the
+preferred method of access if you are a developer and not
+just a casual browser.
+</para>
+
+<para>
+To download the latest cvs source code, point your
+browser at the URL : <ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>.
+and click on the 'How to get cvs' link. CVS is free software under
+the GNU GPL (as is Samba). Note that there are several graphical CVS clients
+which provide a graphical interface to the sometimes mundane CVS commands.
+Links to theses clients are also available from http://www.cyclic.com.
+</para>
+
+<para>
+To gain access via anonymous cvs use the following steps.
+For this example it is assumed that you want a copy of the
+samba source code. For the other source code repositories
+on this system just substitute the correct package name
+</para>
+
+<orderedlist>
+<listitem>
+ <para>
+ Install a recent copy of cvs. All you really need is a
+ copy of the cvs client binary.
+ </para>
+</listitem>
+
+
+<listitem>
+ <para>
+ Run the command
+ </para>
+
+ <para>
+ <command>cvs -d :pserver:cvs@samba.org:/cvsroot login</command>
+ </para>
+
+ <para>
+ When it asks you for a password type <userinput>cvs</userinput>.
+ </para>
+</listitem>
+
+
+<listitem>
+ <para>
+ Run the command
+ </para>
+
+ <para>
+ <command>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</command>
+ </para>
+
+ <para>
+ This will create a directory called samba containing the
+ latest samba source code (i.e. the HEAD tagged cvs branch). This
+ currently corresponds to the 3.0 development tree.
+ </para>
+
+ <para>
+ CVS branches other HEAD can be obtained by using the <parameter>-r</parameter>
+ and defining a tag name. A list of branch tag names can be found on the
+ "Development" page of the samba web site. A common request is to obtain the
+ latest 2.2 release code. This could be done by using the following command.
+ </para>
+
+ <para>
+ <command>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</command>
+ </para>
+</listitem>
+
+<listitem>
+ <para>
+ Whenever you want to merge in the latest code changes use
+ the following command from within the samba directory:
+ </para>
+
+ <para>
+ <command>cvs update -d -P</command>
+ </para>
+</listitem>
+</orderedlist>
+
+</sect2>
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml
new file mode 100644
index 0000000000..f903d7d334
--- /dev/null
+++ b/docs/docbook/projdoc/ENCRYPTION.sgml
@@ -0,0 +1,189 @@
+<chapter id="pwencrypt">
+
+
+<chapterinfo>
+ <author>
+ <firstname>Jeremy</firstname><surname>Allison</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jra@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+ <author>
+ <firstname>Jelmer</firstname><surname>Vernooij</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jelmer@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+ <pubdate>4 November 2002</pubdate>
+</chapterinfo>
+
+<title>LanMan and NT Password Encryption in Samba</title>
+
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>Newer windows clients send encrypted passwords over
+ the wire, instead of plain text passwords. The newest clients
+ will only send encrypted passwords and refuse to send plain text
+ passwords, unless their registry is tweaked.</para>
+
+ <para>These passwords can't be converted to unix style encrypted
+ passwords. Because of that you can't use the standard unix
+ user database, and you have to store the Lanman and NT hashes
+ somewhere else. For more information, see the documentation
+ about the <command>passdb backend = </command> parameter.
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>Important Notes About Security</title>
+
+ <para>The unix and SMB password encryption techniques seem similar
+ on the surface. This similarity is, however, only skin deep. The unix
+ scheme typically sends clear text passwords over the network when
+ logging in. This is bad. The SMB encryption scheme never sends the
+ cleartext password over the network but it does store the 16 byte
+ hashed values on disk. This is also bad. Why? Because the 16 byte hashed
+ values are a "password equivalent". You cannot derive the user's
+ password from them, but they could potentially be used in a modified
+ client to gain access to a server. This would require considerable
+ technical knowledge on behalf of the attacker but is perfectly possible.
+ You should thus treat the smbpasswd file as though it contained the
+ cleartext passwords of all your users. Its contents must be kept
+ secret, and the file should be protected accordingly.</para>
+
+ <para>Ideally we would like a password scheme which neither requires
+ plain text passwords on the net or on disk. Unfortunately this
+ is not available as Samba is stuck with being compatible with
+ other SMB systems (WinNT, WfWg, Win95 etc). </para>
+
+ <warning>
+ <para>Note that Windows NT 4.0 Service pack 3 changed the
+ default for permissible authentication so that plaintext
+ passwords are <emphasis>never</emphasis> sent over the wire.
