diff options
Diffstat (limited to 'docs/docbook')
| -rw-r--r-- | docs/docbook/projdoc/Browsing-Quickguide.sgml | 75 | ||||
| -rw-r--r-- | docs/docbook/projdoc/Integrating-with-Windows.sgml | 443 | ||||
| -rw-r--r-- | docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | 111 | ||||
| -rw-r--r-- | docs/docbook/projdoc/Samba-BDC-HOWTO.sgml | 2 | ||||
| -rw-r--r-- | docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 761 | ||||
| -rw-r--r-- | docs/docbook/projdoc/ServerType.sgml | 7 | ||||
| -rw-r--r-- | docs/docbook/projdoc/samba-doc.sgml | 16 | ||||
| -rw-r--r-- | docs/docbook/projdoc/security_level.sgml | 222 |
8 files changed, 428 insertions, 1209 deletions
diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index 0a5cf72038..adf20b7386 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -85,6 +85,81 @@ minutes to stabilise, particularly across network segments. </sect1> <sect1> +<title>How browsing functions and how to deploy stable and +dependable browsing using Samba</title> + + +<para> +As stated above, MS Windows machines register their NetBIOS names +(i.e.: the machine name for each service type in operation) on start +up. Also, as stated above, the exact method by which this name registration +takes place is determined by whether or not the MS Windows client/server +has been given a WINS server address, whether or not LMHOSTS lookup +is enabled, or if DNS for NetBIOS name resolution is enabled, etc. +</para> + +<para> +In the case where there is no WINS server all name registrations as +well as name lookups are done by UDP broadcast. This isolates name +resolution to the local subnet, unless LMHOSTS is used to list all +names and IP addresses. In such situations Samba provides a means by +which the samba server name may be forcibly injected into the browse +list of a remote MS Windows network (using the "remote announce" parameter). +</para> + +<para> +Where a WINS server is used, the MS Windows client will use UDP +unicast to register with the WINS server. Such packets can be routed +and thus WINS allows name resolution to function across routed networks. +</para> + +<para> +During the startup process an election will take place to create a +local master browser if one does not already exist. On each NetBIOS network +one machine will be elected to function as the domain master browser. This +domain browsing has nothing to do with MS security domain control. +Instead, the domain master browser serves the role of contacting each local +master browser (found by asking WINS or from LMHOSTS) and exchanging browse +list contents. This way every master browser will eventually obtain a complete +list of all machines that are on the network. Every 11-15 minutes an election +is held to determine which machine will be the master browser. By the nature of +the election criteria used, the machine with the highest uptime, or the +most senior protocol version, or other criteria, will win the election +as domain master browser. +</para> + +<para> +Clients wishing to browse the network make use of this list, but also depend +on the availability of correct name resolution to the respective IP +address/addresses. +</para> + +<para> +Any configuration that breaks name resolution and/or browsing intrinsics +will annoy users because they will have to put up with protracted +inability to use the network services. +</para> + +<para> +Samba supports a feature that allows forced synchonisation +of browse lists across routed networks using the "remote +browse sync" parameter in the smb.conf file. This causes Samba +to contact the local master browser on a remote network and +to request browse list synchronisation. This effectively bridges +two networks that are separated by routers. The two remote +networks may use either broadcast based name resolution or WINS +based name resolution, but it should be noted that the "remote +browse sync" parameter provides browse list synchronisation - and +that is distinct from name to address resolution, in other +words, for cross subnet browsing to function correctly it is +essential that a name to address resolution mechanism be provided. +This mechanism could be via DNS, <filename>/etc/hosts</filename>, +and so on. +</para> + +</sect1> + +<sect1> <title>Use of the "Remote Announce" parameter</title> <para> The "remote announce" parameter of smb.conf can be used to forcibly ensure diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index a4e79fd42b..8a5c0c40f2 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -18,48 +18,46 @@ <title>Integrating MS Windows networks with Samba</title> -<sect1> -<title>Agenda</title> - <para> -To identify the key functional mechanisms of MS Windows networking -to enable the deployment of Samba as a means of extending and/or -replacing MS Windows NT/2000 technology. +This section deals with NetBIOS over TCP/IP name to IP address resolution. If you +your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this +section does not apply to your installation. If your installation involves use of +NetBIOS over TCP/IP then this section may help you to resolve networking problems. </para> +<note> <para> -We will examine: + NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS + over Logical Link Control (LLC). On modern networks it is highly advised + to NOT run NetBEUI at all. Note also that there is NO such thing as + NetBEUI over TCP/IP - the existence of such a protocol is a complete + and utter mis-apprehension. </para> +</note> -<orderedlist> - <listitem><para>Name resolution in a pure Unix/Linux TCP/IP - environment - </para></listitem> - - <listitem><para>Name resolution as used within MS Windows - networking - </para></listitem> - - <listitem><para>How browsing functions and how to deploy stable - and dependable browsing using Samba - </para></listitem> - - <listitem><para>MS Windows security options and how to - configure Samba for seemless integration - </para></listitem> +<para> +Since the introduction of MS Windows 2000 it is possible to run MS Windows networking +without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS +name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over +TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be +used and UDP port 137 and TCP port 139 will not. +</para> - <listitem><para>Configuration of Samba as:</para> - <orderedlist> - <listitem><para>A stand-alone server</para></listitem> - <listitem><para>An MS Windows NT 3.x/4.0 security domain member - </para></listitem> - <listitem><para>An alternative to an MS Windows NT 3.x/4.0 Domain Controller - </para></listitem> - </orderedlist> - </listitem> -</orderedlist> +<note> +<para> +When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then +the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet +Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic). +</para> +</note> -</sect1> +<para> +When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that +disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires +Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR). +Use of DHCP with ADS is recommended as a further means of maintaining central control +over client workstation network configuration. +</para> <sect1> @@ -555,381 +553,4 @@ of the WINS server. </sect2> </sect1> - -<sect1> -<title>How browsing functions and how to deploy stable and -dependable browsing using Samba</title> - - -<para> -As stated above, MS Windows machines register their NetBIOS names -(i.e.: the machine name for each service type in operation) on start -up. Also, as stated above, the exact method by which this name registration -takes place is determined by whether or not the MS Windows client/server -has been given a WINS server address, whether or not LMHOSTS lookup -is enabled, or if DNS for NetBIOS name resolution is enabled, etc. -</para> - -<para> -In the case where there is no WINS server all name registrations as -well as name lookups are done by UDP broadcast. This isolates name -resolution to the local subnet, unless LMHOSTS is used to list all -names and IP addresses. In such situations Samba provides a means by -which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter). -</para> - -<para> -Where a WINS server is used, the MS Windows client will use UDP -unicast to register with the WINS server. Such packets can be routed -and thus WINS allows name resolution to function across routed networks. -</para> - -<para> -During the startup process an election will take place to create a -local master browser if one does not already exist. On each NetBIOS network -one machine will be elected to function as the domain master browser. This -domain browsing has nothing to do with MS security domain control. -Instead, the domain master browser serves the role of contacting each local -master browser (found by asking WINS or from LMHOSTS) and exchanging browse -list contents. This way every master browser will eventually obtain a complete -list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By the nature of -the election criteria used, the machine with the highest uptime, or the -most senior protocol version, or other criteria, will win the election -as domain master browser. -</para> - -<para> -Clients wishing to browse the network make use of this list, but also depend -on the availability of correct name resolution to the respective IP -address/addresses. -</para> - -<para> -Any configuration that breaks name resolution and/or browsing intrinsics -will annoy users because they will have to put up with protracted -inability to use the network services. -</para> - -<para> -Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and -to request browse list synchronisation. This effectively bridges -two networks that are separated by routers. The two remote -networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and -that is distinct from name to address resolution, in other -words, for cross subnet browsing to function correctly it is -essential that a name to address resolution mechanism be provided. -This mechanism could be via DNS, <filename>/etc/hosts</filename>, -and so on. -</para> - -</sect1> - -<sect1> -<title>MS Windows security options and how to configure -Samba for seemless integration</title> - -<para> -MS Windows clients may use encrypted passwords as part of a -challenege/response authentication model (a.k.a. NTLMv1) or -alone, or clear text strings for simple password based -authentication. It should be realized that with the SMB -protocol the password is passed over the network either -in plain text or encrypted, but not both in the same -authentication requets. -</para> - -<para> -When encrypted passwords are used a password that has been -entered by the user is encrypted in two ways: -</para> - -<itemizedlist> - <listitem><para>An MD4 hash of the UNICODE of the password - string. This is known as the NT hash. - </para></listitem> - - <listitem><para>The password is converted to upper case, - and then padded or trucated to 14 bytes. This string is - then appended with 5 bytes of NULL characters and split to - form two 56 bit DES keys to encrypt a "magic" 8 byte value. - The resulting 16 bytes for the LanMan hash. - </para></listitem> -</itemizedlist> - -<para> -You should refer to the <ulink url="ENCRYPTION.html"> -Password Encryption</ulink> chapter in this HOWTO collection -for more details on the inner workings -</para> - -<para> -MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x -and version 4.0 pre-service pack 3 will use either mode of -password authentication. All versions of MS Windows that follow -these versions no longer support plain text passwords by default. -</para> - -<para> -MS Windows clients have a habit of dropping network mappings that -have been idle for 10 minutes or longer. When the user attempts to -use the mapped drive connection that has been dropped, the client -re-establishes the connection using -a cached copy of the password. -</para> - -<para> -When Microsoft changed the default password mode, they dropped support for -caching of the plain text password. This means that when the registry -parameter is changed to re-enable use of plain text passwords it appears to -work, but when a dropped mapping attempts to revalidate it will fail if -the remote authentication server does not support encrypted passwords. -This means that it is definitely not a good idea to re-enable plain text -password support in such clients. -</para> - -<para> -The following parameters can be used to work around the -issue of Windows 9x client upper casing usernames and -password before transmitting them to the SMB server -when using clear text authentication. -</para> - -<para><programlisting> - <ulink url="smb.conf.5.html#PASSWORDLEVEL">passsword level</ulink> = <replaceable>integer</replaceable> - <ulink url="smb.conf.5.html#USERNAMELEVEL">username level</ulink> = <replaceable>integer</replaceable> -</programlisting></para> - -<para> -By default Samba will lower case the username before attempting -to lookup the user in the database of local system accounts. -Because UNIX usernames conventionally only contain lower case -character, the <parameter>username level</parameter> parameter -is rarely even needed. -</para> - -<para> -However, password on UNIX systems often make use of mixed case -characters. This means that in order for a user on a Windows 9x -client to connect to a Samba server using clear text authentication, -the <parameter>password level</parameter> must be set to the maximum -number of upper case letter which <emphasis>could</emphasis> appear -is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a <parameter>password level</parameter> -of 8 will result in case insensitive passwords as seen from Windows -users. This will also result in longer login times as Samba -hash to compute the permutations of the password string and -try them one by one until a match is located (or all combinations fail). -</para> - -<para> -The best option to adopt is to enable support for encrypted passwords -where ever Samba is used. There are three configuration possibilities -for support of encrypted passwords: -</para> - - -<sect2> -<title>Use MS Windows NT as an authentication server</title> - -<para> -This method involves the additions of the following parameters -in the smb.conf file: -</para> - -<para><programlisting> - encrypt passwords = Yes - security = server - password server = "NetBIOS_name_of_PDC" -</programlisting></para> - - -<para> -There are two ways of identifying whether or not a username and -password pair was valid or not. One uses the reply information provided -as part of the authentication messaging process, the other uses -just and error code. -</para> - -<para> -The down-side of this mode of configuration is the fact that -for security reasons Samba will send the password server a bogus -username and a bogus password and if the remote server fails to -reject the username and password pair then an alternative mode -of identification of validation is used. Where a site uses password -lock out after a certain number of failed authentication attempts -this will result in user lockouts. -</para> - -<para> -Use of this mode of authentication does require there to be -a standard Unix account for the user, this account can be blocked -to prevent logons by other than MS Windows clients. -</para> - -</sect2> - -<sect2> -<title>Make Samba a member of an MS Windows NT security domain</title> - -<para> -This method involves additon of the following paramters in the smb.conf file: -</para> - -<para><programlisting> - encrypt passwords = Yes - security = domain - workgroup = "name of NT domain" - password server = * -</programlisting></para> - -<para> -The use of the "*" argument to "password server" will cause samba -to locate the domain controller in a way analogous to the way -this is done within MS Windows NT. -</para> - -<para> -In order for this method to work the Samba server needs to join the -MS Windows NT security domain. This is done as follows: -</para> - -<itemizedlist> - <listitem><para>On the MS Windows NT domain controller using - the Server Manager add a machine account for the Samba server. - </para></listitem> - - <listitem><para>Next, on the Linux system execute: - <command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> - </para></listitem> -</itemizedlist> - -<para> -Use of this mode of authentication does require there to be -a standard Unix account for the user in order to assign -a uid once the account has been authenticated by the remote -Windows DC. This account can be blocked to prevent logons by -other than MS Windows clients by things such as setting an invalid -shell in the <filename>/etc/passwd</filename> entry. -</para> - -<para> -An alternative to assigning UIDs to Windows users on a -Samba member server is presented in the <ulink -url="winbind.html">Winbind Overview</ulink> chapter in -this HOWTO collection. -</para> - - -</sect2> - - -<sect2> -<title>Configure Samba as an authentication server</title> - -<para> -This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as an -smbpasswd entry for the user. The Unix system account can be -locked if required as only the encrypted password will be -used for SMB client authentication. -</para> - -<para> -This method involves addition of the following parameters to -the smb.conf file: -</para> - -<para><programlisting> -## please refer to the Samba PDC HOWTO chapter later in -## this collection for more details -[global] - encrypt passwords = Yes - security = user - domain logons = Yes - ; an OS level of 33 or more is recommended - os level = 33 - -[NETLOGON] - path = /somewhare/in/file/system - read only = yes -</programlisting></para> - -<para> -in order for this method to work a Unix system account needs -to be created for each user, as well as for each MS Windows NT/2000 -machine. The following structure is required. -</para> - -<sect3> -<title>Users</title> - -<para> -A user account that may provide a home directory should be -created. The following Linux system commands are typical of -the procedure for creating an account. -</para> - -<para><programlisting> - # useradd -s /bin/bash -d /home/"userid" -m "userid" - # passwd "userid" - Enter Password: <pw> - - # smbpasswd -a "userid" - Enter Password: <pw> -</programlisting></para> -</sect3> - -<sect3> -<title>MS Windows NT Machine Accounts</title> - -<para> -These are required only when Samba is used as a domain -controller. Refer to the Samba-PDC-HOWTO for more details. -</para> - -<para><programlisting> - # useradd -s /bin/false -d /dev/null "machine_name"\$ - # passwd -l "machine_name"\$ - # smbpasswd -a -m "machine_name" -</programlisting></para> -</sect3> -</sect2> -</sect1> - - -<sect1> -<title>Conclusions</title> - -<para> -Samba provides a flexible means to operate as... -</para> - -<itemizedlist> - <listitem><para>A Stand-alone server - No special action is needed - other than to create user accounts. Stand-alone servers do NOT - provide network logon services, meaning that machines that use this - server do NOT perform a domain logon but instead make use only of - the MS Windows logon which is local to the MS Windows - workstation/server. - </para></listitem> - - <listitem><para>An MS Windows NT 3.x/4.0 security domain member. - </para></listitem> - - - <listitem><para>An alternative to an MS Windows NT 3.x/4.0 - Domain Controller. - </para></listitem> - -</itemizedlist> - -</sect1> - </chapter> diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index d6fe6760b5..7608f821cf 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -11,8 +11,6 @@ </address> </affiliation> </author> - - <pubdate> (Jun 21 2001) </pubdate> </chapterinfo> @@ -42,6 +40,19 @@ PAM is configured either through one file <filename>/etc/pam.conf</filename> (So or by editing individual files that are located in <filename>/etc/pam.d</filename>. </para> +<note> + <para> + If the PAM authentication module (loadable link library file) is located in the + default location then it is not necessary to specify the path. In the case of + Linux, the default location is <filename>/lib/security</filename>. If the module + is located other than default then the path may be specified as: + + <programlisting> + eg: "auth required /other_path/pam_strange_module.so" + </programlisting> + </para> +</note> + <para> The following is an example <filename>/etc/pam.d/login</filename> configuration file. This example had all options been uncommented is probably not usable @@ -51,20 +62,20 @@ by commenting them out except the calls to <filename>pam_pwdb.so</filename>. </para> <para><programlisting> -#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_securetty.so -auth required pam_nologin.so -# auth required pam_dialup.so -# auth optional pam_mail.so -auth required pam_pwdb.so shadow md5 -# account requisite pam_time.so -account required pam_pwdb.so -session required pam_pwdb.so -# session optional pam_lastlog.so -# password required pam_cracklib.so retry=3 -password required pam_pwdb.so shadow md5 + #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_securetty.so + auth required pam_nologin.so + # auth required pam_dialup.so + # auth optional pam_mail.so + auth required pam_pwdb.so shadow md5 + # account requisite pam_time.so + account required pam_pwdb.so + session required pam_pwdb.so + # session optional pam_lastlog.so + # password required pam_cracklib.so retry=3 + password required pam_pwdb.so shadow md5 </programlisting></para> <para> @@ -73,19 +84,19 @@ sample system include: </para> <para><programlisting> -$ /bin/ls /lib/security -pam_access.so pam_ftp.so pam_limits.so -pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so -pam_cracklib.so pam_group.so pam_listfile.so -pam_nologin.so pam_rootok.so pam_tally.so -pam_deny.so pam_issue.so pam_mail.so -pam_permit.so pam_securetty.so pam_time.so -pam_dialup.so pam_lastlog.so pam_mkhomedir.so -pam_pwdb.so pam_shells.so pam_unix.so -pam_env.so pam_ldap.so pam_motd.so -pam_radius.so pam_smbpass.so pam_unix_acct.so -pam_wheel.so pam_unix_auth.so pam_unix_passwd.so -pam_userdb.so pam_warn.so pam_unix_session.so + $ /bin/ls /lib/security + pam_access.so pam_ftp.so pam_limits.so + pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so + pam_cracklib.so pam_group.so pam_listfile.so + pam_nologin.so pam_rootok.so pam_tally.so + pam_deny.so pam_issue.so pam_mail.so + pam_permit.so pam_securetty.so pam_time.so + pam_dialup.so pam_lastlog.so pam_mkhomedir.so + pam_pwdb.so pam_shells.so pam_unix.so + pam_env.so pam_ldap.so pam_motd.so + pam_radius.so pam_smbpass.so pam_unix_acct.so + pam_wheel.so pam_unix_auth.so pam_unix_passwd.so + pam_userdb.so pam_warn.so pam_unix_session.so </programlisting></para> <para> @@ -110,13 +121,13 @@ source distribution. </para> <para><programlisting> -#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_smbpass.so nodelay -account required pam_smbpass.so nodelay -session required pam_smbpass.so nodelay -password required pam_smbpass.so nodelay + #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_smbpass.so nodelay + account required pam_smbpass.so nodelay + session required pam_smbpass.so nodelay + password required pam_smbpass.so nodelay </programlisting></para> <para> @@ -125,13 +136,13 @@ Linux system. The default condition uses <filename>pam_pwdb.so</filename>. </para> <para><programlisting> -#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_pwdb.so shadow md5 + #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit + account required /lib/security/pam_pwdb.so audit nodelay + session required /lib/security/pam_pwdb.so nodelay + password required /lib/security/pam_pwdb.so shadow md5 </programlisting></para> <para> @@ -143,13 +154,13 @@ program. </para> <para><programlisting> -#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_smbpass.so nodelay -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf + #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required /lib/security/pam_smbpass.so nodelay + account required /lib/security/pam_pwdb.so audit nodelay + session required /lib/security/pam_pwdb.so nodelay + password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf </programlisting></para> <note><para>PAM allows stacking of authentication mechanisms. It is diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index e3bee32db0..46e69e4ba9 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -13,7 +13,7 @@ </chapterinfo> <title> -How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain +Samba Backup Domain Controller to Samba Domain Control </title> <sect1> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 53dae21775..c8a20ba8d9 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -68,27 +68,32 @@ PDC functionality. <itemizedlist> <listitem><para> - domain logons for Windows NT 4.0 / 200x / XP Professional clients. + Domain logons for Windows NT 4.0 / 200x / XP Professional clients. </para></listitem> <listitem><para> - placing Windows 9x / Me clients in user level security + Placing Windows 9x / Me clients in user level security </para></listitem> <listitem><para> - retrieving a list of users and groups from a Samba PDC to + Retrieving a list of users and groups from a Samba PDC to Windows 9x / Me / NT / 200x / XP Professional clients </para></listitem> <listitem><para> - roaming user profiles + Roaming Profiles </para></listitem> <listitem><para> - Windows NT 4.0-style system policies + Network/System Policies </para></listitem> </itemizedlist> +<note> +<para> +Roaming Profiles and System/Network policies are advanced network administration topics +that are covered separately in this document. +</para> <para> The following functionalities are new to the Samba 3.0 release: @@ -587,18 +592,17 @@ version of Windows. <para>I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try a gain or consult your + can not log you on (C000019B), Please try again or consult your system administrator" when attempting to logon. </para> <para> - This occurs when the domain SID stored in - <filename>private/WORKGROUP.SID</filename> is - changed. For example, you remove the file and <command>smbd</command> automatically - creates a new one. Or you are swapping back and forth between - versions 2.0.7, TNG and the HEAD branch code (not recommended). The - only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. + This occurs when the domain SID stored in the secrets.tdb database + is changed. The most common cause of a change in domain SID is when + the domain name and/or the server name (netbios name) is changed. + The only way to correct the problem is to restore the original domain + SID or remove the domain client from the domain and rejoin. The domain + SID may be reset using either the smbpasswd or rpcclient utilities. </para> </listitem> @@ -675,128 +679,6 @@ version of Windows. </sect1> - - -<!-- ********************************************************** - - Policies and Profiles - -*************************************************************** --> - -<sect1> -<title> -System Policies and Profiles -</title> - -<para> -Much of the information necessary to implement System Policies and -Roving User Profiles in a Samba domain is the same as that for -implementing these same items in a Windows NT 4.0 domain. -You should read the white paper <ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">Implementing -Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft. -</para> - -<para> -Here are some additional details: -</para> - -<itemizedlist> - -<listitem> - <para> - <emphasis>What about Windows NT Policy Editor?</emphasis> - </para> - - <para> - To create or edit <filename>ntconfig.pol</filename> you must use - the NT Server Policy Editor, <command>poledit.exe</command> which - is included with NT Server but <emphasis>not NT Workstation</emphasis>. - There is a Policy Editor on a NTws - but it is not suitable for creating <emphasis>Domain Policies</emphasis>. - Further, although the Windows 95 - Policy Editor can be installed on an NT Workstation/Server, it will not - work with NT policies because the registry key that are set by the policy templates. - However, the files from the NT Server will run happily enough on an NTws. - You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. It is convenient - to put the two *.adm files in <filename>c:\winnt\inf</filename> which is where - the binary will look for them unless told otherwise. Note also that that - directory is 'hidden'. - </para> - - <para> - The Windows NT policy editor is also included with the Service Pack 3 (and - later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>, - i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor, - <command>poledit.exe</command> and the associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template - files for Office97 and get a copy of the policy editor. Another possible - location is with the Zero Administration Kit available for download from Microsoft. - </para> -</listitem> - - -<listitem> - <para> - <emphasis>Can Win95 do Policies?