diff options
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 17867 |
1 files changed, 0 insertions, 17867 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html deleted file mode 100644 index 3bc4ad32e3..0000000000 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ /dev/null @@ -1,17867 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->SAMBA Project Documentation</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD -><BODY -CLASS="BOOK" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="BOOK" -><A -NAME="SAMBA-HOWTO-COLLECTION" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" -><A -NAME="SAMBA-HOWTO-COLLECTION" ->SAMBA Project Documentation</A -></H1 -><H3 -CLASS="AUTHOR" -><A -NAME="AEN4" -></A ->SAMBA Team</H3 -><HR></DIV -><HR><H1 -><A -NAME="AEN8" -></A ->Abstract</H1 -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Last Update</I -></SPAN -> : Wed Jan 15</P -><P ->This book is a collection of HOWTOs added to Samba documentation over the years. -I try to ensure that all are current, but sometimes the is a larger job -than one person can maintain. The most recent version of this document -can be found at <A -HREF="http://www.samba.org/" -TARGET="_top" ->http://www.samba.org/</A -> -on the "Documentation" page. Please send updates to <A -HREF="mailto:jerry@samba.org" -TARGET="_top" ->jerry@samba.org</A -> or -<A -HREF="mailto:jelmer@samba.org" -TARGET="_top" ->jelmer@samba.org</A ->.</P -><P ->This documentation is distributed under the GNU General Public License (GPL) -version 2. A copy of the license is included with the Samba source -distribution. A copy can be found on-line at <A -HREF="http://www.fsf.org/licenses/gpl.txt" -TARGET="_top" ->http://www.fsf.org/licenses/gpl.txt</A -></P -><P ->Cheers, jerry</P -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->I. <A -HREF="#INTRODUCTION" ->General installation</A -></DT -><DD -><DL -><DT ->1. <A -HREF="#INSTALL" ->How to Install and Test SAMBA</A -></DT -><DD -><DL -><DT ->1.1. <A -HREF="#AEN26" ->Obtaining and installing samba</A -></DT -><DT ->1.2. <A -HREF="#AEN31" ->Configuring samba</A -></DT -><DT ->1.3. <A -HREF="#AEN64" ->Try listing the shares available on your - server</A -></DT -><DT ->1.4. <A -HREF="#AEN73" ->Try connecting with the unix client</A -></DT -><DT ->1.5. <A -HREF="#AEN89" ->Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</A -></DT -><DT ->1.6. <A -HREF="#AEN103" ->What If Things Don't Work?</A -></DT -></DL -></DD -><DT ->2. <A -HREF="#BROWSING-QUICK" ->Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A -></DT -><DD -><DL -><DT ->2.1. <A -HREF="#AEN130" ->Discussion</A -></DT -><DT ->2.2. <A -HREF="#AEN139" ->Use of the "Remote Announce" parameter</A -></DT -><DT ->2.3. <A -HREF="#AEN153" ->Use of the "Remote Browse Sync" parameter</A -></DT -><DT ->2.4. <A -HREF="#AEN158" ->Use of WINS</A -></DT -><DT ->2.5. <A -HREF="#AEN169" ->Do NOT use more than one (1) protocol on MS Windows machines</A -></DT -><DT ->2.6. <A -HREF="#AEN177" ->Name Resolution Order</A -></DT -></DL -></DD -><DT ->3. <A -HREF="#PASSDB" ->User information database</A -></DT -><DD -><DL -><DT ->3.1. <A -HREF="#AEN234" ->Introduction</A -></DT -><DT ->3.2. <A -HREF="#AEN241" ->Important Notes About Security</A -></DT -><DT ->3.3. <A -HREF="#AEN279" ->The smbpasswd Command</A -></DT -><DT ->3.4. <A -HREF="#AEN310" ->Plain text</A -></DT -><DT ->3.5. <A -HREF="#AEN315" ->TDB</A -></DT -><DT ->3.6. <A -HREF="#AEN318" ->LDAP</A -></DT -><DT ->3.7. <A -HREF="#AEN536" ->MySQL</A -></DT -><DT ->3.8. <A -HREF="#AEN584" ->Passdb XML plugin</A -></DT -></DL -></DD -></DL -></DD -><DT ->II. <A -HREF="#TYPE" ->Type of installation</A -></DT -><DD -><DL -><DT ->4. <A -HREF="#SERVERTYPE" ->Nomenclature of Server Types</A -></DT -><DD -><DL -><DT ->4.1. <A -HREF="#AEN627" ->Stand Alone Server</A -></DT -><DT ->4.2. <A -HREF="#AEN633" ->Domain Member Server</A -></DT -><DT ->4.3. <A -HREF="#AEN639" ->Domain Controller</A -></DT -></DL -></DD -><DT ->5. <A -HREF="#SECURITYLEVELS" ->User and Share security level (for servers not in a domain)</A -></DT -><DT ->6. <A -HREF="#SAMBA-PDC" ->Samba as an NT4 or Win2k Primary Domain Controller</A -></DT -><DD -><DL -><DT ->6.1. <A -HREF="#AEN703" ->Prerequisite Reading</A -></DT -><DT ->6.2. <A -HREF="#AEN708" ->Background</A -></DT -><DT ->6.3. <A -HREF="#AEN746" ->Configuring the Samba Domain Controller</A -></DT -><DT ->6.4. <A -HREF="#AEN788" ->Creating Machine Trust Accounts and Joining Clients to the Domain</A -></DT -><DT ->6.5. <A -HREF="#AEN896" ->Common Problems and Errors</A -></DT -><DT ->6.6. <A -HREF="#AEN944" ->System Policies and Profiles</A -></DT -><DT ->6.7. <A -HREF="#AEN988" ->What other help can I get?</A -></DT -><DT ->6.8. <A -HREF="#AEN1102" ->Domain Control for Windows 9x/ME</A -></DT -><DT ->6.9. <A -HREF="#AEN1240" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></DT -></DL -></DD -><DT ->7. <A -HREF="#SAMBA-BDC" ->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A -></DT -><DD -><DL -><DT ->7.1. <A -HREF="#AEN1276" ->Prerequisite Reading</A -></DT -><DT ->7.2. <A -HREF="#AEN1280" ->Background</A -></DT -><DT ->7.3. <A -HREF="#AEN1288" ->What qualifies a Domain Controller on the network?</A -></DT -><DT ->7.4. <A -HREF="#AEN1297" ->Can Samba be a Backup Domain Controller to an NT PDC?</A -></DT -><DT ->7.5. <A -HREF="#AEN1302" ->How do I set up a Samba BDC?</A -></DT -></DL -></DD -><DT ->8. <A -HREF="#ADS" ->Samba as a ADS domain member</A -></DT -><DD -><DL -><DT ->8.1. <A -HREF="#AEN1341" ->Installing the required packages for Debian</A -></DT -><DT ->8.2. <A -HREF="#AEN1348" ->Installing the required packages for RedHat</A -></DT -><DT ->8.3. <A -HREF="#AEN1358" ->Compile Samba</A -></DT -><DT ->8.4. <A -HREF="#AEN1373" ->Setup your /etc/krb5.conf</A -></DT -><DT ->8.5. <A -HREF="#AEN1383" ->Create the computer account</A -></DT -><DT ->8.6. <A -HREF="#AEN1395" ->Test your server setup</A -></DT -><DT ->8.7. <A -HREF="#AEN1400" ->Testing with smbclient</A -></DT -><DT ->8.8. <A -HREF="#AEN1403" ->Notes</A -></DT -></DL -></DD -><DT ->9. <A -HREF="#DOMAIN-SECURITY" ->Samba as a NT4 or Win2k domain member</A -></DT -><DD -><DL -><DT ->9.1. <A -HREF="#AEN1425" ->Joining an NT Domain with Samba 3.0</A -></DT -><DT ->9.2. <A -HREF="#AEN1480" ->Samba and Windows 2000 Domains</A -></DT -><DT ->9.3. <A -HREF="#AEN1483" ->Why is this better than security = server?</A -></DT -></DL -></DD -></DL -></DD -><DT ->III. <A -HREF="#OPTIONAL" ->Optional configuration</A -></DT -><DD -><DL -><DT ->10. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1515" ->Agenda</A -></DT -><DT ->10.2. <A -HREF="#AEN1537" ->Name Resolution in a pure Unix/Linux world</A -></DT -><DT ->10.3. <A -HREF="#AEN1600" ->Name resolution as used within MS Windows networking</A -></DT -><DT ->10.4. <A -HREF="#AEN1645" ->How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></DT -><DT ->10.5. <A -HREF="#AEN1655" ->MS Windows security options and how to configure -Samba for seemless integration</A -></DT -><DT ->10.6. <A -HREF="#AEN1725" ->Conclusions</A -></DT -></DL -></DD -><DT ->11. <A -HREF="#UNIX-PERMISSIONS" ->UNIX Permission Bits and Windows NT Access Control Lists</A -></DT -><DD -><DL -><DT ->11.1. <A -HREF="#AEN1746" ->Viewing and changing UNIX permissions using the NT - security dialogs</A -></DT -><DT ->11.2. <A -HREF="#AEN1750" ->How to view file security on a Samba share</A -></DT -><DT ->11.3. <A -HREF="#AEN1761" ->Viewing file ownership</A -></DT -><DT ->11.4. <A -HREF="#AEN1781" ->Viewing file or directory permissions</A -></DT -><DT ->11.5. <A -HREF="#AEN1817" ->Modifying file or directory permissions</A -></DT -><DT ->11.6. <A -HREF="#AEN1839" ->Interaction with the standard Samba create mask - parameters</A -></DT -><DT ->11.7. <A -HREF="#AEN1903" ->Interaction with the standard Samba file attribute - mapping</A -></DT -></DL -></DD -><DT ->12. <A -HREF="#PAM" ->Configuring PAM for distributed but centrally -managed authentication</A -></DT -><DD -><DL -><DT ->12.1. <A -HREF="#AEN1924" ->Samba and PAM</A -></DT -><DT ->12.2. <A -HREF="#AEN1968" ->Distributed Authentication</A -></DT -><DT ->12.3. <A -HREF="#AEN1975" ->PAM Configuration in smb.conf</A -></DT -></DL -></DD -><DT ->13. <A -HREF="#MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1995" ->Instructions</A -></DT -></DL -></DD -><DT ->14. <A -HREF="#PRINTING" ->Printing Support</A -></DT -><DD -><DL -><DT ->14.1. <A -HREF="#AEN2056" ->Introduction</A -></DT -><DT ->14.2. <A -HREF="#AEN2078" ->Configuration</A -></DT -><DT ->14.3. <A -HREF="#AEN2186" ->The Imprints Toolset</A -></DT -><DT ->14.4. <A -HREF="#AEN2229" ->Diagnosis</A -></DT -></DL -></DD -><DT ->15. <A -HREF="#WINBIND" ->Unified Logons between Windows NT and UNIX using Winbind</A -></DT -><DD -><DL -><DT ->15.1. <A -HREF="#AEN2362" ->Abstract</A -></DT -><DT ->15.2. <A -HREF="#AEN2366" ->Introduction</A -></DT -><DT ->15.3. <A -HREF="#AEN2379" ->What Winbind Provides</A -></DT -><DT ->15.4. <A -HREF="#AEN2390" ->How Winbind Works</A -></DT -><DT ->15.5. <A -HREF="#AEN2433" ->Installation and Configuration</A -></DT -><DT ->15.6. <A -HREF="#AEN2690" ->Limitations</A -></DT -><DT ->15.7. <A -HREF="#AEN2700" ->Conclusion</A -></DT -></DL -></DD -><DT ->16. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A -></DT -><DD -><DL -><DT ->16.1. <A -HREF="#AEN2710" ->Overview of browsing</A -></DT -><DT ->16.2. <A -HREF="#AEN2715" ->Browsing support in samba</A -></DT -><DT ->16.3. <A -HREF="#AEN2723" ->Problem resolution</A -></DT -><DT ->16.4. <A -HREF="#AEN2732" ->Browsing across subnets</A -></DT -><DT ->16.5. <A -HREF="#AEN2772" ->Setting up a WINS server</A -></DT -><DT ->16.6. <A -HREF="#AEN2791" ->Setting up Browsing in a WORKGROUP</A -></DT -><DT ->16.7. <A -HREF="#AEN2809" ->Setting up Browsing in a DOMAIN</A -></DT -><DT ->16.8. <A -HREF="#AEN2819" ->Forcing samba to be the master</A -></DT -><DT ->16.9. <A -HREF="#AEN2828" ->Making samba the domain master</A -></DT -><DT ->16.10. <A -HREF="#AEN2846" ->Note about broadcast addresses</A -></DT -><DT ->16.11. <A -HREF="#AEN2849" ->Multiple interfaces</A -></DT -></DL -></DD -><DT ->17. <A -HREF="#VFS" ->Stackable VFS modules</A -></DT -><DD -><DL -><DT ->17.1. <A -HREF="#AEN2867" ->Introduction and configuration</A -></DT -><DT ->17.2. <A -HREF="#AEN2876" ->Included modules</A -></DT -><DT ->17.3. <A -HREF="#AEN2930" ->VFS modules available elsewhere</A -></DT -></DL -></DD -><DT ->18. <A -HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT -><DT ->19. <A -HREF="#SPEED" ->Samba performance issues</A -></DT -><DD -><DL -><DT ->19.1. <A -HREF="#AEN2997" ->Comparisons</A -></DT -><DT ->19.2. <A -HREF="#AEN3003" ->Socket options</A -></DT -><DT ->19.3. <A -HREF="#AEN3010" ->Read size</A -></DT -><DT ->19.4. <A -HREF="#AEN3015" ->Max xmit</A -></DT -><DT ->19.5. <A -HREF="#AEN3020" ->Log level</A -></DT -><DT ->19.6. <A -HREF="#AEN3023" ->Read raw</A -></DT -><DT ->19.7. <A -HREF="#AEN3028" ->Write raw</A -></DT -><DT ->19.8. <A -HREF="#AEN3032" ->Slow Clients</A -></DT -><DT ->19.9. <A -HREF="#AEN3036" ->Slow Logins</A -></DT -><DT ->19.10. <A -HREF="#AEN3039" ->Client tuning</A -></DT -></DL -></DD -><DT ->20. <A -HREF="#GROUPPROFILES" ->Creating Group Prolicy Files</A -></DT -><DD -><DL -><DT ->20.1. <A -HREF="#AEN3087" ->Windows '9x</A -></DT -><DT ->20.2. <A -HREF="#AEN3097" ->Windows NT 4</A -></DT -><DT ->20.3. <A -HREF="#AEN3135" ->Windows 2000/XP</A -></DT -></DL -></DD -><DT ->21. <A -HREF="#SECURING-SAMBA" ->Securing Samba</A -></DT -><DD -><DL -><DT ->21.1. <A -HREF="#AEN3216" ->Introduction</A -></DT -><DT ->21.2. <A -HREF="#AEN3219" ->Using host based protection</A -></DT -><DT ->21.3. <A -HREF="#AEN3226" ->Using interface protection</A -></DT -><DT ->21.4. <A -HREF="#AEN3235" ->Using a firewall</A -></DT -><DT ->21.5. <A -HREF="#AEN3242" ->Using a IPC$ share deny</A -></DT -><DT ->21.6. <A -HREF="#AEN3251" ->Upgrading Samba</A -></DT -></DL -></DD -><DT ->22. <A -HREF="#UNICODE" ->Unicode/Charsets</A -></DT -><DD -><DL -><DT ->22.1. <A -HREF="#AEN3265" ->What are charsets and unicode?