+ The solution to this is either to switch to encrypted passwords
+ with Samba or edit the Windows NT registry to re-enable plaintext
+ passwords. See the document WinNT.txt for details on how to do
+ this.</para>
+
+ <para>Other Microsoft operating systems which also exhibit
+ this behavior includes</para>
+
+ <itemizedlist>
+ <listitem><para>MS DOS Network client 3.0 with
+ the basic network redirector installed</para></listitem>
+
+ <listitem><para>Windows 95 with the network redirector
+ update installed</para></listitem>
+
+ <listitem><para>Windows 98 [se]</para></listitem>
+
+ <listitem><para>Windows 2000</para></listitem>
+ </itemizedlist>
+
+ <para><emphasis>Note :</emphasis>All current release of
+ Microsoft SMB/CIFS clients support authentication via the
+ SMB Challenge/Response mechanism described here. Enabling
+ clear text authentication does not disable the ability
+ of the client to participate in encrypted authentication.</para>
+ </warning>
+
+ <sect2>
+ <title>Advantages of SMB Encryption</title>
+
+ <itemizedlist>
+ <listitem><para>plain text passwords are not passed across
+ the network. Someone using a network sniffer cannot just
+ record passwords going to the SMB server.</para>
+ </listitem>
+
+ <listitem><para>WinNT doesn't like talking to a server
+ that isn't using SMB encrypted passwords. It will refuse
+ to browse the server if the server is also in user level
+ security mode. It will insist on prompting the user for the
+ password on each connection, which is very annoying. The
+ only things you can do to stop this is to use SMB encryption.
+ </para></listitem>
+ </itemizedlist>
+ </sect2>
+
+
+ <sect2>
+ <title>Advantages of non-encrypted passwords</title>
+
+ <itemizedlist>
+ <listitem><para>plain text passwords are not kept
+ on disk. </para></listitem>
+
+ <listitem><para>uses same password file as other unix
+ services such as login and ftp</para></listitem>
+
+ <listitem><para>you are probably already using other
+ services (such as telnet and ftp) which send plain text
+ passwords over the net, so sending them for SMB isn't
+ such a big deal.</para></listitem>
+ </itemizedlist>
+ </sect2>
+</sect1>
+
+
+<sect1>
+ <title>The smbpasswd Command</title>
+
+ <para>The smbpasswd command maintains the two 32 byte password fields
+ in the smbpasswd file. If you wish to make it similar to the unix
+ <command>passwd</command> or <command>yppasswd</command> programs,
+ install it in <filename>/usr/local/samba/bin/</filename> (or your
+ main Samba binary directory).</para>
+
+ <para><command>smbpasswd</command> now works in a client-server mode
+ where it contacts the local smbd to change the user's password on its
+ behalf. This has enormous benefits - as follows.</para>
+
+ <para><command>smbpasswd</command> now has the capability
+ to change passwords on Windows NT servers (this only works when
+ the request is sent to the NT Primary Domain Controller if you
+ are changing an NT Domain user's password).</para>
+
+ <para>To run smbpasswd as a normal user just type :</para>
+
+ <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
+ <para><prompt>Old SMB password: </prompt><userinput>&lt;type old value here -
+ or hit return if there was no old password&gt;</userinput></para>
+ <para><prompt>New SMB Password: </prompt><userinput>&lt;type new value&gt;
+ </userinput></para>
+ <para><prompt>Repeat New SMB Password: </prompt><userinput>&lt;re-type new value
+ </userinput></para>
+
+ <para>If the old value does not match the current value stored for
+ that user, or the two new values do not match each other, then the
+ password will not be changed.</para>
+
+ <para>If invoked by an ordinary user it will only allow the user
+ to change his or her own Samba password.</para>
+
+ <para>If run by the root user smbpasswd may take an optional
+ argument, specifying the user name whose SMB password you wish to
+ change. Note that when run as root smbpasswd does not prompt for
+ or check the old password value, thus allowing root to set passwords
+ for users who have forgotten their passwords.</para>
+
+ <para><command>smbpasswd</command> is designed to work in the same way
+ and be familiar to UNIX users who use the <command>passwd</command> or
+ <command>yppasswd</command> commands.</para>
+
+ <para>For more details on using <command>smbpasswd</command> refer
+ to the man page which will always be the definitive reference.</para>
+</sect1>
+
+</chapter>