</emphasis> - </para> - - <para> - Install the group policy handler for Win9x to pick up group - policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. - Install group policies on a Win9x client by double-clicking - <filename>grouppol.inf</filename>. Log off and on again a couple of - times and see if Win98 picks up group policies. Unfortunately this needs - to be done on every Win9x machine that uses group policies.... - </para> - - <para> - If group policies don't work one reports suggests getting the updated - (read: working) grouppol.dll for Windows 9x. The group list is grabbed - from /etc/group. - </para> -</listitem> - - -<listitem> - <para> - <emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis> - </para> - - <para> - Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager'? - </para> - - <para> - Microsoft distributes a version of these tools called nexus for - installation on Windows 95 systems. The tools set includes - </para> - - <itemizedlist> - <listitem><para>Server Manager</para></listitem> - - <listitem><para>User Manager for Domains</para></listitem> - - <listitem><para>Event Viewer</para></listitem> - </itemizedlist> - - <para> - Click here to download the archived file <ulink - url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink> - </para> - - <para> - The Windows NT 4.0 version of the 'User Manager for - Domains' and 'Server Manager' are available from Microsoft via ftp - from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink> - </para> -</listitem> -</itemizedlist> - -</sect1> - - - <!-- ********************************************************** Getting Help @@ -1095,37 +977,28 @@ general SMB topics such as browsing.</para> <sect1> <title>Domain Control for Windows 9x/ME</title> -<note> -<para> -The following section contains much of the original -DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book <emphasis>Special -Edition, Using Samba</emphasis>, by Richard Sharpe. -</para> -</note> - <para> A domain and a workgroup are exactly the same thing in terms of network browsing. The difference is that a distributable authentication database is associated with a domain, for secure login access to a network. Also, different access rights can be granted to users if they -successfully authenticate against a domain logon server (NT server and -other systems based on NT server support this, as does at least Samba TNG now). +successfully authenticate against a domain logon server. Samba-3 does this +now in the same way that MS Windows NT/2K. </para> <para> The SMB client logging on to a domain has an expectation that every other server in the domain should accept the same authentication information. -Network browsing functionality of domains and workgroups is -identical and is explained in BROWSING.txt. It should be noted, that browsing -is totally orthogonal to logon support. +Network browsing functionality of domains and workgroups is identical and +is explained in this documentation under the browsing discussions. +It should be noted, that browsing is totally orthogonal to logon support. </para> <para> Issues related to the single-logon network model are discussed in this section. Samba supports domain logons, network logon scripts, and user profiles for MS Windows for workgroups and MS Windows 9X/ME clients -which will be the focus of this section. +which are the focus of this section. </para> @@ -1286,593 +1159,5 @@ for its domain. </warning> </sect2> - - -<sect2> -<title>Configuration Instructions: Setting up Roaming User Profiles</title> - -<warning> -<para> -<emphasis>NOTE!</emphasis> Roaming profiles support is different -for Win9X and WinNT. -</para> -</warning> - -<para> -Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features. -</para> - -<para> -Win9X clients send a NetUserGetInfo request to the server to get the user's -profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory. -</para> - - -<para> -WinNT clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT. -</para> - - - -<sect3> -<title>Windows NT Configuration</title> - -<para> -To support WinNT clients, in the [global] section of smb.conf set the -following (for example): -</para> - -<para><programlisting> -logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath -</programlisting></para> - -<para> -The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable. -</para> - -<note> -<para> -[lkcl 26aug96 - we have discovered a problem where Windows clients can -maintain a connection to the [homes] share in between logins. The -[homes] share must NOT therefore be used in a profile path.] -</para> -</note> - -</sect3> - - -<sect3> -<title>Windows 9X Configuration</title> - -<para> -To support Win9X clients, you must use the "logon home" parameter. Samba has -now been fixed so that "net use/home" now works as well, and it, too, relies -on the "logon home" parameter. -</para> - -<para> -By using the logon home parameter, you are restricted to putting Win9X -profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file: -</para> - -<para><programlisting> -logon home = \\%L\%U\.profiles -</programlisting></para> - -<para> -then your Win9X clients will dutifully put their clients in a subdirectory -of your home directory called .profiles (thus making them hidden). -</para> - -<para> -Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area -and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for "logon home". -</para> - - -</sect3> - - -<sect3> -<title>Win9X and WinNT Configuration</title> - -<para> -You can support profiles for both Win9X and WinNT clients by setting both the -"logon home" and "logon path" parameters. For example: -</para> - -<para><programlisting> -logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U -</programlisting></para> - -<note> -<para> -I have not checked what 'net use /home' does on NT when "logon home" is -set as above. -</para> -</note> -</sect3> - - - -<sect3> -<title>Windows 9X Profile Setup</title> - -<para> -When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders "Start Menu", "Desktop", "Programs" and "Nethood". -These directories and their contents will be merged with the local -versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options "preserve case = yes", "short preserve case = yes" and -"case sensitive = no" in order to maintain capital letters in shortcuts -in any of the profile folders. -</para> - - -<para> -The user.DAT file contains all the user's preferences. If you wish to -enforce a set of preferences, rename their user.DAT file to user.MAN, -and deny them write access to this file. -</para> - -<orderedlist> -<listitem> - <para> - On the Windows 95 machine, go to Control Panel | Passwords and - select the User Profiles tab. Select the required level of - roaming preferences. Press OK, but do _not_ allow the computer - to reboot. - </para> -</listitem> - - -<listitem> - <para> - On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to - NT Domain'. Then, ensure that the Primary Logon is 'Client for - Microsoft Networks'. Press OK, and this time