</A -></DT -><DT ->22.2. <A -HREF="#AEN3274" ->Samba and charsets</A -></DT -></DL -></DD -></DL -></DD -><DT ->IV. <A -HREF="#APPENDIXES" ->Appendixes</A -></DT -><DD -><DL -><DT ->23. <A -HREF="#PORTABILITY" ->Portability</A -></DT -><DD -><DL -><DT ->23.1. <A -HREF="#AEN3303" ->HPUX</A -></DT -><DT ->23.2. <A -HREF="#AEN3309" ->SCO Unix</A -></DT -><DT ->23.3. <A -HREF="#AEN3313" ->DNIX</A -></DT -><DT ->23.4. <A -HREF="#AEN3342" ->RedHat Linux Rembrandt-II</A -></DT -><DT ->23.5. <A -HREF="#AEN3348" ->AIX</A -></DT -></DL -></DD -><DT ->24. <A -HREF="#OTHER-CLIENTS" ->Samba and other CIFS clients</A -></DT -><DD -><DL -><DT ->24.1. <A -HREF="#AEN3368" ->Macintosh clients?</A -></DT -><DT ->24.2. <A -HREF="#AEN3377" ->OS2 Client</A -></DT -><DT ->24.3. <A -HREF="#AEN3417" ->Windows for Workgroups</A -></DT -><DT ->24.4. <A -HREF="#AEN3441" ->Windows '95/'98</A -></DT -><DT ->24.5. <A -HREF="#AEN3457" ->Windows 2000 Service Pack 2</A -></DT -></DL -></DD -><DT ->25. <A -HREF="#COMPILING" ->How to compile SAMBA</A -></DT -><DD -><DL -><DT ->25.1. <A -HREF="#AEN3484" ->Access Samba source code via CVS</A -></DT -><DT ->25.2. <A -HREF="#AEN3527" ->Accessing the samba sources via rsync and ftp</A -></DT -><DT ->25.3. <A -HREF="#AEN3533" ->Building the Binaries</A -></DT -><DT ->25.4. <A -HREF="#AEN3561" ->Starting the smbd and nmbd</A -></DT -></DL -></DD -><DT ->26. <A -HREF="#BUGREPORT" ->Reporting Bugs</A -></DT -><DD -><DL -><DT ->26.1. <A -HREF="#AEN3623" ->Introduction</A -></DT -><DT ->26.2. <A -HREF="#AEN3633" ->General info</A -></DT -><DT ->26.3. <A -HREF="#AEN3639" ->Debug levels</A -></DT -><DT ->26.4. <A -HREF="#AEN3656" ->Internal errors</A -></DT -><DT ->26.5. <A -HREF="#AEN3666" ->Attaching to a running process</A -></DT -><DT ->26.6. <A -HREF="#AEN3669" ->Patches</A -></DT -></DL -></DD -><DT ->27. <A -HREF="#DIAGNOSIS" ->The samba checklist</A -></DT -><DD -><DL -><DT ->27.1. <A -HREF="#AEN3692" ->Introduction</A -></DT -><DT ->27.2. <A -HREF="#AEN3697" ->Assumptions</A -></DT -><DT ->27.3. <A -HREF="#AEN3707" ->Tests</A -></DT -><DT ->27.4. <A -HREF="#AEN3817" ->Still having troubles?</A -></DT -></DL -></DD -></DL -></DD -></DL -></DIV -><DIV -CLASS="PART" -><A -NAME="INTRODUCTION" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" ->I. General installation</H1 -><DIV -CLASS="PARTINTRO" -><A -NAME="AEN21" -></A -><H1 ->Introduction</H1 -><P ->This part contains general info on how to install samba -and how to configure the parts of samba you will most likely need. -PLEASE read this.</P -></DIV -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->1. <A -HREF="#INSTALL" ->How to Install and Test SAMBA</A -></DT -><DD -><DL -><DT ->1.1. <A -HREF="#AEN26" ->Obtaining and installing samba</A -></DT -><DT ->1.2. <A -HREF="#AEN31" ->Configuring samba</A -></DT -><DD -><DL -><DT ->1.2.1. <A -HREF="#AEN36" ->Editing the smb.conf file</A -></DT -><DT ->1.2.2. <A -HREF="#AEN58" ->SWAT</A -></DT -></DL -></DD -><DT ->1.3. <A -HREF="#AEN64" ->Try listing the shares available on your - server</A -></DT -><DT ->1.4. <A -HREF="#AEN73" ->Try connecting with the unix client</A -></DT -><DT ->1.5. <A -HREF="#AEN89" ->Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</A -></DT -><DT ->1.6. <A -HREF="#AEN103" ->What If Things Don't Work?</A -></DT -><DD -><DL -><DT ->1.6.1. <A -HREF="#AEN108" ->Scope IDs</A -></DT -><DT ->1.6.2. <A -HREF="#AEN111" ->Locking</A -></DT -></DL -></DD -></DL -></DD -><DT ->2. <A -HREF="#BROWSING-QUICK" ->Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A -></DT -><DD -><DL -><DT ->2.1. <A -HREF="#AEN130" ->Discussion</A -></DT -><DT ->2.2. <A -HREF="#AEN139" ->Use of the "Remote Announce" parameter</A -></DT -><DT ->2.3. <A -HREF="#AEN153" ->Use of the "Remote Browse Sync" parameter</A -></DT -><DT ->2.4. <A -HREF="#AEN158" ->Use of WINS</A -></DT -><DT ->2.5. <A -HREF="#AEN169" ->Do NOT use more than one (1) protocol on MS Windows machines</A -></DT -><DT ->2.6. <A -HREF="#AEN177" ->Name Resolution Order</A -></DT -></DL -></DD -><DT ->3. <A -HREF="#PASSDB" ->User information database</A -></DT -><DD -><DL -><DT ->3.1. <A -HREF="#AEN234" ->Introduction</A -></DT -><DT ->3.2. <A -HREF="#AEN241" ->Important Notes About Security</A -></DT -><DD -><DL -><DT ->3.2.1. <A -HREF="#AEN267" ->Advantages of SMB Encryption</A -></DT -><DT ->3.2.2. <A -HREF="#AEN273" ->Advantages of non-encrypted passwords</A -></DT -></DL -></DD -><DT ->3.3. <A -HREF="#AEN279" ->The smbpasswd Command</A -></DT -><DT ->3.4. <A -HREF="#AEN310" ->Plain text</A -></DT -><DT ->3.5. <A -HREF="#AEN315" ->TDB</A -></DT -><DT ->3.6. <A -HREF="#AEN318" ->LDAP</A -></DT -><DD -><DL -><DT ->3.6.1. <A -HREF="#AEN320" ->Introduction</A -></DT -><DT ->3.6.2. <A -HREF="#AEN340" ->Introduction</A -></DT -><DT ->3.6.3. <A -HREF="#AEN369" ->Supported LDAP Servers</A -></DT -><DT ->3.6.4. <A -HREF="#AEN374" ->Schema and Relationship to the RFC 2307 posixAccount</A -></DT -><DT ->3.6.5. <A -HREF="#AEN386" ->Configuring Samba with LDAP</A -></DT -><DT ->3.6.6. <A -HREF="#AEN433" ->Accounts and Groups management</A -></DT -><DT ->3.6.7. <A -HREF="#AEN438" ->Security and sambaAccount</A -></DT -><DT ->3.6.8. <A -HREF="#AEN458" ->LDAP specials attributes for sambaAccounts</A -></DT -><DT ->3.6.9. <A -HREF="#AEN528" ->Example LDIF Entries for a sambaAccount</A -></DT -></DL -></DD -><DT ->3.7. <A -HREF="#AEN536" ->MySQL</A -></DT -><DD -><DL -><DT ->3.7.1. <A -HREF="#AEN538" ->Building</A -></DT -><DT ->3.7.2. <A -HREF="#AEN544" ->Creating the database</A -></DT -><DT ->3.7.3. <A -HREF="#AEN554" ->Configuring</A -></DT -><DT ->3.7.4. <A -HREF="#AEN571" ->Using plaintext passwords or encrypted password</A -></DT -><DT ->3.7.5. <A -HREF="#AEN576" ->Getting non-column data from the table</A -></DT -></DL -></DD -><DT ->3.8. <A -HREF="#AEN584" ->Passdb XML plugin</A -></DT -><DD -><DL -><DT ->3.8.1. <A -HREF="#AEN586" ->Building</A -></DT -><DT ->3.8.2. <A -HREF="#AEN592" ->Usage</A -></DT -></DL -></DD -></DL -></DD -></DL -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="INSTALL" -></A ->Chapter 1. How to Install and Test SAMBA</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN26" ->1.1. Obtaining and installing samba</A -></H2 -><P ->Binary packages of samba are included in almost any Linux or - Unix distribution. There are also some packages available at - <A -HREF="http://samba.org/" -TARGET="_top" ->the samba homepage</A -> - </P -><P ->If you need to compile samba from source, check the - appropriate appendix chapter.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN31" ->1.2. Configuring samba</A -></H2 -><P ->Samba's configuration is stored in the smb.conf file, - that usually resides in <TT -CLASS="FILENAME" ->/etc/samba/smb.conf</TT -> - or <TT -CLASS="FILENAME" ->/usr/local/samba/lib/smb.conf</TT ->. You can either - edit this file yourself or do it using one of the many graphical - tools that are available, such as the web-based interface swat, that - is included with samba.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN36" ->1.2.1. Editing the smb.conf file</A -></H3 -><P ->There are sample configuration files in the examples - subdirectory in the distribution. I suggest you read them - carefully so you can see how the options go together in - practice. See the man page for all the options.</P -><P ->The simplest useful configuration file would be - something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [global] - workgroup = MYGROUP - - [homes] - guest ok = no - read only = no - </PRE -></P -><P ->which would allow connections by anyone with an - account on the server, using either their login name or - "homes" as the service name. (Note that I also set the - workgroup that Samba is part of. See BROWSING.txt for details)</P -><P ->Note that <B -CLASS="COMMAND" ->make install</B -> will not install - a <TT -CLASS="FILENAME" ->smb.conf</TT -> file. You need to create it - yourself. </P -><P ->Make sure you put the smb.conf file in the same place - you specified in the<TT -CLASS="FILENAME" ->Makefile</TT -> (the default is to - look for it in <TT -CLASS="FILENAME" ->/usr/local/samba/lib/</TT ->).</P -><P ->For more information about security settings for the - [homes] share please refer to the document UNIX_SECURITY.txt.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN50" ->1.2.1.1. Test your config file with - <B -CLASS="COMMAND" ->testparm</B -></A -></H4 -><P ->It's important that you test the validity of your - <TT -CLASS="FILENAME" ->smb.conf</TT -> file using the testparm program. - If testparm runs OK then it will list the loaded services. If - not it will give an error message.</P -><P ->Make sure it runs OK and that the services look - reasonable before proceeding. </P -><P ->Always run testparm again when you change - <TT -CLASS="FILENAME" ->smb.conf</TT ->!</P -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN58" ->1.2.2. SWAT</A -></H3 -><P -> SWAT is a web-based interface that helps you configure samba. - SWAT might not be available in the samba package on your platform, - but in a seperate package. Please read the swat manpage - on compiling, installing and configuring swat from source. - </P -><P ->To launch SWAT just run your favorite web browser and - point it at "http://localhost:901/". Replace <VAR -CLASS="REPLACEABLE" ->localhost</VAR -> with the name of the computer you are running samba on if you - are running samba on a different computer then your browser.</P -><P ->Note that you can attach to SWAT from any IP connected - machine but connecting from a remote machine leaves your - connection open to password sniffing as passwords will be sent - in the clear over the wire. </P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN64" ->1.3. Try listing the shares available on your - server</A -></H2 -><P -><SAMP -CLASS="PROMPT" ->$ </SAMP -><KBD -CLASS="USERINPUT" ->smbclient -L - <VAR -CLASS="REPLACEABLE" ->yourhostname</VAR -></KBD -></P -><P ->You should get back a list of shares available on - your server. If you don't then something is incorrectly setup. - Note that this method can also be used to see what shares - are available on other LanManager clients (such as WfWg).</P -><P ->If you choose user level security then you may find - that Samba requests a password before it will list the shares. - See the <B -CLASS="COMMAND" ->smbclient</B -> man page for details. (you - can force it to list the shares without a password by - adding the option -U% to the command line. This will not work - with non-Samba servers)</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN73" ->1.4. Try connecting with the unix client</A -></H2 -><P -><SAMP -CLASS="PROMPT" ->$ </SAMP -><KBD -CLASS="USERINPUT" ->smbclient <VAR -CLASS="REPLACEABLE" -> //yourhostname/aservice</VAR -></KBD -></P -><P ->Typically the <VAR -CLASS="REPLACEABLE" ->yourhostname</VAR -> - would be the name of the host where you installed <B -CLASS="COMMAND" -> smbd</B ->. The <VAR -CLASS="REPLACEABLE" ->aservice</VAR -> is - any service you have defined in the <TT -CLASS="FILENAME" ->smb.conf</TT -> - file. Try your user name if you just have a [homes] section - in <TT -CLASS="FILENAME" ->smb.conf</TT ->.