Diffstat (limited to 'docs/docbook/projdoc')
20 files changed, 580 insertions, 890 deletions
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 887ecd74c2..3e34d53c0a 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -14,8 +14,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication again Windows2000 KDC. </para> -<para>Pieces you need before you begin:</para> -<para> +<para>Pieces you need before you begin: <simplelist> <member>a Windows 2000 server.</member> <member>samba 3.0 or higher.</member> @@ -27,8 +26,7 @@ Windows2000 KDC. <sect1> <title>Installing the required packages for Debian</title> -<para>On Debian you need to install the following packages:</para> -<para> +<para>On Debian you need to install the following packages: <simplelist> <member>libkrb5-dev</member> <member>krb5-user</member> @@ -39,8 +37,7 @@ Windows2000 KDC. <sect1> <title>Installing the required packages for RedHat</title> -<para>On RedHat this means you should have at least: </para> -<para> +<para>On RedHat this means you should have at least: <simplelist> <member>krb5-workstation (for kinit)</member> <member>krb5-libs (for linking with)</member> @@ -60,8 +57,7 @@ to get them off CD2.</para> <para>If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.</para> -<para>After you run configure make sure that include/config.h it - generates contains +<para>After you run configure make sure that include/config.h contains lines like this:</para> <para><programlisting> 
@@ -90,10 +86,9 @@ In case samba can't figure out your ads server using your realm name, use the </programlisting> </para> -<para>You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above +<para>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above required options will change soon when we get better active directory integration.</para> </sect1> @@ -104,7 +99,7 @@ In case samba can't figure out your ads server using your realm name, use the <para>The minimal configuration for krb5.conf is:</para> <para><programlisting> -[realms] + [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server } @@ -133,7 +128,7 @@ to join the realm. <para> If all you want is kerberos support in smbclient then you can skip straight to step 5 now. Step 3 is only needed if you want kerberos -support for smbd and winbindd. +support in smbd. </para> </sect1> @@ -142,7 +137,9 @@ support for smbd and winbindd. <title>Create the computer account</title> <para> -As a user that has write permission on the Samba private directory +Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory (usually root) run: <command>net ads join</command> </para> 
@@ -152,6 +149,8 @@ As a user that has write permission on the Samba private directory <para> <variablelist> +<varlistentry><term>"bash: kinit: command not found"</term> +<listitem><para>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</para></listitem></varlistentry> <varlistentry><term>"ADS support not compiled in"</term> <listitem><para>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</para></listitem></varlistentry> </variablelist> diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index 8e3fbce6d3..8ecc795966 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -126,9 +126,8 @@ simultaneously the LMB on it's network segment. <para> The syntax of the "remote browse sync" parameter is: - <programlisting> -remote browse sync = a.b.c.d + remote browse sync = a.b.c.d </programlisting> where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment. 
@@ -244,35 +243,36 @@ The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! <para> Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information -are:</para> - +are: <simplelist> <member>WINS: the best tool!</member> <member>LMHOSTS: is static and hard to maintain.</member> <member>Broadcast: uses UDP and can not resolve names across remote segments.</member> </simplelist> +</para> <para> -Alternative means of name resolution includes:</para> +Alternative means of name resolution includes: <simplelist> <member>/etc/hosts: is static, hard to maintain, and lacks name_type info</member> <member>DNS: is a good choice but lacks essential name_type info.</member> </simplelist> +</para> <para> Many sites want to restrict DNS lookups and want to avoid broadcast name resolution traffic. The "name resolve order" parameter is of great help here. The syntax of the "name resolve order" parameter is: <programlisting> -name resolve order = wins lmhosts bcast host + name resolve order = wins lmhosts bcast host </programlisting> _or_ <programlisting> -name resolve order = wins lmhosts (eliminates bcast and host) + name resolve order = wins lmhosts (eliminates bcast and host) </programlisting> The default is: <programlisting> -name resolve order = host lmhost wins bcast + name resolve order = host lmhost wins bcast </programlisting>. where "host" refers the the native methods used by the Unix system to implement the gethostbyname() function call. This is normally diff --git a/docs/docbook/projdoc/CVS-Access.sgml b/docs/docbook/projdoc/CVS-Access.sgml index 3c1adfd17a..98ef925f20 100644 --- a/docs/docbook/projdoc/CVS-Access.sgml +++ b/docs/docbook/projdoc/CVS-Access.sgml @@ -12,7 +12,7 @@ <pubdate> (22 May 2001) </pubdate> </chapterinfo> -<title>Access Samba source code via CVS</title> +<title>HOWTO Access Samba source code via CVS</title> <sect1> <title>Introduction</title> 
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index b178bfd2c2..8a30a5527d 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml 
@@ -25,29 +25,79 @@ </chapterinfo> -<title>Samba as a NT4 or Win2k domain member</title> +<title>Samba as a NT4 domain member</title> <sect1> - <title>Joining an NT Domain with Samba 3.0</title> + <title>Joining an NT Domain with Samba 2.2</title> - <para>Assume you have a Samba 3.0 server with a NetBIOS name of - <constant>SERV1</constant> and are joining an or Win2k NT domain called + <para>Assume you have a Samba 2.x server with a NetBIOS name of + <constant>SERV1</constant> and are joining an NT domain called <constant>DOM</constant>, which has a PDC with a NetBIOS name of <constant>DOMPDC</constant> and two backup domain controllers with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2 </constant>.</para> - <para>Firstly, you must edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename> + <para>In order to join the domain, first stop all Samba daemons + and run the command:</para> + + <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC + -U<replaceable>Administrator%password</replaceable></userinput></para> + + <para>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <replaceable>Administrator%password</replaceable> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</para> + + <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput> + </para> + + <para>in your terminal window. See the <ulink url="smbpasswd.8.html"> + smbpasswd(8)</ulink> man page for more details.</para> + + <para>There is existing development code to join a domain + without having to create the machine trust account on the PDC + beforehand. 
This code will hopefully be available soon + in release branches as well.</para> + + <para>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</para> + + <para><filename>/usr/local/samba/private</filename></para> + + <para>In Samba 2.0.x, the filename looks like this:</para> + + <para><filename><replaceable><NT DOMAIN NAME></replaceable>.<replaceable><Samba + Server Name></replaceable>.mac</filename></para> + + <para>The <filename>.mac</filename> suffix stands for machine account + password file. So in our example above, the file would be called:</para> + + <para><filename>DOM.SERV1.mac</filename></para> + + <para>In Samba 2.2, this file has been replaced with a TDB + (Trivial Database) file named <filename>secrets.tdb</filename>. + </para> + + + <para>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</para> + + <para>Now, before restarting the Samba daemons you must + edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename> </ulink> file to tell Samba it should now use domain security.</para> <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> <parameter>security =</parameter></ulink> line in the [global] section of your smb.conf to read:</para> - <para><command>security = domain</command> or - <command>security = ads</command> depending on if the PDC is - NT4 or running Active Directory respectivly.</para> + <para><command>security = domain</command></para> <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter> workgroup =</parameter></ulink> line in the [global] section to read: </para> 
@@ -78,47 +128,11 @@ <para><command>password server = *</command></para> - <para>This method, allows Samba to use exactly the same - mechanism that NT does. This + <para>This method, which was introduced in Samba 2.0.6, + allows Samba to use exactly the same mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against.</para> - <para>In order to actually join the domain, you must run this - command:</para> - - <para><prompt>root# </prompt><userinput>net join -S DOMPDC - -U<replaceable>Administrator%password</replaceable></userinput></para> - - <para>as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <replaceable>Administrator%password</replaceable> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</para> - - <para><computeroutput>Joined domain DOM.</computeroutput> - or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput> - </para> - - <para>in your terminal window. See the <ulink url="net.8.html"> - net(8)</ulink> man page for more details.</para> - - <para>This process joins the server to thedomain - without having to create the machine trust account on the PDC - beforehand.</para> - - <para>This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</para> - - <para><filename>/usr/local/samba/private/secrets.tdb</filename></para> - - <para>This file is created and owned by root and is not - readable by any other user. 
It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</para> - <para>Finally, restart your Samba daemons and get ready for clients to begin using domain security!</para> </sect1> @@ -130,8 +144,23 @@ <para> Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode. The steps above apply -to both NT4 and Windows 2000. +2000 domain operating in mixed or native mode. +</para> + +<para> +There is much confusion between the circumstances that require a "mixed" mode +Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode +Win2k domain controller is only needed if Windows NT BDCs must exist in the same +domain. By default, a Win2k DC in "native" mode will still support +NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and +NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server. +</para> + +<para> +The steps for adding a Samba 2.2 host to a Win2k domain are the same as those +for adding a Samba server to a Windows NT 4.0 domain. The only exception is that +the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and +Computers" MMC (Microsoft Management Console) plugin. </para> </sect1> 
@@ -176,7 +205,13 @@ to both NT4 and Windows 2000. <para>And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. </para> + as the user SID, the list of NT groups the user belongs to, etc. All + this information will allow Samba to be extended in the future into + a mode the developers currently call appliance mode. In this mode, + no local Unix users will be necessary, and Samba will generate Unix + uids and gids from the information passed back from the PDC when a + user is authenticated, making a Samba server truly plug and play + in an NT domain environment. Watch for this code soon.</para> <para><emphasis>NOTE:</emphasis> Much of the text of this document was first published in the Web magazine <ulink url="http://www.linuxworld.com"> diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml new file mode 100644 index 0000000000..f903d7d334 --- /dev/null +++ b/docs/docbook/projdoc/ENCRYPTION.sgml 
@@ -0,0 +1,189 @@ +<chapter id="pwencrypt"> + + +<chapterinfo> + <author> + <firstname>Jeremy</firstname><surname>Allison</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jra@samba.org</email> + </address> + </affiliation> + </author> + + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jelmer@samba.org</email> + </address> + </affiliation> + </author> + + <pubdate>4 November 2002</pubdate> +</chapterinfo> + +<title>LanMan and NT Password Encryption in Samba</title> + + +<sect1> + <title>Introduction</title> + + <para>Newer windows clients send encrypted passwords over + the wire, instead of plain text passwords. The newest clients + will only send encrypted passwords and refuse to send plain text + passwords, unless their registry is tweaked.</para> + + <para>These passwords can't be converted to unix style encrypted + passwords. Because of that you can't use the standard unix + user database, and you have to store the Lanman and NT hashes + somewhere else. For more information, see the documentation + about the <command>passdb backend = </command> parameter. + </para> + +</sect1> + +<sect1> + <title>Important Notes About Security</title> + + <para>The unix and SMB password encryption techniques seem similar + on the surface. This similarity is, however, only skin deep. The unix + scheme typically sends clear text passwords over the network when + logging in. This is bad. The SMB encryption scheme never sends the + cleartext password over the network but it does store the 16 byte + hashed values on disk. This is also bad. Why? Because the 16 byte hashed + values are a "password equivalent". You cannot derive the user's + password from them, but they could potentially be used in a modified + client to gain access to a server. This would require considerable + technical knowledge on behalf of the attacker but is perfectly possible. 
+ You should thus treat the smbpasswd file as though it contained the + cleartext passwords of all your users. Its contents must be kept + secret, and the file should be protected accordingly.</para> + + <para>Ideally we would like a password scheme which neither requires + plain text passwords on the net or on disk. Unfortunately this + is not available as Samba is stuck with being compatible with + other SMB systems (WinNT, WfWg, Win95 etc). </para> + + <warning> + <para>Note that Windows NT 4.0 Service pack 3 changed the + default for permissible authentication so that plaintext + passwords are <emphasis>never</emphasis> sent over the wire. + The solution to this is either to switch to encrypted passwords + with Samba or edit the Windows NT registry to re-enable plaintext + passwords. See the document WinNT.txt for details on how to do + this.</para> + + <para>Other Microsoft operating systems which also exhibit + this behavior includes</para> + + <itemizedlist> + <listitem><para>MS DOS Network client 3.0 with + the basic network redirector installed</para></listitem> + + <listitem><para>Windows 95 with the network redirector + update installed</para></listitem> + + <listitem><para>Windows 98 [se]</para></listitem> + + <listitem><para>Windows 2000</para></listitem> + </itemizedlist> + + <para><emphasis>Note :</emphasis>All current release of + Microsoft SMB/CIFS clients support authentication via the + SMB Challenge/Response mechanism described here. Enabling + clear text authentication does not disable the ability + of the client to participate in encrypted authentication.</para> + </warning> + + <sect2> + <title>Advantages of SMB Encryption</title> + + <itemizedlist> + <listitem><para>plain text passwords are not passed across + the network. Someone using a network sniffer cannot just + record passwords going to the SMB server.</para> + </listitem> + + <listitem><para>WinNT doesn't like talking to a server + that isn't using SMB encrypted passwords. 
It will refuse + to browse the server if the server is also in user level + security mode. It will insist on prompting the user for the + password on each connection, which is very annoying. The + only things you can do to stop this is to use SMB encryption. + </para></listitem> + </itemizedlist> + </sect2> + + + <sect2> + <title>Advantages of non-encrypted passwords</title> + + <itemizedlist> + <listitem><para>plain text passwords are not kept + on disk. </para></listitem> + + <listitem><para>uses same password file as other unix + services such as login and ftp</para></listitem> + + <listitem><para>you are probably already using other + services (such as telnet and ftp) which send plain text + passwords over the net, so sending them for SMB isn't + such a big deal.</para></listitem> + </itemizedlist> + </sect2> +</sect1> + + +<sect1> + <title>The smbpasswd Command</title> + + <para>The smbpasswd command maintains the two 32 byte password fields + in the smbpasswd file. If you wish to make it similar to the unix + <command>passwd</command> or <command>yppasswd</command> programs, + install it in <filename>/usr/local/samba/bin/</filename> (or your + main Samba binary directory).</para> + + <para><command>smbpasswd</command> now works in a client-server mode + where it contacts the local smbd to change the user's password on its + behalf. 
This has enormous benefits - as follows.</para> + + <para><command>smbpasswd</command> now has the capability + to change passwords on Windows NT servers (this only works when + the request is sent to the NT Primary Domain Controller if you + are changing an NT Domain user's password).</para> + + <para>To run smbpasswd as a normal user just type :</para> + + <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para> + <para><prompt>Old SMB password: </prompt><userinput><type old value here - + or hit return if there was no old password></userinput></para> + <para><prompt>New SMB Password: </prompt><userinput><type new value> + </userinput></para> + <para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value + </userinput></para> + + <para>If the old value does not match the current value stored for + that user, or the two new values do not match each other, then the + password will not be changed.</para> + + <para>If invoked by an ordinary user it will only allow the user + to change his or her own Samba password.</para> + + <para>If run by the root user smbpasswd may take an optional + argument, specifying the user name whose SMB password you wish to + change. Note that when run as root smbpasswd does not prompt for + or check the old password value, thus allowing root to set passwords + for users who have forgotten their passwords.</para> + + <para><command>smbpasswd</command> is designed to work in the same way + and be familiar to UNIX users who use the <command>passwd</command> or + <command>yppasswd</command> commands.</para> + + <para>For more details on using <command>smbpasswd</command> refer + to the man page which will always be the definitive reference.</para> +</sect1> + +</chapter> diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 06c1d3a87e..6d5a019fcb 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml 
@@ -1,4 +1,3 @@ -<?xml version="1.0" encoding="iso8859-1"?> <chapter id="groupmapping"> <chapterinfo> <author> diff --git a/docs/docbook/projdoc/GroupProfiles.sgml b/docs/docbook/projdoc/GroupProfiles.sgml deleted file mode 100644 index e5120aed9b..0000000000 --- a/docs/docbook/projdoc/GroupProfiles.sgml +++ /dev/null 
@@ -1,285 +0,0 @@ -<chapter id="GroupProfiles"> -<chapterinfo> - <author> - <firstname>John</firstname><surname>Terpstra</surname> - </author> - <author> - <firstname>Jelmer</firstname><surname>Vernooij</surname> - </author> - <author> - <firstname>John</firstname><surname>Russell</surname> - <affiliation> - <address><email>apca72@dsl.pipex.com</email></address> - </affiliation> - </author> -</chapterinfo> - -<title>Creating Group Profiles</title> - -<sect1> -<title>Windows '9x</title> -<para> -You need the Win98 Group Policy Editor to -set Group Profiles up under Windows '9x. It can be found on the Original -full product Win98 installation CD under -<filename>tools/reskit/netadmin/poledit</filename>. You install this -using the Add/Remove Programs facility and then click on the 'Have Disk' -tab. -</para> - -<para> -Use the Group Policy Editor to create a policy file that specifies the -location of user profiles and/or the <filename>My Documents</filename> etc. -stuff. You then save these settings in a file called -<filename>Config.POL</filename> that needs to be placed in -the root of the [NETLOGON] share. If your Win98 is configured to log onto -the Samba Domain, it will automatically read this file and update the -Win98 registry of the machine that is logging on. -</para> - -<para> -All of this is covered in the Win98 Resource Kit documentation. -</para> - -<para> -If you do not do it this way, then every so often Win98 will check the -integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win98 machine. Hence, you will notice -things changing back to the original settings. -</para> - -</sect1> - -<sect1> -<title>Windows NT 4</title> - -<para> -Unfortunately, the Resource Kit info is Win NT4/2K version specific. 
-</para> - -<para> -Here is a quick guide: -</para> - -<itemizedlist> - -<listitem><para> -On your NT4 Domain Controller, right click on 'My Computer', then -select the tab labelled 'User Profiles'. -</para></listitem> - -<listitem><para> -Select a user profile you want to migrate and click on it. -</para> - -<note><para>I am using the term "migrate" lossely. You can copy a profile to -create a group profile. You can give the user 'Everyone' rights to the -profile you copy this to. That is what you need to do, since your samba -domain is not a member of a trust relationship with your NT4 PDC.</para></note> -</listitem> - -<listitem><para>Click the 'Copy To' button.</para></listitem> - -<listitem><para>In the box labelled 'Copy Profile to' add your new path, eg: -<filename>c:\temp\foobar</filename></para></listitem> - -<listitem><para>Click on the button labelled 'Change' in the "Permitted to use" box.</para></listitem> - -<listitem><para>Click on the group 'Everyone' and then click OK. This closes the -'chose user' box.</para></listitem> - -<listitem><para>Now click OK.</para></listitem> -</itemizedlist> - -<para> -Follow the above for every profile you need to migrate. -</para> - -<sect2> -<title>Side bar Notes</title> - -<para> -You should obtain the SID of your NT4 domain. You can use smbpasswd to do -this. Read the man page.</para> - -<para> -With Samba-3.0.0 alpha code you can import all you NT4 domain accounts -using the net samsync method. This way you can retain your profile -settings as well as all your users. -</para> - -</sect2> - -<sect2> -<title>Mandatory profiles</title> - -<para> -The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN. -</para> - -</sect2> - -<sect2> -<title>moveuser.exe</title> - -<para> -The W2K professional resource kit has moveuser.exe. 
moveuser.exe changes -the security of a profile from one user to another. This allows the account -domain to change, and/or the user name to change. -</para> - -</sect2> - -<sect2> -<title>Get SID</title> - -<para> -You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 -Resource Kit. -</para> - -<para> -Windows NT 4.0 stores the local profile information in the registry under -the following key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList -</para> - -<para> -Under the ProfileList key, there will be subkeys named with the SIDs of the -users who have logged on to this computer. (To find the profile information -for the user whose locally cached profile you want to move, find the SID for -the user with the GetSID.exe utility.) Inside of the appropriate user's -subkey, you will see a string value named ProfileImagePath. -</para> - -</sect2> - -</sect1> - -<sect1> -<title>Windows 2000/XP</title> - -<para> -You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows: -</para> - -<itemizedlist> -<listitem><para> -Log on as the LOCAL workstation administrator. -</para></listitem> - -<listitem><para> -Right click on the 'My Computer' Icon, select 'Properties' -</para></listitem> - -<listitem><para> -Click on the 'User Profiles' tab -</para></listitem> - -<listitem><para> -Select the profile you wish to convert (click on it once) -</para></listitem> - -<listitem><para> -Click on the button 'Copy To' -</para></listitem> - -<listitem><para> -In the "Permitted to use" box, click on the 'Change' button. -</para></listitem> - -<listitem><para> -Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible. -</para> - -<note><para>You will need to log on if a logon box opens up. 
Eg: In the connect -as: MIDEARTH\root, password: mypassword.</para></note> -</listitem> - -<listitem><para> -To make the profile capable of being used by anyone select 'Everyone' -</para></listitem> - -<listitem><para> -Click OK. The Selection box will close. -</para></listitem> - -<listitem><para> -Now click on the 'Ok' button to create the profile in the path you -nominated. -</para></listitem> -</itemizedlist> - -<para> -Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool. -</para> - -<note> -<para> -Under NT/2K the use of mandotory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable. -</para> -</note> - -<note> -<itemizedlist> -<listitem><para> -This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</para> - -<para>"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders"</para> - -<para>...and it should be set to "Enabled". -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this. -</para> - -<para> -If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. I don't know for sure that this will work in the -same way as a domain group policy): -</para> - -</listitem> - -<listitem><para> -On the XP workstation log in with an Administrator account. 
-</para></listitem> - -<listitem><para>Click: "Start", "Run"</para></listitem> -<listitem><para>Type: "mmc"</para></listitem> -<listitem><para>Click: "OK"</para></listitem> - -<listitem><para>A Microsoft Management Console should appear.</para></listitem> -<listitem><para>Click: File, "Add/Remove Snap-in...", "Add"</para></listitem> -<listitem><para>Double-Click: "Group Policy"</para></listitem> -<listitem><para>Click: "Finish", "Close"</para></listitem> -<listitem><para>Click: "OK"</para></listitem> - -<listitem><para>In the "Console Root" window:</para></listitem> -<listitem><para>Expand: "Local Computer Policy", "Computer Configuration",</para></listitem> -<listitem><para>"Administrative Templates", "System", "User Profiles"</para></listitem> -<listitem><para>Double-Click: "Do not check for user ownership of Roaming Profile</para></listitem> -<listitem><para>Folders"</para></listitem> -<listitem><para>Select: "Enabled"</para></listitem> -<listitem><para>Click: OK"</para></listitem> - -<listitem><para>Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed).</para></listitem> - -<listitem><para>Reboot</para></listitem> -</itemizedlist> -</note> - -</sect1> -</chapter> diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index a4e79fd42b..3b0faf81af 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml 
@@ -295,16 +295,16 @@ The following are typical NetBIOS name/service type registrations: <para><programlisting> Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser + MACHINENAME<00> = Server Service is running on MACHINENAME + MACHINENAME<03> = Generic Machine Name (NetBIOS name) + MACHINENAME<20> = LanMan Server service is running on MACHINENAME + WORKGROUP<1b> = Domain Master Browser Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers + WORKGROUP<03> = Generic Name registered by all members of WORKGROUP + WORKGROUP<1c> = Domain Controllers / Netlogon Servers + WORKGROUP<1d> = Local Master Browsers + WORKGROUP<1e> = Internet Name Resolvers </programlisting></para> <para> @@ -323,7 +323,7 @@ be needed. An example of this is what happens when an MS Windows client wants to locate a domain logon server. It find this service and the IP address of a server that provides it by performing a lookup (via a NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each +registered the name type *<1c>. A logon request is then sent to each IP address that is returned in the enumerated list of IP addresses. Which ever machine first replies then ends up providing the logon services. </para> diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml index 2843331519..2259dae029 100644 --- a/docs/docbook/projdoc/NT_Security.sgml +++ b/docs/docbook/projdoc/NT_Security.sgml 
@@ -31,6 +31,12 @@ the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</para> + + <para>In Samba 2.0.4 and above the default value of the + parameter <ulink url="smb.conf.5.html#NTACLSUPPORT"><parameter> + nt acl support</parameter></ulink> has been changed from + <constant>false</constant> to <constant>true</constant>, so + manipulation of permissions is turned on by default.</para> </sect1> <sect1> diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index dae267e8b5..afafacc5e4 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -175,16 +175,4 @@ Corrective Action: Delete the entry after the word loopback in the line starting 127.0.0.1 </para> </sect1> - -<sect1> -<title>AIX</title> -<sect2> -<title>Sequential Read Ahead</title> -<!-- From an email by William Jojo <jojowil@hvcc.edu> --> -<para> -Disabling Sequential Read Ahead using "vmtune -r 0" improves -samba performance significally. -</para> -</sect2> -</sect1> </chapter> diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index e3bee32db0..7653e3d1c0 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -128,7 +128,7 @@ the password change is done. <sect1> -<title>Can Samba be a Backup Domain Controller to an NT PDC?</title> +<title>Can Samba be a Backup Domain Controller?</title> <para> With version 2.2, no. The native NT SAM replication protocols have 
@@ -138,12 +138,6 @@ been finished for version 2.2. </para> <para> -With version 3.0, the work on both the replication protocols and a -suitable storage mechanism has progressed, and some form of NT4 BDC -support is expected soon. -</para> - -<para> Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to @@ -184,8 +178,7 @@ whenever changes are made, or the PDC is set up as a NIS master server and the BDC as a NIS slave server. To set up the BDC as a mere NIS client would not be enough, as the BDC would not be able to access its user database in case of a PDC failure. -</para> -</listitem> +</para></listitem> <listitem><para> The Samba password database in the file private/smbpasswd has to be @@ -243,15 +236,5 @@ password. </sect2> -<sect2> -<title>Can I do this all with LDAP?</title> -<para>The simple answer is YES. Samba's pdb_ldap code supports -binding to a replica LDAP server, and will also follow referrals and -rebind to the master if it ever needs to make a modification to the -database. (Normally BDCs are read only, so this will not occur -often). -</para> -</sect2> - </sect1> </chapter> diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml index 222b4010ab..f294ddd1ff 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/Samba-LDAP-HOWTO.sgml 
@@ -1,244 +1,27 @@ -<chapter id="passdb"> +<chapter id="samba-ldap-howto"> + <chapterinfo> <author> - <firstname>Jelmer</firstname><surname>Vernooij</surname> - <affiliation> - <orgname>The Samba Team</orgname> - <address><email>jelmer@samba.org</email></address> - </affiliation> - </author> - <author> <firstname>Gerald (Jerry)</firstname><surname>Carter</surname> <affiliation> <orgname>Samba Team</orgname> <address><email>jerry@samba.org</email></address> </affiliation> - </author> - <author> <firstname>Olivier (lem)</firstname><surname>Lemaire</surname> <affiliation> <orgname>IDEALX</orgname> <address><email>olem@IDEALX.org</email></address> </affiliation> </author> - <author> - <firstname>Jeremy</firstname><surname>Allison</surname> - <affiliation> - <orgname>Samba Team</orgname> - <address> - <email>jra@samba.org</email> - </address> - </affiliation> - </author> - <pubdate>February 2003</pubdate> -</chapterinfo> - -<title>User information database</title> - -<sect1> - <title>Introduction</title> - - <para>Old windows clients send plain text passwords over the wire. - Samba can check these passwords by crypting them and comparing them - to the hash stored in the unix user database. - </para> - - <para> - Newer windows clients send encrypted passwords (so-called - Lanman and NT hashes) over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked. - </para> - - <para>These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else. </para> - - <para>Next to a differently encrypted passwords, - windows also stores certain data for each user - that is not stored in a unix user database, e.g. - workstations the user may logon from, the location where his/her - profile is stored, etc. 
- Samba retrieves and stores this information using a "passdb backend". - Commonly - available backends are LDAP, plain text file, MySQL and nisplus. - For more information, see the documentation about the - <command>passdb backend = </command> parameter. - </para> -</sect1> - -<sect1> - <title>Important Notes About Security</title> - - <para>The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the data stored in whatever - passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.</para> - - <para>Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc). </para> - - <warning> - <para>Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are <emphasis>never</emphasis> sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. 
See the document WinNT.txt for details on how to do - this.</para> - - <para>Other Microsoft operating systems which also exhibit - this behavior includes</para> - - <simplelist> - <member>MS DOS Network client 3.0 with - the basic network redirector installed</member> - - <member>Windows 95 with the network redirector - update installed</member> - - <member>Windows 98 [se]</member> - - <member>Windows 2000</member> - </simplelist> - - <para><emphasis>Note :</emphasis>All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.</para> - </warning> - - <sect2> - <title>Advantages of SMB Encryption</title> - - <simplelist> - <member>plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.</member> - - <member>WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. - </member> - </simplelist> - </sect2> - - - <sect2> - <title>Advantages of non-encrypted passwords</title> - - <simplelist> - <member>plain text passwords are not kept - on disk. 
</member> - - <member>uses same password file as other unix - services such as login and ftp</member> - - <member>you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.</member> - </simplelist> - </sect2> -</sect1> -<sect1> - <title>The smbpasswd Command</title> - - <para>The smbpasswd utility is a utility similar to the - <command>passwd</command> or <command>yppasswd</command> programs. - It maintains the two 32 byte password fields - in the passdb backend. </para> - - <para><command>smbpasswd</command> works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.</para> - - <para><command>smbpasswd</command> has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).</para> - - <para>To run smbpasswd as a normal user just type :</para> - - <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para> - <para><prompt>Old SMB password: </prompt><userinput><type old value here - - or hit return if there was no old password></userinput></para> - <para><prompt>New SMB Password: </prompt><userinput><type new value> - </userinput></para> - <para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value - </userinput></para> - - <para>If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.</para> - - <para>If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.</para> - - <para>If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. 
Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.</para> - - <para><command>smbpasswd</command> is designed to work in the same way - and be familiar to UNIX users who use the <command>passwd</command> or - <command>yppasswd</command> commands.</para> - - <para>For more details on using <command>smbpasswd</command> refer - to the man page which will always be the definitive reference.</para> -</sect1> - -<!-- -<sect1> -<title>The <command>pdbedit</command> command</title> -FIXME -</sect1> ---> - -<sect1> -<title>Plain text</title> -<para> -Older versions of samba retrieved user information from the unix user database -and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename> -or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no -data is stored at all. -</para> -</sect1> + <pubdate> (13 Jan 2002) </pubdate> +</chapterinfo> -<sect1> -<title>TDB</title> -<para>Samba can also store the user data in a "TDB" (Trivial Database). Using this backend -doesn't require any additional configuration. This backend is recommended for new installations who -don't require LDAP. -</para> -</sect1> +<title>Storing Samba's User/Machine Account information in an LDAP Directory</title> <sect1> -<title>LDAP</title> - -<sect2> -<title>Introduction</title> +<title>Purpose</title> <para> This document describes how to use an LDAP directory for storing Samba user @@ -272,9 +55,10 @@ Two additional Samba resources which may prove to be helpful are </para></listitem> </itemizedlist> -</sect2> +</sect1> -<sect2> + +<sect1> <title>Introduction</title> <para> @@ -346,9 +130,9 @@ versions of these libraries can be obtained from PADL Software the details of configuring these packages are beyond the scope of this document. </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Supported LDAP Servers</title> <para> 
@@ -361,15 +145,20 @@ hard to fix. If you are so inclined, please be sure to forward all patches to <ulink url="jerry@samba.org">jerry@samba.org</ulink>. </para> -</sect2> +</sect1> -<sect2> + + + +<sect1> <title>Schema and Relationship to the RFC 2307 posixAccount</title> <para> -Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -<filename>examples/LDAP/samba.schema</filename>. The sambaAccount objectclass is given here: +Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in +<filename>examples/LDAP/samba.schema</filename>. (Note that this schema +file has been modified since the experimental support initially included +in 2.2.2). The sambaAccount objectclass is given here: </para> <para><programlisting> @@ -412,13 +201,13 @@ and functioning correctly. This division of information makes it possible to store all Samba account information in LDAP, but still maintain UNIX account information in NIS while the network is transitioning to a full LDAP infrastructure. </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Configuring Samba with LDAP</title> -<sect3> +<sect2> <title>OpenLDAP configuration</title> <para> @@ -477,10 +266,10 @@ index rid eq ##index cn eq ##index memberUid eq </programlisting></para> -</sect3> +</sect2> -<sect3> +<sect2> <title>Configuring Samba</title> <!--lem: <title>smb.conf LDAP parameters</title> --> @@ -541,11 +330,11 @@ use with an LDAP directory could appear as </programlisting></para> -</sect3> </sect2> +</sect1> -<sect2> +<sect1> <title>Accounts and Groups management</title> <para> 
@@ -564,15 +353,15 @@ file). </para> <para> -In Samba release 3.0, the group management system is based on posix -groups. This means that Samba make usage of the posixGroup objectclass. +In Samba release 2.2.3, the group management system is based on posix +groups. This meand that Samba make usage of the posixGroup objectclass. For now, there is no NT-like group system management (global and local groups). </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Security and sambaAccount</title> @@ -625,11 +414,11 @@ access to attrs=lmPassword,ntPassword </programlisting></para> -</sect2> +</sect1> -<sect2> +<sect1> <title>LDAP specials attributes for sambaAccounts</title> <para> @@ -722,11 +511,11 @@ something other than the default (e.g. \\MOBY\becky). </para> -</sect2> +</sect1> -<sect2> +<sect1> <title>Example LDIF Entries for a sambaAccount</title> 
@@ -781,189 +570,24 @@ pwdMustChange: 2147483647 ntPassword: 878D8014606CDA29677A44EFA1353FC7 </programlisting></para> -</sect2> -</sect1> -<sect1> -<title>MySQL</title> - -<sect2> -<title>Building</title> - -<para>To build the plugin, run <command>make bin/pdb_mysql.so</command> -in the <filename>source/</filename> directory of samba distribution. -</para> - -<para>Next, copy pdb_mysql.so to any location you want. I -strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para> - -</sect2> - -<sect2> -<title>Creating the database</title> - -<para> -You either can set up your own table and specify the field names to pdb_mysql (see below -for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename> -contains the correct queries to create the required tables. Use the command : - -<command>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> < <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></command> - -</para> -</sect2> - -<sect2> -<title>Configuring</title> - -<para>This plugin lacks some good documentation, but here is some short info:</para> - -<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>: -<programlisting> -passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins] -</programlisting> -</para> - -<para>The identifier can be any string you like, as long as it doesn't collide with -the identifiers of other plugins or other instances of pdb_mysql. If you -specify multiple pdb_mysql.so entries in 'passdb backend', you also need to -use different identifiers! -</para> - -<para> -Additional options can be given thru the smb.conf file in the [global] section. 
-</para> - -<para><programlisting> -identifier:mysql host - host name, defaults to 'localhost' -identifier:mysql password -identifier:mysql user - defaults to 'samba' -identifier:mysql database - defaults to 'samba' -identifier:mysql port - defaults to 3306 -identifier:table - Name of the table containing users -</programlisting></para> - -<warning> -<para> -Since the password for the mysql user is stored in the -smb.conf file, you should make the the smb.conf file -readable only to the user that runs samba. This is considered a security -bug and will be fixed soon. -</para> -</warning> - -<para>Names of the columns in this table(I've added column types those columns should have first):</para> - -<para><programlisting> -identifier:logon time column - int(9) -identifier:logoff time column - int(9) -identifier:kickoff time column - int(9) -identifier:pass last set time column - int(9) -identifier:pass can change time column - int(9) -identifier:pass must change time column - int(9) -identifier:username column - varchar(255) - unix username -identifier:domain column - varchar(255) - NT domain user is part of -identifier:nt username column - varchar(255) - NT username -identifier:fullname column - varchar(255) - Full name of user -identifier:home dir column - varchar(255) - Unix homedir path -identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') -identifier:logon script column - varchar(255) - Batch file to run on client side when logging on -identifier:profile path column - varchar(255) - Path of profile -identifier:acct desc column - varchar(255) - Some ASCII NT user data -identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) -identifier:unknown string column - varchar(255) - unknown string -identifier:munged dial column - varchar(255) - ? 
-identifier:uid column - int(9) - Unix user ID (uid) -identifier:gid column - int(9) - Unix user group (gid) -identifier:user sid column - varchar(255) - NT user SID -identifier:group sid column - varchar(255) - NT group ID -identifier:lanman pass column - varchar(255) - encrypted lanman password -identifier:nt pass column - varchar(255) - encrypted nt passwd -identifier:plain pass column - varchar(255) - plaintext password -identifier:acct control column - int(9) - nt user data -identifier:unknown 3 column - int(9) - unknown -identifier:logon divs column - int(9) - ? -identifier:hours len column - int(9) - ? -identifier:unknown 5 column - int(9) - unknown -identifier:unknown 6 column - int(9) - unknown -</programlisting></para> - -<para> -Eventually, you can put a colon (:) after the name of each column, which -should specify the column to update when updating the table. You can also -specify nothing behind the colon - then the data from the field will not be -updated. -</para> - -</sect2> - -<sect2> -<title>Using plaintext passwords or encrypted password</title> +</sect1> -<para> -I strongly discourage the use of plaintext passwords, however, you can use them: -</para> -<para> -If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. -</para> -<para> -If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. -</para> +<sect1> +<title>Comments</title> -</sect2> - -<sect2> -<title>Getting non-column data from the table</title> <para> -It is possible to have not all data in the database and making some 'constant'. -</para> +Please mail all comments regarding this HOWTO to <ulink +url="mailto:jerry@samba.org">jerry@samba.org</ulink>. This documents was +last updated to reflect the Samba 2.2.3 release. 
-<para> -For example, you can set 'identifier:fullname column' to : -<command>CONCAT(First_name,' ',Sur_name)</command> </para> -<para> -Or, set 'identifier:workstations column' to : -<command>NULL</command></para> - -<para>See the MySQL documentation for more language constructs.</para> -</sect2> </sect1> -<sect1> -<title>Passdb XML plugin</title> - -<sect2> -<title>Building</title> - -<para>This module requires libxml2 to be installed.</para> - -<para>To build pdb_xml, run: <command>make bin/pdb_xml.so</command> in -the directory <filename>source/</filename>. </para> - -</sect2> - -<sect2> -<title>Usage</title> - -<para>The usage of pdb_xml is pretty straightforward. To export data, use: - -<command>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</command> - -(where filename is the name of the file to put the data in) -</para> - -<para> -To import data, use: -<command>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</command> - -Where filename is the name to read the data from and current-pdb to put it in. -</para> -</sect2> -</sect1> </chapter> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index c0be81d989..7cf3e5735c 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -19,7 +19,7 @@ </chapterinfo> <title> -Samba as a NT4 or Win2k Primary Domain Controller +How to Configure Samba as a NT4 Primary Domain Controller </title> @@ -142,7 +142,7 @@ Implementing a Samba PDC can basically be divided into 2 broad steps. </para> -<orderedlist numeration="arabic"> +<orderedlist numeration="Arabic"> <listitem><para> Configuring the Samba PDC </para></listitem> @@ -426,7 +426,7 @@ be created manually. <para><programlisting> [global] - # <...remainder of parameters...> + # <...remainder of parameters...> add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> 
@@ -496,7 +496,7 @@ version of Windows. </para> <para> - A 'machine name' in (typically) <filename>/etc/passwd</filename> + A 'machine name' in (typically) <filename>/etc/passwd</> of the machine name with a '$' appended. FreeBSD (and other BSD systems?) won't create a user with a '$' in their name. </para> @@ -504,7 +504,7 @@ version of Windows. <para> The problem is only in the program used to make the entry, once made, it works perfectly. So create a user without the '$' and - use <command>vipw</command> to edit the entry, adding the '$'. Or create + use <command>vipw</> to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID ! </para> @@ -673,8 +673,8 @@ Here are some additional details: Policy Editor can be installed on an NT Workstation/Server, it will not work with NT policies because the registry key that are set by the policy templates. However, the files from the NT Server will run happily enough on an NTws. - You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. It is convenient - to put the two *.adm files in <filename>c:\winnt\inf</filename> which is where + You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient + to put the two *.adm files in <filename>c:\winnt\inf</> which is where the binary will look for them unless told otherwise. Note also that that directory is 'hidden'. </para> @@ -928,7 +928,7 @@ general SMB topics such as browsing.</para> <listitem><para>See how Scott Merrill simulates a BDC behavior at <ulink url="http://www.skippy.net/linux/smb-howto.html"> - http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem> + http://www.skippy.net/linux/smb-howto.html</>. </para></listitem> <listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba"> 
@@ -958,8 +958,8 @@ general SMB topics such as browsing.</para> <para> There are a number of Samba related mailing lists. Go to <ulink url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror - and then click on <command>Support</command> and then click on <command> - Samba related mailing lists</command>. + and then click on <command>Support</> and then click on <command> + Samba related mailing lists</>. </para> <para> @@ -1028,8 +1028,8 @@ general SMB topics such as browsing.</para> <para>To have your name removed from a samba mailing list, go to the same place you went to to get on it. Go to <ulink url="http://lists.samba.org/">http://lists.samba.org</ulink>, - click on your nearest mirror and then click on <command>Support</command> and - then click on <command> Samba related mailing lists</command>. Or perhaps see + click on your nearest mirror and then click on <command>Support</> and + then click on <command> Samba related mailing lists</>. Or perhaps see <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink> </para> @@ -1112,7 +1112,7 @@ worthwhile lookingat how a Windows 9x/ME client performs a logon: <listitem> <para> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -1704,7 +1704,7 @@ contrast to w95, where it _does_ transfer / update profiles correctly]. <sect1> <title> -DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba +DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba </title> <warning> diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml index a86cd74235..6e1609460f 100644 --- a/docs/docbook/projdoc/msdfs_setup.sgml 
+++ b/docs/docbook/projdoc/msdfs_setup.sgml @@ -4,7 +4,7 @@ <author> <firstname>Shirish</firstname><surname>Kalele</surname> <affiliation> - <orgname>Samba Team & Veritas Software</orgname> + <orgname>Samba Team & Veritas Software</orgname> <address> <email>samba@samba.org</email> </address> diff --git a/docs/docbook/projdoc/pdb_mysql.sgml b/docs/docbook/projdoc/pdb_mysql.sgml new file mode 100644 index 0000000000..59a134a15f --- /dev/null +++ b/docs/docbook/projdoc/pdb_mysql.sgml 
@@ -0,0 +1,146 @@ +<chapter id="pdb-mysql"> +<chapterinfo> + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>The Samba Team</orgname> + <address><email>jelmer@samba.org</email></address> + </affiliation> + </author> + <pubdate>November 2002</pubdate> +</chapterinfo> + +<title>Passdb MySQL plugin</title> + +<sect1> +<title>Building</title> + +<para>To build the plugin, run <command>make bin/pdb_mysql.so</command> +in the <filename>source/</filename> directory of samba distribution. +</para> + +<para>Next, copy pdb_mysql.so to any location you want. I +strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para> + +</sect1> + +<sect1> +<title>Configuring</title> + +<para>This plugin lacks some good documentation, but here is some short info:</para> + +<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>: +<programlisting> +passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins] +</programlisting> +</para> + +<para>The identifier can be any string you like, as long as it doesn't collide with +the identifiers of other plugins or other instances of pdb_mysql. If you +specify multiple pdb_mysql.so entries in 'passdb backend', you also need to +use different identifiers! +</para> + +<para> +Additional options can be given thru the smb.conf file in the [global] section. +</para> + +<para><programlisting> +identifier:mysql host - host name, defaults to 'localhost' +identifier:mysql password +identifier:mysql user - defaults to 'samba' +identifier:mysql database - defaults to 'samba' +identifier:mysql port - defaults to 3306 +identifier:table - Name of the table containing users +</programlisting></para> + +<para> +<emphasis> +WARNING: since the password for the mysql user is stored in the +smb.conf file, you should make the the smb.conf file +readable only to the user that runs samba. 
This is considered a security +bug and will be fixed soon.</emphasis> +</para> + +<para>Names of the columns in this table(I've added column types those columns should have first):</para> + +<para><programlisting> +identifier:logon time column - int(9) +identifier:logoff time column - int(9) +identifier:kickoff time column - int(9) +identifier:pass last set time column - int(9) +identifier:pass can change time column - int(9) +identifier:pass must change time column - int(9) +identifier:username column - varchar(255) - unix username +identifier:domain column - varchar(255) - NT domain user is part of +identifier:nt username column - varchar(255) - NT username +identifier:fullname column - varchar(255) - Full name of user +identifier:home dir column - varchar(255) - Unix homedir path +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:profile path column - varchar(255) - Path of profile +identifier:acct desc column - varchar(255) - Some ASCII NT user data +identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:unknown string column - varchar(255) - unknown string +identifier:munged dial column - varchar(255) - ? +identifier:uid column - int(9) - Unix user ID (uid) +identifier:gid column - int(9) - Unix user group (gid) +identifier:user sid column - varchar(255) - NT user SID +identifier:group sid column - varchar(255) - NT group ID +identifier:lanman pass column - varchar(255) - encrypted lanman password +identifier:nt pass column - varchar(255) - encrypted nt passwd +identifier:plain pass column - varchar(255) - plaintext password +identifier:acct control column - int(9) - nt user data +identifier:unknown 3 column - int(9) - unknown +identifier:logon divs column - int(9) - ? +identifier:hours len column - int(9) - ? 
+identifier:unknown 5 column - int(9) - unknown +identifier:unknown 6 column - int(9) - unknown +</programlisting></para> + +<para> +Eventually, you can put a colon (:) after the name of each column, which +should specify the column to update when updating the table. You can also +specify nothing behind the colon - then the data from the field will not be +updated. +</para> + +</sect1> + +<sect1> +<title>Using plaintext passwords or encrypted password</title> + +<para> +I strongly discourage the use of plaintext passwords, however, you can use them: +</para> + +<para> +If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. +</para> + +<para> +If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. +</para> + +</sect1> + +<sect1> +<title>Getting non-column data from the table</title> + +<para> +It is possible to have not all data in the database and making some 'constant'. +</para> + +<para> +For example, you can set 'identifier:fullname column' to : +<command>CONCAT(First_name,' ',Sur_name)</command> +</para> + +<para> +Or, set 'identifier:workstations column' to : +<command>NULL</command></para> + +<para>See the MySQL documentation for more language constructs.</para> + +</sect1> +</chapter> diff --git a/docs/docbook/projdoc/pdb_xml.sgml b/docs/docbook/projdoc/pdb_xml.sgml new file mode 100644 index 0000000000..87afb7b401 --- /dev/null +++ b/docs/docbook/projdoc/pdb_xml.sgml 
@@ -0,0 +1,42 @@ +<chapter id="pdb-xml"> +<chapterinfo> + <author> + <firstname>Jelmer</firstname><surname>Vernooij</surname> + <affiliation> + <orgname>The Samba Team</orgname> + <address><email>jelmer@samba.org</email></address> + </affiliation> + </author> + <pubdate>November 2002</pubdate> +</chapterinfo> + +<title>Passdb XML plugin</title> + +<sect1> +<title>Building</title> + +<para>This module requires libxml2 to be installed.</para> + +<para>To build pdb_xml, run: <command>make bin/pdb_xml.so</command> in +the directory <filename>source/</filename>. </para> + +</sect1> + +<sect1> +<title>Usage</title> + +<para>The usage of pdb_xml is pretty straightforward. To export data, use: + +<command>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</command> + +(where filename is the name of the file to put the data in) +</para> + +<para> +To import data, use: +<command>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</command> + +Where filename is the name to read the data from and current-pdb to put it in. +</para> +</sect1> +</chapter> diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml index 8d15e437b2..7bca8dc6f5 100644 --- a/docs/docbook/projdoc/printer_driver2.sgml +++ b/docs/docbook/projdoc/printer_driver2.sgml @@ -409,8 +409,8 @@ echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP -touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 -chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 +touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 +chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 mkdir /var/spool/lpd/$2 chmod 700 /var/spool/lpd/$2 
@@ -757,7 +757,7 @@ be: /usr/bin/id -p >/tmp/tmp.print # we run the command and save the error messages # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print + /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print </programlisting></para> <para> diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 246fba1228..8cf16478c8 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -1,5 +1,6 @@ <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [ <!ENTITY UNIX-INSTALL SYSTEM "UNIX_INSTALL.sgml"> +<!ENTITY ENCRYPTION SYSTEM "ENCRYPTION.sgml"> <!ENTITY MS-Dfs-Setup SYSTEM "msdfs_setup.sgml"> <!ENTITY PRINTER-DRIVER2 SYSTEM "printer_driver2.sgml"> <!ENTITY DOMAIN-MEMBER SYSTEM "DOMAIN_MEMBER.sgml"> @@ -10,6 +11,7 @@ <!ENTITY CVS-Access SYSTEM "CVS-Access.sgml"> <!ENTITY IntegratingWithWindows SYSTEM "Integrating-with-Windows.sgml"> <!ENTITY Samba-PAM SYSTEM "PAM-Authentication-And-Samba.sgml"> +<!ENTITY Samba-LDAP SYSTEM "Samba-LDAP-HOWTO.sgml"> <!ENTITY Diagnosis SYSTEM "Diagnosis.sgml"> <!ENTITY BUGS SYSTEM "Bugs.sgml"> <!ENTITY SECURITY-LEVEL SYSTEM "security_level.sgml"> @@ -20,10 +22,9 @@ <!ENTITY Portability SYSTEM "Portability.sgml"> <!ENTITY Other-Clients SYSTEM "Other-Clients.sgml"> <!ENTITY ADS-HOWTO SYSTEM "ADS-HOWTO.sgml"> -<!ENTITY Passdb SYSTEM "passdb.sgml"> +<!ENTITY pdb-mysql SYSTEM "pdb_mysql.sgml"> +<!ENTITY pdb-xml SYSTEM "pdb_xml.sgml"> <!ENTITY VFS SYSTEM "VFS.sgml"> -<!ENTITY GroupProfiles SYSTEM "GroupProfiles.sgml"> -<!ENTITY SecuringSamba SYSTEM "securing-samba.sgml"> ]> <book id="Samba-HOWTO-Collection"> @@ -77,8 +78,9 @@ and how to configure the parts of samba you will most likely need. PLEASE read this.</para> </partintro> &UNIX-INSTALL; +&BROWSING; &BROWSING-Quick; -&Passdb; +&ENCRYPTION; </part> <part id="type"> 
@@ -110,13 +112,13 @@ part each cover one specific feature.</para> &MS-Dfs-Setup; &PRINTER-DRIVER2; &WINBIND; -&BROWSING; +&pdb-mysql; +&pdb-xml; &VFS; +&Samba-LDAP; &CVS-Access; &GROUP-MAPPING-HOWTO; &SPEED; -&GroupProfiles; -&SecuringSamba; </part> <part id="Appendixes"> diff --git a/docs/docbook/projdoc/upgrading-to-3.0.sgml b/docs/docbook/projdoc/upgrading-to-3.0.sgml index f227556151..5b6b8dd635 100644 --- a/docs/docbook/projdoc/upgrading-to-3.0.sgml +++ b/docs/docbook/projdoc/upgrading-to-3.0.sgml @@ -16,24 +16,4 @@ FIXME </sect1> -<sect1> -<title>Obsolete configuration options</title> - -<para> -In 3.0, the following configuration options have been removed. -</para> - -<simplelist> -<member>printer driver</member> -<member>printer driver file</member> -<member>printer driver location</member> -<member>use rhosts</member> -<member>postscript</member> -</simplelist> - -<para>The first three options have been replaced by new driver procedures. -Please read the printing documentation.</para> - -</sect1> - </chapter> diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 06579617f5..d2bfb8ab67 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -2,7 +2,6 @@ <chapterinfo> - <authorgroup> <author> <firstname>Tim</firstname><surname>Potter</surname> <affiliation> @@ -11,7 +10,7 @@ </affiliation> </author> <author> - <firstname>Andrew</firstname><surname>Tridgell</surname> + <firstname>Andrew</firstname><surname>Trigdell</surname> <affiliation> <orgname>Samba Team</orgname> <address><email>tridge@linuxcare.com.au</email></address> @@ -36,7 +35,6 @@ <address><email>jelmer@nl.linux.org</email></address> </affiliation> </author> - </authorgroup> <pubdate>27 June 2002</pubdate> </chapterinfo> 
@@ -175,7 +173,7 @@ <sect2> <title>Microsoft Remote Procedure Calls</title> - <para>Over the last few years, efforts have been underway + <para>Over the last two years, efforts have been underway by various Samba Team members to decode various aspects of the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network related operations between @@ -194,21 +192,6 @@ </sect2> <sect2> - <title>Microsoft Active Directory Services</title> - - <para> - Since late 2001, Samba has gained the ability to - interact with Microsoft Windows 2000 using its 'Native - Mode' protocols, rather than the NT4 RPC services. - Using LDAP and Kerberos, a domain member running - winbind can enumerate users and groups in exactly the - same way as a Win2k client would, and in so doing - provide a much more efficient and - effective winbind implementation. - </para> - </sect2> - - <sect2> <title>Name Service Switch</title> <para>The Name Service Switch, or NSS, is a feature that is @@ -481,7 +464,7 @@ whether or not you have previously built the Samba binaries. <prompt>root#</prompt> <command>autoconf</command> <prompt>root#</prompt> <command>make clean</command> <prompt>root#</prompt> <command>rm config.cache</command> -<prompt>root#</prompt> <command>./configure</command> +<prompt>root#</prompt> <command>./configure --with-winbind</command> <prompt>root#</prompt> <command>make</command> <prompt>root#</prompt> <command>make install</command> </programlisting></para> @@ -569,7 +552,7 @@ include the following entries in the [global] section: <para><programlisting> [global] - <...> + <...> # separate domain and username with '+', like DOMAIN+username <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = + # use uids from 10000 to 20000 for domain users 
@@ -599,7 +582,7 @@ a domain user who has administrative privileges in the domain. <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command> +<prompt>root#</prompt> <command>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</command> </para> @@ -750,7 +733,7 @@ start() { daemon /usr/local/samba/bin/winbindd RETVAL3=$? echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ RETVAL=1 return $RETVAL } @@ -777,7 +760,7 @@ stop() { echo -n $"Shutting down $KIND services: " killproc winbindd RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb echo "" return $RETVAL } @@ -808,7 +791,7 @@ killproc() { # kill the named process(es) pid=`/usr/bin/ps -e | /usr/bin/grep -w $1 | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid + [ "$pid" != "" ] && kill $pid } # Start/stop processes required for samba server @@ -1059,7 +1042,7 @@ annoying double prompts for passwords. </para> <para> -Now restart your Samba and try connecting through your application that you +Now restart your Samba & try connecting through your application that you configured in the pam.conf. </para> @@ -1080,7 +1063,7 @@ configured in the pam.conf. <itemizedlist> <listitem><para>Winbind is currently only available for - the Linux, Solaris and IRIX operating systems, although ports to other operating + the Linux operating system, although ports to other operating systems are certainly possible. For such ports to be feasible, we require the C library of the target operating system to support the Name Service Switch and Pluggable Authentication 
@@ -1096,8 +1079,7 @@ configured in the pam.conf. <listitem><para>Currently the winbind PAM module does not take into account possible workstation and logon time restrictions - that may be been set for Windows NT users, this is - instead up to the PDC to enforce.</para></listitem> + that may be been set for Windows NT users.</para></listitem> </itemizedlist> </sect1> |
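Review bot: in the pdb_mysql column table (the `identifier:lanman pass column` and `identifier:nt pass column` rows) the descriptions say "encrypted lanman password" / "encrypted nt passwd", but what these columns hold are the LM and NT hashes, which are password-equivalent for SMB authentication; the table should say so and the chapter should add a sentence that read access to this table, and to the MySQL credentials in smb.conf, has to be restricted exactly as for a smbpasswd file. Also, "Eventually, you can put a colon (:) after the name of each column" reads as a time reference; "Optionally" is the intended word.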
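Review bot: the pdb_xml Usage section documents `pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename` without saying that the resulting XML file contains the same password hashes as the passdb; it should tell the reader to create the file with restrictive permissions (root-only, for example under a 077 umask) and to remove it after the import. Also, `current-pdb` in the import command is a placeholder for the target backend rather than a literal value, so mark it as such the way `filename` is explained.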
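Review bot: the printer_driver2.sgml hunk at @@ -409 changes only whitespace on the `touch`/`chown` lines, while the neighbouring `mkdir /var/spool/lpd/$2` and `chmod 700 /var/spool/lpd/$2` leave `$2` unquoted even though the `touch` and `chown` lines quote their path; since these positional parameters come from the print command line, quote `"$2"` consistently while this block is being touched.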
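Review bot: in the printer_driver2.sgml hunk at @@ -757 the redirection `2>>&/tmp/tmp.print` is not valid Bourne-shell syntax, and the hunk only changes whitespace around it; to append stderr to the log the line should read `/usr/bin/lpr -r -P$1 $2 2>>/tmp/tmp.print`, otherwise the example script fails to parse.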
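Review bot: the samba-doc.sgml hunk at @@ -20,10 +22,9 removes the `Passdb`, `GroupProfiles` and `SecuringSamba` entity declarations, and the @@ -110 hunk drops the matching `&GroupProfiles;` and `&SecuringSamba;` references, so the securing-samba chapter, the one that tells administrators how to lock the server down, disappears from the HOWTO collection; if that is intentional the commit message should say why, otherwise keep both the declarations and the references. The `&BROWSING;` move from the type part to the introduction part is fine as long as its declaration (not shown in the hunk) still exists.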
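Review bot: in upgrading-to-3.0.sgml, deleting the "Obsolete configuration options" sect1 leaves the chapter with nothing but "FIXME"; the list of removed parameters (`printer driver`, `printer driver file`, `printer driver location`, `use rhosts`, `postscript`) is precisely what someone upgrading needs, and `use rhosts` in particular matters because a configuration that relied on it will silently authenticate differently after the upgrade. Keep the section, or state in the commit message where it moved.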
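Review bot: the winbind.sgml hunk at @@ -11,7 +10,7 introduces a misspelling: `<surname>Trigdell</surname>` should be `Tridgell`, consistent with the `tridge@linuxcare.com.au` address in the same hunk. Dropping the `<authorgroup>` wrapper in the adjacent hunks is accepted by the DTD but loses the conventional grouping of the four authors; keep it unless there is a reason not to.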
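Review bot: in the winbind.sgml hunk at @@ -175, "Over the last two years" dates the text and will be wrong within months; "Over the last few years" is the wording that stays correct.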
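Review bot: the winbind.sgml hunk at @@ -808 is whitespace-only, but the `killproc()` context it touches finds pids with `ps -e | grep -w $1`, which matches any process whose `ps` line contains that word rather than the daemon itself, so a stop can signal unrelated processes; if this line is being edited, look the pid up by exact command name (`pidof winbindd` or `ps -C winbindd -o pid=`) or use the distribution's own `killproc`.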
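Review bot: in the winbind.sgml hunk at @@ -1059, replacing "and" with a bare `&` in SGML element content is fragile: SGML parsers may tolerate an ampersand followed by whitespace, but XML-based toolchains will reject it; keep "Now restart your Samba and try connecting" or write `&amp;`.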
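Review bot: the winbind.sgml hunk at @@ -1080 narrows the supported-platform list from "Linux, Solaris and IRIX" to "the Linux operating system" without explanation; if the Solaris and IRIX ports are not working this should be stated in the commit message, otherwise keep the fuller list.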
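Review bot: in the winbind.sgml hunk at @@ -1096, dropping "this is instead up to the PDC to enforce" removes the only statement of where workstation and logon-time restrictions are enforced; readers need to know that the winbind PAM module does not apply them, so that those restrictions are not relied on for access control through winbind. The remaining text also keeps the typo "may be been set", which should read "may have been set".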