allow the computer - to reboot. - </para> -</listitem> - -</orderedlist> - -<para> -Under Windows 95, Profiles are downloaded from the Primary Logon. -If you have the Primary Logon as 'Client for Novell Networks', then -the profiles and logon script will be downloaded from your Novell -Server. If you have the Primary Logon as 'Windows Logon', then the -profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me. -</para> - -<para> -You will now find that the Microsoft Networks Login box contains -[user, password, domain] instead of just [user, password]. Type in -the samba server's domain name (or any other domain known to exist, -but bear in mind that the user will be authenticated against this -domain and profiles downloaded from it, if that domain logon server -supports it), user name and user's password. -</para> - -<para> -Once the user has been successfully validated, the Windows 95 machine -will inform you that 'The user has not logged on before' and asks you -if you wish to save the user's preferences? Select 'yes'. -</para> - -<para> -Once the Windows 95 client comes up with the desktop, you should be able -to examine the contents of the directory specified in the "logon path" -on the samba server and verify that the "Desktop", "Start Menu", -"Programs" and "Nethood" folders have been created. -</para> - -<para> -These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). -You will find that if the user creates further folders or short-cuts, -that the client will merge the profile contents downloaded with the -contents of the profile directory already on the local client, taking -the newest folders and short-cuts from each set. -</para> - -<para> -If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as -it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the Unix file -permissions and ownership rights on the profile directory contents, -on the samba server. -</para> - -<para> -If you have problems creating user profiles, you can reset the user's -local desktop cache, as shown below. When this user then next logs in, -they will be told that they are logging in "for the first time". -</para> - -<orderedlist> -<listitem> - <para> - instead of logging in under the [user, password, domain] dialog, - press escape. - </para> -</listitem> - -<listitem> - <para> - run the regedit.exe program, and look in: - </para> - - <para> - HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList - </para> - - <para> - you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be c:\windows\profiles\username), - then delete the key ProfilePath for the required user. - </para> - - <para> - [Exit the registry editor]. - </para> -</listitem> - -<listitem> - <para> - <emphasis>WARNING</emphasis> - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). - </para> - - <para> - This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. - </para> -</listitem> - -<listitem> - <para> - search for the user's .PWL password-caching file in the c:\windows - directory, and delete it. - </para> -</listitem> - - -<listitem> - <para> - log off the windows 95 client. - </para> -</listitem> - -<listitem> - <para> - check the contents of the profile path (see "logon path" described - above), and delete the user.DAT or user.MAN file for the user, - making a backup if required. - </para> -</listitem> - -</orderedlist> - -<para> -If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports. -</para> - -<para> -If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the -differences are with the equivalent samba trace. -</para> - -</sect3> - - -<sect3> -<title>Windows NT Workstation 4.0</title> - -<para> -When a user first logs in to a Windows NT Workstation, the profile -NTuser.DAT is created. The profile location can be now specified -through the "logon path" parameter. -</para> - -<note> -<para> -[lkcl 10aug97 - i tried setting the path to -\\samba-server\homes\profile, and discovered that this fails because -a background process maintains the connection to the [homes] share -which does _not_ close down in between user logins. you have to -have \\samba-server\%L\profile, where user is the username created -from the [homes] share]. -</para> -</note> - -<para> -There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and -should be used in conjunction with the new "logon home" parameter. -</para> - -<para> -The entry for the NT 4.0 profile is a _directory_ not a file. The NT -help on profiles mentions that a directory is also created with a .PDS -extension. The user, while logging in, must have write permission to -create the full profile path (and the folder with the .PDS extension) -[lkcl 10aug97 - i found that the creation of the .PDS directory failed, -and had to create these manually for each user, with a shell script. -also, i presume, but have not tested, that the full profile path must -be browseable just as it is for w95, due to the manner in which they -attempt to create the full profile path: test existence of each path -component; create path component]. -</para> - -<para> -In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", -"Start Menu" and "Programs". The profile itself is stored in a file -NTuser.DAT. Nothing appears to be stored in the .PDS directory, and -its purpose is currently unknown. -</para> - -<para> -You can use the System Control Panel to copy a local profile onto -a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the System Control Panel for you). The -NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN -turns a profile into a mandatory one. -</para> - -<note> -<para> -[lkcl 10aug97 - i notice that NT Workstation tells me that it is -downloading a profile from a slow link. whether this is actually the -case, or whether there is some configuration issue, as yet unknown, -that makes NT Workstation _think_ that the link is a slow one is a -matter to be resolved]. -</para> - -<para> -[lkcl 20aug97 - after samba digest correspondence, one user found, and -another confirmed, that profiles cannot be loaded from a samba server -unless "security = user" and "encrypt passwords = yes" (see the file -ENCRYPTION.txt) or "security = server" and "password server = ip.address. -of.yourNTserver" are used. Either of these options will allow the NT -workstation to access the samba server using LAN manager encrypted -passwords, without the user intervention normally required by NT -workstation for clear-text passwords]. -</para> - -<para> -[lkcl 25aug97 - more comments received about NT profiles: the case of -the profile _matters_. the file _must_ be called NTuser.DAT or, for -a mandatory profile, NTuser.MAN]. -</para> -</note> - -</sect3> - - -<sect3> -<title>Windows NT Server</title> - -<para> -There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords. -</para> - -</sect3> - - -<sect3> -<title>Sharing Profiles between W95 and NT Workstation 4.0</title> - -<warning> -<title>Potentially outdated or incorrect material follows</title> -<para> -I think this is all bogus, but have not deleted it. (Richard Sharpe) -</para> -</warning> - -<para> -The default logon path is \\%N\%U. NT Workstation will attempt to create -a directory "\\samba-server\username.PDS" if you specify the logon path -as "\\samba-server\username" with the NT User Manager. Therefore, you -will need to specify (for example) "\\samba-server\username\profile". -NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which -is more likely to succeed. -</para> - -<para> -If you then want to share the same Start Menu / Desktop with W95, you will -need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 -this has its drawbacks: i created a shortcut to telnet.exe, which attempts -to run from the c:\winnt\system32 directory. this directory is obviously -unlikely to exist on a Win95-only host]. -</para> - -<para> - -If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory. -</para> - -<note> -<para> -[lkcl 25aug97 - there are some issues to resolve with downloading of -NT profiles, probably to do with time/date stamps. i have found that -NTuser.DAT is never updated on the workstation after the first time that -it is copied to the local workstation profile directory. this is in -contrast to w95, where it _does_ transfer / update profiles correctly]. -</para> -</note> - -</sect3> - -</sect2> </sect1> - - -<!