</P -><P ->For example if your unix host is bambi and your login - name is fred you would type:</P -><P -><SAMP -CLASS="PROMPT" ->$ </SAMP -><KBD -CLASS="USERINPUT" ->smbclient //bambi/fred - </KBD -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN89" ->1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</A -></H2 -><P ->Try mounting disks. eg:</P -><P -><SAMP -CLASS="PROMPT" ->C:\WINDOWS\> </SAMP -><KBD -CLASS="USERINPUT" ->net use d: \\servername\service - </KBD -></P -><P ->Try printing. eg:</P -><P -><SAMP -CLASS="PROMPT" ->C:\WINDOWS\> </SAMP -><KBD -CLASS="USERINPUT" ->net use lpt1: - \\servername\spoolservice</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->C:\WINDOWS\> </SAMP -><KBD -CLASS="USERINPUT" ->print filename - </KBD -></P -><P ->Celebrate, or send me a bug report!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN103" ->1.6. What If Things Don't Work?</A -></H2 -><P ->Then you might read the file HOWTO chapter Diagnosis and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. You could - also use the WWW site to scan back issues of the samba-digest.</P -><P ->When you fix the problem <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->please</I -></SPAN -> send some - updates of the documentation (or source code) to one of - the documentation maintainers or the list. - </P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN108" ->1.6.1. Scope IDs</A -></H3 -><P ->By default Samba uses a blank scope ID. This means - all your windows boxes must also have a blank scope ID. - If you really want to use a non-blank scope ID then you will - need to use the 'netbios scope' smb.conf option. - All your PCs will need to have the same setting for - this to work. I do not recommend scope IDs.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN111" ->1.6.2. Locking</A -></H3 -><P ->One area which sometimes causes trouble is locking.</P -><P ->There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open.</P -><P ->Record locking semantics under Unix is very - different from record locking under Windows. Versions - of Samba before 2.2 have tried to use the native - fcntl() unix system call to implement proper record - locking between different Samba clients. This can not - be fully correct due to several reasons. The simplest - is the fact that a Windows client is allowed to lock a - byte range up to 2^32 or 2^64, depending on the client - OS. The unix locking only supports byte ranges up to - 2^31. So it is not possible to correctly satisfy a - lock request above 2^31. There are many more - differences, too many to be listed here.</P -><P ->Samba 2.2 and above implements record locking - completely independent of the underlying unix - system. If a byte range lock that the client requests - happens to fall into the range 0-2^31, Samba hands - this request down to the Unix system. All other locks - can not be seen by unix anyway.</P -><P ->Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write. </P -><P ->You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK.</P -><P ->The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatibility modes called - DENY_FCB and DENY_DOS.</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="BROWSING-QUICK" -></A ->Chapter 2. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</H1 -><P ->This document should be read in conjunction with Browsing and may -be taken as the fast track guide to implementing browsing across subnets -and / or across workgroups (or domains). WINS is the best tool for resolution -of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling -except by way of name to address mapping.</P -><P ->Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS -over TCP/IP. Samba-3 and later also supports this mode of operation.</P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN130" ->2.1. Discussion</A -></H2 -><P ->Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging may be implemented using NetBIOS or -without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP. -MS Windows products can do likewise. NetBIOS based networking uses broadcast -messaging to affect browse list management. When running NetBIOS over -TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast.</P -><P ->Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP.</P -><P ->Secondly, in those networks where Samba is the only SMB server technology -wherever possible nmbd should be configured on one (1) machine as the WINS -server. This makes it easy to manage the browsing environment. If each network -segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file.</P -><P ->If only one WINS server is used for an entire multi-segment network then -the use of the "remote announce" and the "remote browse sync" parameters -should NOT be necessary.</P -><P ->As of Samba-3 WINS replication is being worked on. The bulk of the code has -been committed, but it still needs maturation.</P -><P ->Right now samba WINS does not support MS-WINS replication. This means that -when setting up Samba as a WINS server there must only be one nmbd configured -as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used "remote browse -sync" and "remote announce" to affect browse list collation across all -segments. Note that this means clients will only resolve local names, -and must be configured to use DNS to resolve names on other subnets in -order to resolve the IP addresses of the servers they can see on other -subnets. This setup is not recommended, but is mentioned as a practical -consideration (ie: an 'if all else fails' scenario).</P -><P ->Lastly, take note that browse lists are a collection of unreliable broadcast -messages that are repeated at intervals of not more than 15 minutes. This means -that it will take time to establish a browse list and it can take up to 45 -minutes to stabilise, particularly across network segments.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN139" ->2.2. Use of the "Remote Announce" parameter</A -></H2 -><P ->The "remote announce" parameter of smb.conf can be used to forcibly ensure -that all the NetBIOS names on a network get announced to a remote network. -The syntax of the "remote announce" parameter is: -<PRE -CLASS="PROGRAMLISTING" -> remote announce = a.b.c.d [e.f.g.h] ...</PRE -> -_or_ -<PRE -CLASS="PROGRAMLISTING" -> remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...</PRE -> - -where: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->a.b.c.d and e.f.g.h</DT -><DD -><P ->is either the LMB (Local Master Browser) IP address -or the broadcst address of the remote network. -ie: the LMB is at 192.168.1.10, or the address -could be given as 192.168.1.255 where the netmask -is assumed to be 24 bits (255.255.255.0). -When the remote announcement is made to the broadcast -address of the remote network every host will receive -our announcements. This is noisy and therefore -undesirable but may be necessary if we do NOT know -the IP address of the remote LMB.</P -></DD -><DT ->WORKGROUP</DT -><DD -><P ->is optional and can be either our own workgroup -or that of the remote network. If you use the -workgroup name of the remote network then our -NetBIOS machine names will end up looking like -they belong to that workgroup, this may cause -name resolution problems and should be avoided.</P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN153" ->2.3. Use of the "Remote Browse Sync" parameter</A -></H2 -><P ->The "remote browse sync" parameter of smb.conf is used to announce to -another LMB that it must synchronise it's NetBIOS name list with our -Samba LMB. It works ONLY if the Samba server that has this option is -simultaneously the LMB on it's network segment.</P -><P ->The syntax of the "remote browse sync" parameter is: - -<PRE -CLASS="PROGRAMLISTING" ->remote browse sync = a.b.c.d</PRE -> - -where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN158" ->2.4. Use of WINS</A -></H2 -><P ->Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly -recommended. Every NetBIOS machine registers it's name together with a -name_type value for each of of several types of service it has available. -eg: It registers it's name directly as a unique (the type 0x03) name. -It also registers it's name if it is running the lanmanager compatible -server service (used to make shares and printers available to other users) -by registering the server (the type 0x20) name.</P -><P ->All NetBIOS names are up to 15 characters in length. The name_type variable -is added to the end of the name - thus creating a 16 character name. Any -name that is shorter than 15 characters is padded with spaces to the 15th -character. ie: All NetBIOS names are 16 characters long (including the -name_type information).</P -><P ->WINS can store these 16 character names as they get registered. A client -that wants to log onto the network can ask the WINS server for a list -of all names that have registered the NetLogon service name_type. This saves -broadcast traffic and greatly expedites logon processing. Since broadcast -name resolution can not be used across network segments this type of -information can only be provided via WINS _or_ via statically configured -"lmhosts" files that must reside on all clients in the absence of WINS.</P -><P ->WINS also serves the purpose of forcing browse list synchronisation by all -LMB's. LMB's must synchronise their browse list with the DMB (domain master -browser) and WINS helps the LMB to identify it's DMB. By definition this -will work only within a single workgroup. Note that the domain master browser -has NOTHING to do with what is referred to as an MS Windows NT Domain. The -later is a reference to a security environment while the DMB refers to the -master controller for browse list information only.</P -><P ->Use of WINS will work correctly only if EVERY client TCP/IP protocol stack -has been configured to use the WINS server/s. Any client that has not been -configured to use the WINS server will continue to use only broadcast based -name registration so that WINS may NEVER get to know about it. In any case, -machines that have not registered with a WINS server will fail name to address -lookup attempts by other clients and will therefore cause workstation access -errors.</P -><P ->To configure Samba as a WINS server just add "wins support = yes" to the -smb.conf file [globals] section.</P -><P ->To configure Samba to register with a WINS server just add -"wins server = a.b.c.d" to your smb.conf file [globals] section.</P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->DO NOT EVER</I -></SPAN -> use both "wins support = yes" together -with "wins server = a.b.c.d" particularly not using it's own IP address. -Specifying both will cause nmbd to refuse to start!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN169" ->2.5. Do NOT use more than one (1) protocol on MS Windows machines</A -></H2 -><P ->A very common cause of browsing problems results from installing more than -one protocol on an MS Windows machine.</P -><P ->Every NetBIOS machine takes part in a process of electing the LMB (and DMB) -every 15 minutes. A set of election criteria is used to determine the order -of precidence for winning this election process. A machine running Samba or -Windows NT will be biased so that the most suitable machine will predictably -win and thus retain it's role.</P -><P ->The election process is "fought out" so to speak over every NetBIOS network -interface. In the case of a Windows 9x machine that has both TCP/IP and IPX -installed and has NetBIOS enabled over both protocols the election will be -decided over both protocols. As often happens, if the Windows 9x machine is -the only one with both protocols then the LMB may be won on the NetBIOS -interface over the IPX protocol. Samba will then lose the LMB role as Windows -9x will insist it knows who the LMB is. Samba will then cease to function -as an LMB and thus browse list operation on all TCP/IP only machines will -fail.</P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Windows 95, 98, 98se, Me are referred to generically as Windows 9x. -The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly -referred to as the WinNT family, but it should be recognised that 2000 and -XP/2003 introduce new protocol extensions that cause them to behave -differently from MS Windows NT4. Generally, where a server does NOT support -the newer or extended protocol, these will fall back to the NT4 protocols.</I -></SPAN -></P -><P ->The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN177" ->2.6. Name Resolution Order</A -></H2 -><P ->Resolution of NetBIOS names to IP addresses can take place using a number -of methods. The only ones that can provide NetBIOS name_type information -are:</P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->WINS: the best tool!</TD -></TR -><TR -><TD ->LMHOSTS: is static and hard to maintain.</TD -></TR -><TR -><TD ->Broadcast: uses UDP and can not resolve names across remote segments.</TD -></TR -></TBODY -></TABLE -><P -></P -><P ->Alternative means of name resolution includes:</P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->/etc/hosts: is static, hard to maintain, and lacks name_type info</TD -></TR -><TR -><TD ->DNS: is a good choice but lacks essential name_type info.</TD -></TR -></TBODY -></TABLE -><P -></P -><P ->Many sites want to restrict DNS lookups and want to avoid broadcast name -resolution traffic. The "name resolve order" parameter is of great help here. -The syntax of the "name resolve order" parameter is: -<PRE -CLASS="PROGRAMLISTING" ->name resolve order = wins lmhosts bcast host</PRE -> -_or_ -<PRE -CLASS="PROGRAMLISTING" ->name resolve order = wins lmhosts (eliminates bcast and host)</PRE -> -The default is: -<PRE -CLASS="PROGRAMLISTING" ->name resolve order = host lmhost wins bcast</PRE ->. -where "host" refers the the native methods used by the Unix system -to implement the gethostbyname() function call. This is normally -controlled by <TT -CLASS="FILENAME" ->/etc/host.conf</TT ->, <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> and <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT ->.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="PASSDB" -></A ->Chapter 3. User information database</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN234" ->3.1. Introduction</A -></H2 -><P ->Old windows clients send plain text passwords over the wire. - Samba can check these passwords by crypting them and comparing them - to the hash stored in the unix user database. - </P -><P -> Newer windows clients send encrypted passwords (so-called - Lanman and NT hashes) over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked. - </P -><P ->These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else. </P -><P ->Next to a differently encrypted passwords, - windows also stores certain data for each user - that is not stored in a unix user database, e.g. - workstations the user may logon from, the location where his/her - profile is stored, etc. - Samba retrieves and stores this information using a "passdb backend". - Commonly - available backends are LDAP, plain text file, MySQL and nisplus. - For more information, see the documentation about the - <B -CLASS="COMMAND" ->passdb backend = </B -> parameter. - </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN241" ->3.2. Important Notes About Security</A -></H2 -><P ->The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the data stored in whatever - passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.</P -><P ->Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc). </P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->never</I -></SPAN -> sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.</P -><P ->Other Microsoft operating systems which also exhibit - this behavior includes</P -><P -> These versions of MS Windows do not support full domain - security protocols, although they may log onto a domain environment. - Of these Only MS Windows XP Home does NOT support domain logons.</P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->MS DOS Network client 3.0 with - the basic network redirector installed</TD -></TR -><TR -><TD ->Windows 95 with the network redirector - update installed</TD -></TR -><TR -><TD ->Windows 98 [se]</TD -></TR -><TR -><TD ->Windows Me</TD -></TR -><TR -><TD ->Windows XP Home</TD -></TR -></TBODY -></TABLE -><P -></P -><P -> The following versions of MS Windows fully support domain - security protocols.</P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Windows NT 3.5x</TD -></TR -><TR -><TD ->Windows NT 4.0</TD -></TR -><TR -><TD ->Windows 2000 Professional</TD -></TR -><TR -><TD ->Windows 200x Server/Advanced Server</TD -></TR -><TR -><TD ->Windows XP Professional</TD -></TR -></TBODY -></TABLE -><P -></P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Note :</I -></SPAN ->All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.</P -><P ->MS Windows clients will cache the encrypted password alone. - Even when plain text passwords are re-enabled, through the appropriate - registry change, the plain text password is NEVER cached. This means that - in the event that a network connections should become disconnected (broken) - only the cached (encrypted) password will be sent to the resource server - to affect a auto-reconnect. If the resource server does not support encrypted - passwords the auto-reconnect will fail. <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->USE OF ENCRYPTED PASSWORDS - IS STRONGLY ADVISED.</I -></SPAN -></P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN267" ->3.2.1. Advantages of SMB Encryption</A -></H3 -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.</TD -></TR -><TR -><TD ->WinNT doesn't like talking to a server - that SM not support encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. - </TD -></TR -><TR -><TD ->Encrypted password support allows auto-matic share - (resource) reconnects.</TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN273" ->3.2.2. Advantages of non-encrypted passwords</A -></H3 -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Plain text passwords are not kept - on disk, and are NOT cached in memory. </TD -></TR -><TR -><TD ->Uses same password file as other unix - services such as login and ftp</TD -></TR -><TR -><TD ->Use of other services (such as telnet and ftp) which - send plain text passwords over the net, so sending them for SMB - isn't such a big deal.</TD -></TR -></TBODY -></TABLE -><P -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN279" ->3.3. The smbpasswd Command</A -></H2 -><P ->The smbpasswd utility is a utility similar to the - <B -CLASS="COMMAND" ->passwd</B -> or <B -CLASS="COMMAND" ->yppasswd</B -> programs. - It maintains the two 32 byte password fields in the passdb backend. </P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.</P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).</P -><P ->To run smbpasswd as a normal user just type :</P -><P -><SAMP -CLASS="PROMPT" ->$ </SAMP -><KBD -CLASS="USERINPUT" ->smbpasswd</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->Old SMB password: </SAMP -><KBD -CLASS="USERINPUT" -><type old value here - - or hit return if there was no old password></KBD -></P -><P -><SAMP -CLASS="PROMPT" ->New SMB Password: </SAMP -><KBD -CLASS="USERINPUT" -><type new value> - </KBD -></P -><P -><SAMP -CLASS="PROMPT" ->Repeat New SMB Password: </SAMP -><KBD -CLASS="USERINPUT" -><re-type new value - </KBD -></P -><P ->If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.</P -><P ->If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.</P -><P ->If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.</P -><P -><B -CLASS="COMMAND" ->smbpasswd</B -> is designed to work in the same way - and be familiar to UNIX users who use the <B -CLASS="COMMAND" ->passwd</B -> or - <B -CLASS="COMMAND" ->yppasswd</B -> commands.</P -><P ->For more details on using <B -CLASS="COMMAND" ->smbpasswd</B -> refer - to the man page which will always be the definitive reference.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN310" ->3.4. Plain text</A -></H2 -><P ->Older versions of samba retrieved user information from the unix user database -and eventually some other fields from the file <TT -CLASS="FILENAME" ->/etc/samba/smbpasswd</TT -> -or <TT -CLASS="FILENAME" ->/etc/smbpasswd</TT ->. When password encryption is disabled, no -data is stored at all.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN315" ->3.5. TDB</A -></H2 -><P ->Samba can also store the user data in a "TDB" (Trivial Database). Using this backend -doesn't require any additional configuration. This backend is recommended for new installations who -don't require LDAP.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN318" ->3.6. LDAP</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN320" ->3.6.1. Introduction</A -></H3 -><P ->This document describes how to use an LDAP directory for storing Samba user -account information traditionally stored in the smbpasswd(5) file. It is -assumed that the reader already has a basic understanding of LDAP concepts -and has a working directory server already installed. For more information -on LDAP architectures and Directories, please refer to the following sites.</P -><P -></P -><UL -><LI -><P ->OpenLDAP - <A -HREF="http://www.openldap.org/" -TARGET="_top" ->http://www.openldap.org/</A -></P -></LI -><LI -><P ->iPlanet Directory Server - <A -HREF="http://iplanet.netscape.com/directory" -TARGET="_top" ->http://iplanet.netscape.com/directory</A -></P -></LI -></UL -><P ->Note that <A -HREF="http://www.ora.com/" -TARGET="_top" ->O'Reilly Publishing</A -> is working on -a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002.</P -><P ->Two additional Samba resources which may prove to be helpful are</P -><P -></P -><UL -><LI -><P ->The <A -HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html" -TARGET="_top" ->Samba-PDC-LDAP-HOWTO</A -> - maintained by Ignacio Coupeau.</P -></LI -><LI -><P ->The NT migration scripts from <A -HREF="http://samba.idealx.org/" -TARGET="_top" ->IDEALX</A -> that are - geared to manage users and group in such a Samba-LDAP Domain Controller configuration. - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN340" ->3.6.2. Introduction</A -></H3 -><P ->Traditionally, when configuring <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->"encrypt -passwords = yes"</A -> in Samba's <TT -CLASS="FILENAME" ->smb.conf</TT -> file, user account -information such as username, LM/NT password hashes, password change times, and account -flags have been stored in the <TT -CLASS="FILENAME" ->smbpasswd(5)</TT -> file. There are several -disadvantages to this approach for sites with very large numbers of users (counted -in the thousands).