-- ********************************************************** - - Appendix - DOMAIN_CONTROL.txt - -*************************************************************** --> - -<sect1> -<title> -DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba -</title> - -<warning> - <title>Possibly Outdated Material</title> - - <para> - This appendix was originally authored by John H Terpstra of - the Samba Team and is included here for posterity. - </para> -</warning> - - -<para> -<emphasis>NOTE :</emphasis> -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM. -</para> - -<para> -Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller). -The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT. -</para> - -<para> -To many people these terms can be confusing, so let's try to clear the air. -</para> - -<para> -Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialization information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system. -</para> - -<para> -The registry files can be located on any Windows NT machine by opening a -command prompt and typing: -</para> - -<para> -<prompt>C:\WINNT\></prompt> dir %SystemRoot%\System32\config -</para> - -<para> -The environment variable %SystemRoot% value can be obtained by typing: -</para> - -<para> -<prompt>C:\WINNT></prompt>echo %SystemRoot% -</para> - -<para> -The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security. -</para> - -<para> -In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each. -</para> - -<para> -The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do. -</para> - -<para> -The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on. -</para> - -<para> -Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers. -</para> - -<para> -The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (i.e. to ensure that the service action a user has -requested is permitted within the limits of that user's privileges). -</para> - -<para> -The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems. -</para> - -<para> -Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. Almost every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC). -</para> - -<para> -The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry. -</para> - -</sect1> - </chapter> diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml index 41b1c0ed2f..91478740d6 100644 --- a/docs/docbook/projdoc/ServerType.sgml +++ b/docs/docbook/projdoc/ServerType.sgml @@ -45,6 +45,13 @@ that control security mode are: "security = user" and "security = share". </para> <para> +No special action is needed other than to create user accounts. Stand-alone +servers do NOT provide network logon services, meaning that machines that +use this server do NOT perform a domain logon but instead make use only of +the MS Windows logon which is local to the MS Windows workstation/server. +</para> + +<para> Samba tends to blur the distinction a little in respect of what is a stand alone server. This is because the authentication database may be local or on a remote server, even if from the samba protocol perspective diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 1a2e285596..8784bad1b7 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -22,11 +22,11 @@ <!ENTITY ADS-HOWTO SYSTEM "ADS-HOWTO.sgml"> <!ENTITY Passdb SYSTEM "passdb.sgml"> <!ENTITY VFS SYSTEM "VFS.sgml"> -<!ENTITY GroupProfiles SYSTEM "GroupProfiles.sgml"> <!ENTITY SecuringSamba SYSTEM "securing-samba.sgml"> <!ENTITY Compiling SYSTEM "Compiling.sgml"> <!ENTITY unicode SYSTEM "unicode.sgml"> <!ENTITY CUPS SYSTEM "CUPS-printing.sgml"> +<!ENTITY AdvancedNetworkManagement SYSTEM "AdvancedNetworkAdmin.sgml"> ]> <book id="Samba-HOWTO-Collection"> @@ -102,30 +102,30 @@ for various environments. </part> <part id="optional"> -<title>Optional configuration</title> +<title>Advanced Configuration</title> <partintro> <title>Introduction</title> <para>Samba has several features that you might want or might not want to use. The chapters in this part each cover one specific feature.</para> </partintro> -&IntegratingWithWindows; +&AdvancedNetworkManagment; &NT-Security; +&GROUP-MAPPING-HOWTO; &Samba-PAM; -&MS-Dfs-Setup; &PRINTER-DRIVER2; &CUPS; &WINBIND; +&IntegratingWithWindows; &BROWSING; +&MS-Dfs-Setup; &VFS; -&GROUP-MAPPING-HOWTO; -&SPEED; -&GroupProfiles; &SecuringSamba; &unicode; </part> <part id="Appendixes"> <title>Appendixes</title> +&SPEED; &Portability; &Other-Clients; &Compiling; @@ -133,4 +133,4 @@ part each cover one specific feature.</para> &Diagnosis; </part> -</book> + diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index 00dcc6e83b..fd0fef90fe 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -8,8 +8,15 @@ </affiliation> </author> </chapterinfo> +<title>Samba as Stand-Alone Server</title -<title>Samba as Stand-Alone server (User and Share security level)</title> +<para> +In this section the function and purpose of Samba's <emphasis>security</emphasis> +modes are described. +</para> + +<sect1> +<Title>User and Share security level</title> <para> A SMB server tells the client at startup what "security level" it is @@ -23,6 +30,9 @@ can only tell the client what is available and whether an action is allowed. </para> +<sect2> +<title>User Level Security</title> + <para> I'll describe user level security first, as its simpler. In user level security the client will send a "session setup" command directly after @@ -53,6 +63,11 @@ maintain multiple authentication contexts in this way (WinDD is an example of an application that does this) </para> +</sect2> + +<sect2> +<title>Share Level Security> + <para> Ok, now for share level security. In share level security the client authenticates itself separately for each share. It will send a @@ -79,6 +94,11 @@ usernames". If a match is found then the client is authenticated as that user. </para> +</sect2> + +<sect2> +<title>Server Level Security</title> + <para> Finally "server level" security. In server level security the samba server reports to the client that it is in user level security. The @@ -113,4 +133,204 @@ That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support. </para> +<sect3> +<title>Configuring