</P -><P -></P -><UL -><LI -><P ->The first is that all lookups must be performed sequentially. Given that -there are approximately two lookups per domain logon (one for a normal -session connection such as when mapping a network drive or printer), this -is a performance bottleneck for lareg sites. What is needed is an indexed approach -such as is used in databases.</P -></LI -><LI -><P ->The second problem is that administrators who desired to replicate a -smbpasswd file to more than one Samba server were left to use external -tools such as <B -CLASS="COMMAND" ->rsync(1)</B -> and <B -CLASS="COMMAND" ->ssh(1)</B -> -and wrote custom, in-house scripts.</P -></LI -><LI -><P ->And finally, the amount of information which is stored in an -smbpasswd entry leaves no room for additional attributes such as -a home directory, password expiration time, or even a Relative -Identified (RID).</P -></LI -></UL -><P ->As a result of these defeciencies, a more robust means of storing user attributes -used by smbd was developed. The API which defines access to user accounts -is commonly referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support -for a samdb backend (e.g. <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> or -<VAR -CLASS="PARAMETER" ->--with-tdbsam</VAR ->) requires compile time support.</P -><P ->When compiling Samba to include the <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> autoconf -option, smbd (and associated tools) will store and lookup user accounts in -an LDAP directory. In reality, this is very easy to understand. If you are -comfortable with using an smbpasswd file, simply replace "smbpasswd" with -"LDAP directory" in all the documentation.</P -><P ->There are a few points to stress about what the <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> -does not provide. The LDAP support referred to in the this documentation does not -include:</P -><P -></P -><UL -><LI -><P ->A means of retrieving user account information from - an Windows 2000 Active Directory server.</P -></LI -><LI -><P ->A means of replacing /etc/passwd.</P -></LI -></UL -><P ->The second item can be accomplished by using LDAP NSS and PAM modules. LGPL -versions of these libraries can be obtained from PADL Software -(<A -HREF="http://www.padl.com/" -TARGET="_top" ->http://www.padl.com/</A ->). However, -the details of configuring these packages are beyond the scope of this document.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN369" ->3.6.3. Supported LDAP Servers</A -></H3 -><P ->The LDAP samdb code in 2.2.3 (and later) has been developed and tested -using the OpenLDAP 2.0 server and client libraries. -The same code should be able to work with Netscape's Directory Server -and client SDK. However, due to lack of testing so far, there are bound -to be compile errors and bugs. These should not be hard to fix. -If you are so inclined, please be sure to forward all patches to -<A -HREF="samba-patches@samba.org" -TARGET="_top" ->samba-patches@samba.org</A -> and -<A -HREF="jerry@samba.org" -TARGET="_top" ->jerry@samba.org</A ->.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN374" ->3.6.4. Schema and Relationship to the RFC 2307 posixAccount</A -></H3 -><P ->Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -<TT -CLASS="FILENAME" ->examples/LDAP/samba.schema</TT ->. The sambaAccount objectclass is given here:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL - DESC 'Samba Account' - MUST ( uid $ rid ) - MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ - logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ - displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupID $ domain ))</PRE -></P -><P ->The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are -owned by the Samba Team and as such is legal to be openly published. -If you translate the schema to be used with Netscape DS, please -submit the modified schema file as a patch to <A -HREF="jerry@samba.org" -TARGET="_top" ->jerry@samba.org</A -></P -><P ->Just as the smbpasswd file is mean to store information which supplements a -user's <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry, so is the sambaAccount object -meant to supplement the UNIX user account information. A sambaAccount is a -<CODE -CLASS="CONSTANT" ->STRUCTURAL</CODE -> objectclass so it can be stored individually -in the directory. However, there are several fields (e.g. uid) which overlap -with the posixAccount objectclass outlined in RFC2307. This is by design.</P -><P ->In order to store all user account information (UNIX and Samba) in the directory, -it is necessary to use the sambaAccount and posixAccount objectclasses in -combination. However, smbd will still obtain the user's UNIX account -information via the standard C library calls (e.g. getpwnam(), et. al.). -This means that the Samba server must also have the LDAP NSS library installed -and functioning correctly. This division of information makes it possible to -store all Samba account information in LDAP, but still maintain UNIX account -information in NIS while the network is transitioning to a full LDAP infrastructure.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN386" ->3.6.5. Configuring Samba with LDAP</A -></H3 -><DIV -CLASS="SECT3" -><H4 -CLASS="SECT3" -><A -NAME="AEN388" ->3.6.5.1. OpenLDAP configuration</A -></H4 -><P ->To include support for the sambaAccount object in an OpenLDAP directory -server, first copy the samba.schema file to slapd's configuration directory.</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><B -CLASS="COMMAND" ->cp samba.schema /etc/openldap/schema/</B -></P -><P ->Next, include the <TT -CLASS="FILENAME" ->samba.schema</TT -> file in <TT -CLASS="FILENAME" ->slapd.conf</TT ->. -The sambaAccount object contains two attributes which depend upon other schema -files. The 'uid' attribute is defined in <TT -CLASS="FILENAME" ->cosine.schema</TT -> and -the 'displayName' attribute is defined in the <TT -CLASS="FILENAME" ->inetorgperson.schema</TT -> -file. Both of these must be included before the <TT -CLASS="FILENAME" ->samba.schema</TT -> file.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->## /etc/openldap/slapd.conf - -## schema files (core.schema is required by default) -include /etc/openldap/schema/core.schema - -## needed for sambaAccount -include /etc/openldap/schema/cosine.schema -include /etc/openldap/schema/inetorgperson.schema -include /etc/openldap/schema/samba.schema - -## uncomment this line if you want to support the RFC2307 (NIS) schema -## include /etc/openldap/schema/nis.schema - -....</PRE -></P -><P ->It is recommended that you maintain some indices on some of the most usefull attributes, -like in the following example, to speed up searches made on sambaAccount objectclasses -(and possibly posixAccount and posixGroup as well).</P -><P -><PRE -CLASS="PROGRAMLISTING" -># Indices to maintain -## required by OpenLDAP 2.0 -index objectclass eq - -## support pb_getsampwnam() -index uid pres,eq -## support pdb_getsambapwrid() -index rid eq - -## uncomment these if you are storing posixAccount and -## posixGroup entries in the directory as well -##index uidNumber eq -##index gidNumber eq -##index cn eq -##index memberUid eq</PRE -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN405" ->3.6.5.2. Configuring Samba</A -></H4 -><P ->The following parameters are available in smb.conf only with <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> -was included with compiling Samba.</P -><P -></P -><UL -><LI -><P -><A -HREF="smb.conf.5.html#LDAPSSL" -TARGET="_top" ->ldap ssl</A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#LDAPSERVER" -TARGET="_top" ->ldap server</A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#LDAPADMINDN" -TARGET="_top" ->ldap admin dn</A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#LDAPSUFFIX" -TARGET="_top" ->ldap suffix</A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#LDAPFILTER" -TARGET="_top" ->ldap filter</A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#LDAPPORT" -TARGET="_top" ->ldap port</A -></P -></LI -></UL -><P ->These are described in the <A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5)</A -> man -page and so will not be repeated here. However, a sample smb.conf file for -use with an LDAP directory could appear as</P -><P -><PRE -CLASS="PROGRAMLISTING" ->## /usr/local/samba/lib/smb.conf -[global] - security = user - encrypt passwords = yes - - netbios name = TASHTEGO - workgroup = NARNIA - - # ldap related parameters - - # define the DN to use when binding to the directory servers - # The password for this DN is not stored in smb.conf. Rather it - # must be set by using 'smbpasswd -w <VAR -CLASS="REPLACEABLE" ->secretpw</VAR ->' to store the - # passphrase in the secrets.tdb file. If the "ldap admin dn" values - # changes, this password will need to be reset. - ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org" - - # specify the LDAP server's hostname (defaults to locahost) - ldap server = ahab.samba.org - - # Define the SSL option when connecting to the directory - # ('off', 'start tls', or 'on' (default)) - ldap ssl = start tls - - # define the port to use in the LDAP session (defaults to 636 when - # "ldap ssl = on") - ldap port = 389 - - # specify the base DN to use when searching the directory - ldap suffix = "ou=people,dc=samba,dc=org" - - # generally the default ldap search filter is ok - # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"</PRE -></P -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN433" ->3.6.6. Accounts and Groups management</A -></H3 -><P ->As users accounts are managed thru the sambaAccount objectclass, you should -modify you existing administration tools to deal with sambaAccount attributes.</P -><P ->Machines accounts are managed with the sambaAccount objectclass, just -like users accounts. However, it's up to you to stored thoses accounts -in a different tree of you LDAP namespace: you should use -"ou=Groups,dc=plainjoe,dc=org" to store groups and -"ou=People,dc=plainjoe,dc=org" to store users. Just configure your -NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration -file).</P -><P ->In Samba release 3.0, the group management system is based on posix -groups. This means that Samba make usage of the posixGroup objectclass. -For now, there is no NT-like group system management (global and local -groups).</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN438" ->3.6.7. Security and sambaAccount</A -></H3 -><P ->There are two important points to remember when discussing the security -of sambaAccount entries in the directory.</P -><P -></P -><UL -><LI -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Never</I -></SPAN -> retrieve the lmPassword or - ntPassword attribute values over an unencrypted LDAP session.</P -></LI -><LI -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Never</I -></SPAN -> allow non-admin users to - view the lmPassword or ntPassword attribute values.