Samba for Seemless Windows Network Integration</title> + +<para> +MS Windows clients may use encrypted passwords as part of a challenege/response +authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple +password based authentication. It should be realized that with the SMB protocol +the password is passed over the network either in plain text or encrypted, but +not both in the same authentication requests. +</para> + +<para> +When encrypted passwords are used a password that has been entered by the user +is encrypted in two ways: +</para> + +<itemizedlist> + <listitem><para>An MD4 hash of the UNICODE of the password + string. This is known as the NT hash. + </para></listitem> + + <listitem><para>The password is converted to upper case, + and then padded or trucated to 14 bytes. This string is + then appended with 5 bytes of NULL characters and split to + form two 56 bit DES keys to encrypt a "magic" 8 byte value. + The resulting 16 bytes for the LanMan hash. + </para></listitem> +</itemizedlist> + +<para> +MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0 +pre-service pack 3 will use either mode of password authentication. All +versions of MS Windows that follow these versions no longer support plain +text passwords by default. +</para> + +<para> +MS Windows clients have a habit of dropping network mappings that have been idle +for 10 minutes or longer. When the user attempts to use the mapped drive +connection that has been dropped, the client re-establishes the connection using +a cached copy of the password. +</para> + +<para> +When Microsoft changed the default password mode, support was dropped for caching +of the plain text password. This means that when the registry parameter is changed +to re-enable use of plain text passwords it appears to work, but when a dropped +service connection mapping attempts to revalidate it will fail if the remote +authentication server does not support encrypted passwords. This means that it +is definitely not a good idea to re-enable plain text password support in such clients. +</para> + +<para> +The following parameters can be used to work around the issue of Windows 9x client +upper casing usernames and password before transmitting them to the SMB server +when using clear text authentication. +</para> + +<para><programlisting> + <ulink url="smb.conf.5.html#PASSWORDLEVEL">passsword level</ulink> = <replaceable>integer</replaceable> + <ulink url="smb.conf.5.html#USERNAMELEVEL">username level</ulink> = <replaceable>integer</replaceable> +</programlisting></para> + +<para> +By default Samba will lower case the username before attempting to lookup the user +in the database of local system accounts. Because UNIX usernames conventionally +only contain lower case character, the <parameter>username level</parameter> parameter +is rarely needed. +</para> + +<para> +However, passwords on UNIX systems often make use of mixed case characters. +This means that in order for a user on a Windows 9x client to connect to a Samba +server using clear text authentication, the <parameter>password level</parameter> +must be set to the maximum number of upper case letter which <emphasis>could</emphasis> +appear is a password. Note that is the server OS uses the traditional DES version +of crypt(), then a <parameter>password level</parameter> of 8 will result in case +insensitive passwords as seen from Windows users. This will also result in longer +login times as Samba hash to compute the permutations of the password string and +try them one by one until a match is located (or all combinations fail). +</para> + +<para> +The best option to adopt is to enable support for encrypted passwords +where ever Samba is used. There are three configuration possibilities +for support of encrypted passwords: +</para> + +</sect3> +<sect3> +<title>Use MS Windows NT as an authentication server</title> + +<para> +This method involves the additions of the following parameters in the smb.conf file: +</para> + +<para><programlisting> + encrypt passwords = Yes + security = server + password server = "NetBIOS_name_of_PDC" +</programlisting></para> + + +<para> +There are two ways of identifying whether or not a username and +password pair was valid or not. One uses the reply information provided +as part of the authentication messaging process, the other uses +just and error code. +</para> + +<para> +The down-side of this mode of configuration is the fact that +for security reasons Samba will send the password server a bogus +username and a bogus password and if the remote server fails to +reject the username and password pair then an alternative mode +of identification of validation is used. Where a site uses password +lock out after a certain number of failed authentication attempts +this will result in user lockouts. +</para> + +<para> +Use of this mode of authentication does require there to be +a standard Unix account for the user, this account can be blocked +to prevent logons by other than MS Windows clients. +</para> + +</sect3> +</sect2> + +<sect2> +<title>Domain Level Security</title> + +<para> +When samba is operating in <emphasis>security = domain</emphasis> mode this means that +the Samba server has a domain security trust account (a machine account) and will cause +all authentication requests to be passed through to the domain controllers. +</para> + +<sect3> +<title>Samba as a member of an MS Windows NT security domain</title> + +<para> +This method involves additon of the following paramters in the smb.conf file: +</para> + +<para><programlisting> + encrypt passwords = Yes + security = domain + workgroup = "name of NT domain" + password server = * +</programlisting></para> + +<para> +The use of the "*" argument to "password server" will cause samba to locate the +domain controller in a way analogous to the way this is done within MS Windows NT. +This is the default behaviour. +</para> + +<para> +In order for this method to work the Samba server needs to join the +MS Windows NT security domain. This is done as follows: +</para> + +<itemizedlist> + <listitem><para>On the MS Windows NT domain controller using + the Server Manager add a machine account for the Samba server. + </para></listitem> + + <listitem><para>Next, on the Linux system execute: + <command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> + </para></listitem> +</itemizedlist> + +<para> +Use of this mode of authentication does require there to be a standard Unix account +for the user in order to assign a uid once the account has been authenticated by +the remote Windows DC. This account can be blocked to prevent logons by other than +MS Windows clients by things such as setting an invalid shell in the +<filename>/etc/passwd</filename> entry. +</para> + +<para> +An alternative to assigning UIDs to Windows users on a Samba member server is +presented in the <ulink url="winbind.html">Winbind Overview</ulink> chapter +in this HOWTO collection. +</para> + +</sect3> +</sect2> + +<sect2> +<title>ADS Level Security</title> + +<para> +For information about the configuration option please refer to the entire section entitled +<emphasis>Samba as an ADS Domain Member.</emphasis> +</para> + +</sect2> +</sect1> </chapter> |