</P -></LI -></UL -><P ->These password hashes are clear text equivalents and can be used to impersonate -the user without deriving the original clear text strings. For more information -on the details of LM/NT password hashes, refer to the <A -HREF="ENCRYPTION.html" -TARGET="_top" ->ENCRYPTION chapter</A -> of the Samba-HOWTO-Collection.</P -><P ->To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults -to require an encrypted session (<B -CLASS="COMMAND" ->ldap ssl = on</B ->) using -the default port of 636 -when contacting the directory server. When using an OpenLDAP 2.0 server, it -is possible to use the use the StartTLS LDAP extended operation in the place of -LDAPS. In either case, you are strongly discouraged to disable this security -(<B -CLASS="COMMAND" ->ldap ssl = off</B ->).</P -><P ->Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS -extended operation. However, the OpenLDAP library still provides support for -the older method of securing communication between clients and servers.</P -><P ->The second security precaution is to prevent non-administrative users from -harvesting password hashes from the directory. This can be done using the -following ACL in <TT -CLASS="FILENAME" ->slapd.conf</TT ->:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->## allow the "ldap admin dn" access, but deny everyone else -access to attrs=lmPassword,ntPassword - by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write - by * none</PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN458" ->3.6.8. LDAP specials attributes for sambaAccounts</A -></H3 -><P ->The sambaAccount objectclass is composed of the following attributes:</P -><P -></P -><UL -><LI -><P -><CODE -CLASS="CONSTANT" ->lmPassword</CODE ->: the LANMAN password 16-byte hash stored as a character - representation of a hexidecimal string.</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->ntPassword</CODE ->: the NT password hash 16-byte stored as a character - representation of a hexidecimal string.</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->pwdLastSet</CODE ->: The integer time in seconds since 1970 when the - <CODE -CLASS="CONSTANT" ->lmPassword</CODE -> and <CODE -CLASS="CONSTANT" ->ntPassword</CODE -> attributes were last set. - </P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->acctFlags</CODE ->: string of 11 characters surrounded by square brackets [] - representing account flags such as U (user), W(workstation), X(no password expiration), and - D(disabled).</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->logonTime</CODE ->: Integer value currently unused</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->logoffTime</CODE ->: Integer value currently unused</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->kickoffTime</CODE ->: Integer value currently unused</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->pwdCanChange</CODE ->: Integer value currently unused</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->pwdMustChange</CODE ->: Integer value currently unused</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->homeDrive</CODE ->: specifies the drive letter to which to map the - UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" - where X is the letter of the drive to map. Refer to the "logon drive" parameter in the - smb.conf(5) man page for more information.</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->scriptPath</CODE ->: The scriptPath property specifies the path of - the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path - is relative to the netlogon share. Refer to the "logon script" parameter in the - smb.conf(5) man page for more information.</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->profilePath</CODE ->: specifies a path to the user's profile. - This value can be a null string, a local absolute path, or a UNC path. Refer to the - "logon path" parameter in the smb.conf(5) man page for more information.</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->smbHome</CODE ->: The homeDirectory property specifies the path of - the home directory for the user. The string can be null. If homeDrive is set and specifies - a drive letter, homeDirectory should be a UNC path. The path must be a network - UNC path of the form \\server\share\directory. This value can be a null string. - Refer to the "logon home" parameter in the smb.conf(5) man page for more information. - </P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->userWorkstation</CODE ->: character string value currently unused. - </P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->rid</CODE ->: the integer representation of the user's relative identifier - (RID).</P -></LI -><LI -><P -><CODE -CLASS="CONSTANT" ->primaryGroupID</CODE ->: the relative identifier (RID) of the primary group - of the user.</P -></LI -></UL -><P ->The majority of these parameters are only used when Samba is acting as a PDC of -a domain (refer to the <A -HREF="Samba-PDC-HOWTO.html" -TARGET="_top" ->Samba-PDC-HOWTO</A -> for details on -how to configure Samba as a Primary Domain Controller). The following four attributes -are only stored with the sambaAccount entry if the values are non-default values:</P -><P -></P -><UL -><LI -><P ->smbHome</P -></LI -><LI -><P ->scriptPath</P -></LI -><LI -><P ->logonPath</P -></LI -><LI -><P ->homeDrive</P -></LI -></UL -><P ->These attributes are only stored with the sambaAccount entry if -the values are non-default values. For example, assume TASHTEGO has now been -configured as a PDC and that <B -CLASS="COMMAND" ->logon home = \\%L\%u</B -> was defined in -its <TT -CLASS="FILENAME" ->smb.conf</TT -> file. When a user named "becky" logons to the domain, -the <VAR -CLASS="PARAMETER" ->logon home</VAR -> string is expanded to \\TASHTEGO\becky. -If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", -this value is used. However, if this attribute does not exist, then the value -of the <VAR -CLASS="PARAMETER" ->logon home</VAR -> parameter is used in its place. Samba -will only write the attribute value to the directory entry is the value is -something other than the default (e.g. \\MOBY\becky).</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN528" ->3.6.9. Example LDIF Entries for a sambaAccount</A -></H3 -><P ->The following is a working LDIF with the inclusion of the posixAccount objectclass:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->dn: uid=guest2, ou=people,dc=plainjoe,dc=org -ntPassword: 878D8014606CDA29677A44EFA1353FC7 -pwdMustChange: 2147483647 -primaryGroupID: 1201 -lmPassword: 552902031BEDE9EFAAD3B435B51404EE -pwdLastSet: 1010179124 -logonTime: 0 -objectClass: sambaAccount -uid: guest2 -kickoffTime: 2147483647 -acctFlags: [UX ] -logoffTime: 2147483647 -rid: 19006 -pwdCanChange: 0</PRE -></P -><P ->The following is an LDIF entry for using both the sambaAccount and -posixAccount objectclasses:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->dn: uid=gcarter, ou=people,dc=plainjoe,dc=org -logonTime: 0 -displayName: Gerald Carter -lmPassword: 552902031BEDE9EFAAD3B435B51404EE -primaryGroupID: 1201 -objectClass: posixAccount -objectClass: sambaAccount -acctFlags: [UX ] -userPassword: {crypt}BpM2ej8Rkzogo -uid: gcarter -uidNumber: 9000 -cn: Gerald Carter -loginShell: /bin/bash -logoffTime: 2147483647 -gidNumber: 100 -kickoffTime: 2147483647 -pwdLastSet: 1010179230 -rid: 19000 -homeDirectory: /home/tashtego/gcarter -pwdCanChange: 0 -pwdMustChange: 2147483647 -ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN536" ->3.7. MySQL</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN538" ->3.7.1. Building</A -></H3 -><P ->To build the plugin, run <B -CLASS="COMMAND" ->make bin/pdb_mysql.so</B -> -in the <TT -CLASS="FILENAME" ->source/</TT -> directory of samba distribution. </P -><P ->Next, copy pdb_mysql.so to any location you want. I -strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN544" ->3.7.2. Creating the database</A -></H3 -><P ->You either can set up your own table and specify the field names to pdb_mysql (see below -for the column names) or use the default table. The file <TT -CLASS="FILENAME" ->examples/pdb/mysql/mysql.dump</TT -> -contains the correct queries to create the required tables. Use the command : - -<B -CLASS="COMMAND" ->mysql -u<VAR -CLASS="REPLACEABLE" ->username</VAR -> -h<VAR -CLASS="REPLACEABLE" ->hostname</VAR -> -p<VAR -CLASS="REPLACEABLE" ->password</VAR -> <VAR -CLASS="REPLACEABLE" ->databasename</VAR -> < <TT -CLASS="FILENAME" ->/path/to/samba/examples/pdb/mysql/mysql.dump</TT -></B -> </P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN554" ->3.7.3. Configuring</A -></H3 -><P ->This plugin lacks some good documentation, but here is some short info:</P -><P ->Add a the following to the <B -CLASS="COMMAND" ->passdb backend</B -> variable in your <TT -CLASS="FILENAME" ->smb.conf</TT ->: -<PRE -CLASS="PROGRAMLISTING" ->passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]</PRE -></P -><P ->The identifier can be any string you like, as long as it doesn't collide with -the identifiers of other plugins or other instances of pdb_mysql. If you -specify multiple pdb_mysql.so entries in 'passdb backend', you also need to -use different identifiers!</P -><P ->Additional options can be given thru the smb.conf file in the [global] section.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->identifier:mysql host - host name, defaults to 'localhost' -identifier:mysql password -identifier:mysql user - defaults to 'samba' -identifier:mysql database - defaults to 'samba' -identifier:mysql port - defaults to 3306 -identifier:table - Name of the table containing users</PRE -></P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Since the password for the mysql user is stored in the -smb.conf file, you should make the the smb.conf file -readable only to the user that runs samba. This is considered a security -bug and will be fixed soon.</P -></TD -></TR -></TABLE -></DIV -><P ->Names of the columns in this table(I've added column types those columns should have first):</P -><P -><PRE -CLASS="PROGRAMLISTING" ->identifier:logon time column - int(9) -identifier:logoff time column - int(9) -identifier:kickoff time column - int(9) -identifier:pass last set time column - int(9) -identifier:pass can change time column - int(9) -identifier:pass must change time column - int(9) -identifier:username column - varchar(255) - unix username -identifier:domain column - varchar(255) - NT domain user is part of -identifier:nt username column - varchar(255) - NT username -identifier:fullname column - varchar(255) - Full name of user -identifier:home dir column - varchar(255) - Unix homedir path -identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') -identifier:logon script column - varchar(255) - Batch file to run on client side when logging on -identifier:profile path column - varchar(255) - Path of profile -identifier:acct desc column - varchar(255) - Some ASCII NT user data -identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) -identifier:unknown string column - varchar(255) - unknown string -identifier:munged dial column - varchar(255) - ? -identifier:uid column - int(9) - Unix user ID (uid) -identifier:gid column - int(9) - Unix user group (gid) -identifier:user sid column - varchar(255) - NT user SID -identifier:group sid column - varchar(255) - NT group ID -identifier:lanman pass column - varchar(255) - encrypted lanman password -identifier:nt pass column - varchar(255) - encrypted nt passwd -identifier:plain pass column - varchar(255) - plaintext password -identifier:acct control column - int(9) - nt user data -identifier:unknown 3 column - int(9) - unknown -identifier:logon divs column - int(9) - ? -identifier:hours len column - int(9) - ? -identifier:unknown 5 column - int(9) - unknown -identifier:unknown 6 column - int(9) - unknown</PRE -></P -><P ->Eventually, you can put a colon (:) after the name of each column, which -should specify the column to update when updating the table. You can also -specify nothing behind the colon - then the data from the field will not be -updated. </P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN571" ->3.7.4. Using plaintext passwords or encrypted password</A -></H3 -><P ->I strongly discourage the use of plaintext passwords, however, you can use them:</P -><P ->If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. </P -><P ->If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN576" ->3.7.5. Getting non-column data from the table</A -></H3 -><P ->It is possible to have not all data in the database and making some 'constant'.</P -><P ->For example, you can set 'identifier:fullname column' to : -<B -CLASS="COMMAND" ->CONCAT(First_name,' ',Sur_name)</B -></P -><P ->Or, set 'identifier:workstations column' to : -<B -CLASS="COMMAND" ->NULL</B -></P -><P ->See the MySQL documentation for more language constructs.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN584" ->3.8. Passdb XML plugin</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN586" ->3.8.1. Building</A -></H3 -><P ->This module requires libxml2 to be installed.</P -><P ->To build pdb_xml, run: <B -CLASS="COMMAND" ->make bin/pdb_xml.so</B -> in -the directory <TT -CLASS="FILENAME" ->source/</TT ->. </P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN592" ->3.8.2. Usage</A -></H3 -><P ->The usage of pdb_xml is pretty straightforward. To export data, use: - -<B -CLASS="COMMAND" ->pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</B -> - -(where filename is the name of the file to put the data in)</P -><P ->To import data, use: -<B -CLASS="COMMAND" ->pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</B -> - -Where filename is the name to read the data from and current-pdb to put it in.</P -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="PART" -><A -NAME="TYPE" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" ->II. Type of installation</H1 -><DIV -CLASS="PARTINTRO" -><A -NAME="AEN600" -></A -><H1 ->Introduction</H1 -><P ->Samba can operate in various SMB networks. This part contains information on configuring samba -for various environments.</P -></DIV -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->4. <A -HREF="#SERVERTYPE" ->Nomenclature of Server Types</A -></DT -><DD -><DL -><DT ->4.1. <A -HREF="#AEN627" ->Stand Alone Server</A -></DT -><DT ->4.2. <A -HREF="#AEN633" ->Domain Member Server</A -></DT -><DT ->4.3. <A -HREF="#AEN639" ->Domain Controller</A -></DT -><DD -><DL -><DT ->4.3.1. <A -HREF="#AEN642" ->Domain Controller Types</A -></DT -></DL -></DD -></DL -></DD -><DT ->5. <A -HREF="#SECURITYLEVELS" ->User and Share security level (for servers not in a domain)</A -></DT -><DT ->6. <A -HREF="#SAMBA-PDC" ->Samba as an NT4 or Win2k Primary Domain Controller</A -></DT -><DD -><DL -><DT ->6.1. <A -HREF="#AEN703" ->Prerequisite Reading</A -></DT -><DT ->6.2. <A -HREF="#AEN708" ->Background</A -></DT -><DT ->6.3. <A -HREF="#AEN746" ->Configuring the Samba Domain Controller</A -></DT -><DT ->6.4. <A -HREF="#AEN788" ->Creating Machine Trust Accounts and Joining Clients to the Domain</A -></DT -><DD -><DL -><DT ->6.4.1. <A -HREF="#AEN831" ->Manual Creation of Machine Trust Accounts</A -></DT -><DT ->6.4.2. <A -HREF="#AEN872" ->"On-the-Fly" Creation of Machine Trust Accounts</A -></DT -><DT ->6.4.3. <A -HREF="#AEN881" ->Joining the Client to the Domain</A -></DT -></DL -></DD -><DT ->6.5. <A -HREF="#AEN896" ->Common Problems and Errors</A -></DT -><DT ->6.6. <A -HREF="#AEN944" ->System Policies and Profiles</A -></DT -><DT ->6.7. <A -HREF="#AEN988" ->What other help can I get?</A -></DT -><DT ->6.8. <A -HREF="#AEN1102" ->Domain Control for Windows 9x/ME</A -></DT -><DD -><DL -><DT ->6.8.1. <A -HREF="#AEN1128" ->Configuration Instructions: Network Logons</A -></DT -><DT ->6.8.2. <A -HREF="#AEN1147" ->Configuration Instructions: Setting up Roaming User Profiles</A -></DT -></DL -></DD -><DT ->6.9. <A -HREF="#AEN1240" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></DT -></DL -></DD -><DT ->7. <A -HREF="#SAMBA-BDC" ->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A -></DT -><DD -><DL -><DT ->7.1. <A -HREF="#AEN1276" ->Prerequisite Reading</A -></DT -><DT ->7.2. <A -HREF="#AEN1280" ->Background</A -></DT -><DT ->7.3. <A -HREF="#AEN1288" ->What qualifies a Domain Controller on the network?</A -></DT -><DD -><DL -><DT ->7.3.1. <A -HREF="#AEN1291" ->How does a Workstation find its domain controller?</A -></DT -><DT ->7.3.2. <A -HREF="#AEN1294" ->When is the PDC needed?</A -></DT -></DL -></DD -><DT ->7.4. <A -HREF="#AEN1297" ->Can Samba be a Backup Domain Controller to an NT PDC?</A -></DT -><DT ->7.5. <A -HREF="#AEN1302" ->How do I set up a Samba BDC?</A -></DT -><DD -><DL -><DT ->7.5.1. <A -HREF="#AEN1319" ->How do I replicate the smbpasswd file?</A -></DT -><DT ->7.5.2. <A -HREF="#AEN1323" ->Can I do this all with LDAP?</A -></DT -></DL -></DD -></DL -></DD -><DT ->8. <A -HREF="#ADS" ->Samba as a ADS domain member</A -></DT -><DD -><DL -><DT ->8.1. <A -HREF="#AEN1341" ->Installing the required packages for Debian</A -></DT -><DT ->8.2. <A -HREF="#AEN1348" ->Installing the required packages for RedHat</A -></DT -><DT ->8.3. <A -HREF="#AEN1358" ->Compile Samba</A -></DT -><DT ->8.4. <A -HREF="#AEN1373" ->Setup your /etc/krb5.conf</A -></DT -><DT ->8.5. <A -HREF="#AEN1383" ->Create the computer account</A -></DT -><DD -><DL -><DT ->8.5.1. <A -HREF="#AEN1387" ->Possible errors</A -></DT -></DL -></DD -><DT ->8.6. <A -HREF="#AEN1395" ->Test your server setup</A -></DT -><DT ->8.7. <A -HREF="#AEN1400" ->Testing with smbclient</A -></DT -><DT ->8.8. <A -HREF="#AEN1403" ->Notes</A -></DT -></DL -></DD -><DT ->9. <A -HREF="#DOMAIN-SECURITY" ->Samba as a NT4 or Win2k domain member</A -></DT -><DD -><DL -><DT ->9.1. <A -HREF="#AEN1425" ->Joining an NT Domain with Samba 3.0</A -></DT -><DT ->9.2. <A -HREF="#AEN1480" ->Samba and Windows 2000 Domains</A -></DT -><DT ->9.3. <A -HREF="#AEN1483" ->Why is this better than security = server?</A -></DT -></DL -></DD -></DL -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SERVERTYPE" -></A ->Chapter 4. Nomenclature of Server Types</H1 -><P ->Adminstrators of Microsoft networks often refer to there being three -different type of servers:</P -><P -></P -><UL -><LI -><P ->Stand Alone Server</P -></LI -><LI -><P ->Domain Member Server</P -></LI -><LI -><P ->Domain Controller</P -><P -></P -><UL -><LI -><P ->Primary Domain Controller</P -></LI -><LI -><P ->Backup Domain Controller</P -></LI -></UL -></LI -></UL -><P ->A network administrator who is familiar with these terms and who -wishes to migrate to or use Samba will want to know what these terms mean -within a Samba context.</P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN627" ->4.1. Stand Alone Server</A -></H2 -><P ->The term <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->stand alone server</I -></SPAN -> means that the server -will provide local authentication and access control for all resources -that are available from it. In general this means that there will be a -local user database. In more technical terms, it means that resources -on the machine will either be made available in either SHARE mode or in -USER mode. SHARE mode and USER mode security are documented under -discussions regarding "security mode". The smb.conf configuration parameters -that control security mode are: "security = user" and "security = share".</P -><P ->Samba tends to blur the distinction a little in respect of what is -a stand alone server. This is because the authentication database may be -local or on a remote server, even if from the samba protocol perspective -the samba server is NOT a member of a domain security context.</P -><P ->Through the use of PAM (Pluggable Authentication Modules) and nsswitch -(the name service switcher) the source of authentication may reside on -another server. We would be inclined to call this the authentication server. -This means that the samba server may use the local Unix/Linux system -password database (/etc/passwd or /etc/shadow), may use a local smbpasswd -file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or -may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB -server for authentication.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN633" ->4.2. Domain Member Server</A -></H2 -><P ->This mode of server operation involves the samba machine being made a member -of a domain security context. This means by definition that all user authentication -will be done from a centrally defined authentication regime. The authentication -regime may come from an NT3/4 style (old domain technology) server, or it may be -provided from an Active Directory server (ADS) running on MS Windows 2000 or later. ->/para> </P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Of course it should be clear that the authentication back end itself could be from any -distributed directory architecture server that is supported by Samba. This can be -LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc.</I -></SPAN -></P -><P ->Please refer to the section on Howto configure Samba as a Primary Domain Controller -and for more information regarding how to create a domain machine account for a -domain member server as well as for information regading how to enable the samba -domain member machine to join the domain and to be fully trusted by it.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN639" ->4.3. Domain Controller</A -></H2 -><P ->Over the years public perceptions of what Domain Control really is has taken on an -almost mystical nature. Before we branch into a brief overview of what Domain Control -is the following types of controller are known:</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN642" ->4.3.1. Domain Controller Types</A -></H3 -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Primary Domain Controller</TD -></TR -><TR -><TD ->Backup Domain Controller</TD -></TR -><TR -><TD ->ADS Domain Controller</TD -></TR -></TBODY -></TABLE -><P -></P -><P ->The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Primary Domain Controller</I -></SPAN -> or PDC plays an important role in the MS -Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many -expect. The PDC seeds the Domain Control database (a part of the Windows registry) and -it plays a key part in synchronisation of the domain authentication database. </P -><P ->New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as -the NT4 style SAM (Security Account Manager) database (one of the registry files). -The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and -valid options include <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" -> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</I -></SPAN ->. -The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix -Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux -system accounts, provided a uid range is defined from which SAM accounts can be created.</P -><P ->The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Backup Domain Controller</I -></SPAN -> or BDC plays a key role in servicing network -authentication requests. The BDC is biased to answer logon requests so that on a network segment -that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will -answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to -a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is -automatically demoted to a BDC.</P -><P ->At this time Samba is NOT capable of acting as an <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->ADS Domain Controller</I -></SPAN ->. </P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SECURITYLEVELS" -></A ->Chapter 5. User and Share security level (for servers not in a domain)</H1 -><P ->A SMB server tells the client at startup what "security level" it is -running. There are two options "share level" and "user level". Which -of these two the client receives affects the way the client then tries -to authenticate itself. It does not directly affect (to any great -extent) the way the Samba server does security. I know this is -strange, but it fits in with the client/server approach of SMB. In SMB -everything is initiated and controlled by the client, and the server -can only tell the client what is available and whether an action is -allowed. </P -><P ->I'll describe user level security first, as its simpler. In user level -security the client will send a "session setup" command directly after -the protocol negotiation. This contains a username and password. The -server can either accept or reject that username/password -combination. Note that at this stage the server has no idea what -share the client will eventually try to connect to, so it can't base -the "accept/reject" on anything other than:</P -><P -></P -><OL -TYPE="1" -><LI -><P ->the username/password</P -></LI -><LI -><P ->the machine that the client is coming from</P -></LI -></OL -><P ->If the server accepts the username/password then the client expects to -be able to mount any share (using a "tree connection") without -specifying a password. It expects that all access rights will be as -the username/password specified in the "session setup". </P -><P ->It is also possible for a client to send multiple "session setup" -requests. When the server responds it gives the client a "uid" to use -as an authentication tag for that username/password. The client can -maintain multiple authentication contexts in this way (WinDD is an -example of an application that does this)</P -><P ->Ok, now for share level security. In share level security the client -authenticates itself separately for each share. It will send a -password along with each "tree connection" (share mount). It does not -explicitly send a username with this operation. The client is -expecting a password to be associated with each share, independent of -the user. This means that samba has to work out what username the -client probably wants to use. It is never explicitly sent the -username. Some commercial SMB servers such as NT actually associate -passwords directly with shares in share level security, but samba -always uses the unix authentication scheme where it is a -username/password that is authenticated, not a "share/password".</P -><P ->Many clients send a "session setup" even if the server is in share -level security. They normally send a valid username but no -password. Samba records this username in a list of "possible -usernames". When the client then does a "tree connection" it also adds -to this list the name of the share they try to connect to (useful for -home directories) and any users listed in the "user =" smb.conf -line. The password is then checked in turn against these "possible -usernames". If a match is found then the client is authenticated as -that user.</P -><P ->Finally "server level" security. In server level security the samba -server reports to the client that it is in user level security. The -client then does a "session setup" as described earlier. The samba -server takes the username/password that the client sends and attempts -to login to the "password server" by sending exactly the same -username/password that it got from the client. If that server is in -user level security and accepts the password then samba accepts the -clients connection. This allows the samba server to use another SMB -server as the "password server". </P -><P ->You should also note that at the very start of all this, where the -server tells the client what security level it is in, it also tells -the client if it supports encryption. If it does then it supplies the -client with a random "cryptkey". The client will then send all -passwords in encrypted form. You have to compile samba with encryption -enabled to support this feature, and you have to maintain a separate -smbpasswd file with SMB style encrypted passwords. It is -cryptographically impossible to translate from unix style encryption -to SMB style encryption, although there are some fairly simple management -schemes by which the two could be kept in sync.</P -><P ->"security = server" means that Samba reports to clients that -it is running in "user mode" but actually passes off all authentication -requests to another "user mode" server. This requires an additional -parameter "password server =" that points to the real authentication server. -That real authentication server can be another Samba server or can be a -Windows NT server, the later natively capable of encrypted password support.</P -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SAMBA-PDC" -></A ->Chapter 6. Samba as an NT4 or Win2k Primary Domain Controller</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN703" ->6.1. Prerequisite Reading</A -></H2 -><P ->Before you continue reading in this chapter, please make sure -that you are comfortable with configuring basic files services -in smb.conf and how to enable and administer password -encryption in Samba. Theses two topics are covered in the -<A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5)</TT -></A -> -manpage.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN708" ->6.2. Background</A -></H2 -><P ->This article outlines the steps necessary for configuring Samba as a PDC. -It is necessary to have a working Samba server prior to implementing the -PDC functionality.</P -><P -></P -><UL -><LI -><P -> domain logons for Windows NT 4.0 / 200x / XP Professional clients. - </P -></LI -><LI -><P -> placing Windows 9x / Me clients in user level security - </P -></LI -><LI -><P -> retrieving a list of users and groups from a Samba PDC to - Windows 9x / Me / NT / 200x / XP Professional clients - </P -></LI -><LI -><P -> roaming user profiles - </P -></LI -><LI -><P -> Windows NT 4.0-style system policies - </P -></LI -></UL -><P ->The following functionalities are new to the Samba 3.0 release:</P -><P -></P -><UL -><LI -><P -> Windows NT 4 domain trusts - </P -></LI -><LI -><P -> Adding users via the User Manager for Domains - </P -></LI -></UL -><P ->The following functionalities are NOT provided by Samba 3.0:</P -><P -></P -><UL -><LI -><P -> SAM replication with Windows NT 4.0 Domain Controllers - (i.e. a Samba PDC and a Windows NT BDC or vice versa) - </P -></LI -><LI -><P -> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and - Active Directory) - </P -></LI -></UL -><P ->Please note that Windows 9x / Me / XP Home clients are not true members of a domain -for reasons outlined in this article. Therefore the protocol for -support Windows 9x-style domain logons is completely different -from NT4 / Win2k type domain logons and has been officially supported for some -time.</P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->MS Windows XP Home edition is NOT able to join a domain and does not permit -the use of domain logons.</I -></SPAN -></P -><P ->Implementing a Samba PDC can basically be divided into 3 broad -steps.</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Configuring the Samba PDC - </P -></LI -><LI -><P -> Creating machine trust accounts and joining clients to the domain - </P -></LI -><LI -><P -> Adding and managing domain user accounts - </P -></LI -></OL -><P ->There are other minor details such as user profiles, system -policies, etc... However, these are not necessarily specific -to a Samba PDC as much as they are related to Windows NT networking -concepts.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN746" ->6.3. Configuring the Samba Domain Controller</A -></H2 -><P ->The first step in creating a working Samba PDC is to -understand the parameters necessary in smb.conf. Here we -attempt to explain the parameters that are covered in -<A -HREF="smb.conf.5.html" -TARGET="_top" -> the smb.conf -man page</A ->.</P -><P ->Here is an example <TT -CLASS="FILENAME" ->smb.conf</TT -> for acting as a PDC:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - ; Basic server settings - <A -HREF="smb.conf.5.html#NETBIOSNAME" -TARGET="_top" ->netbios name</A -> = <VAR -CLASS="REPLACEABLE" ->POGO</VAR -> - <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" ->workgroup</A -> = <VAR -CLASS="REPLACEABLE" ->NARNIA</VAR -> - - ; we should act as the domain and local master browser - <A -HREF="smb.conf.5.html#OSLEVEL" -TARGET="_top" ->os level</A -> = 64 - <A -HREF="smb.conf.5.html#PERFERREDMASTER" -TARGET="_top" ->preferred master</A -> = yes - <A -HREF="smb.conf.5.html#DOMAINMASTER" -TARGET="_top" ->domain master</A -> = yes - <A -HREF="smb.conf.5.html#LOCALMASTER" -TARGET="_top" ->local master</A -> = yes - - ; security settings (must user security = user) - <A -HREF="smb.conf.5.html#SECURITYEQUALSUSER" -TARGET="_top" ->security</A -> = user - - ; encrypted passwords are a requirement for a PDC - <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords</A -> = yes - - ; support domain logons - <A -HREF="smb.conf.5.html#DOMAINLOGONS" -TARGET="_top" ->domain logons</A -> = yes - - ; where to store user profiles? - <A -HREF="smb.conf.5.html#LOGONPATH" -TARGET="_top" ->logon path</A -> = \\%N\profiles\%u - - ; where is a user's home directory and where should it be mounted at? - <A -HREF="smb.conf.5.html#LOGONDRIVE" -TARGET="_top" ->logon drive</A -> = H: - <A -HREF="smb.conf.5.html#LOGONHOME" -TARGET="_top" ->logon home</A -> = \\homeserver\%u - - ; specify a generic logon script for all users - ; this is a relative **DOS** path to the [netlogon] share - <A -HREF="smb.conf.5.html#LOGONSCRIPT" -TARGET="_top" ->logon script</A -> = logon.cmd - -; necessary share for domain controller -[netlogon] - <A -HREF="smb.conf.5.html#PATH" -TARGET="_top" ->path</A -> = /usr/local/samba/lib/netlogon - <A -HREF="smb.conf.5.html#READONLY" -TARGET="_top" ->read only</A -> = yes - <A -HREF="smb.conf.5.html#WRITELIST" -TARGET="_top" ->write list</A -> = <VAR -CLASS="REPLACEABLE" ->ntadmin</VAR -> - -; share for storing user profiles -[profiles] - <A -HREF="smb.conf.5.html#PATH" -TARGET="_top" ->path</A -> = /export/smb/ntprofile - <A -HREF="smb.conf.5.html#READONLY" -TARGET="_top" ->read only</A -> = no - <A -HREF="smb.conf.5.html#CREATEMASK" -TARGET="_top" ->create mask</A -> = 0600 - <A -HREF="smb.conf.5.html#DIRECTORYMASK" -TARGET="_top" ->directory mask</A -> = 0700</PRE -></P -><P ->There are a couple of points to emphasize in the above configuration.</P -><P -></P -><UL -><LI -><P -> Encrypted passwords must be enabled. For more details on how - to do this, refer to <A -HREF="ENCRYPTION.html" -TARGET="_top" ->ENCRYPTION.html</A ->. - </P -></LI -><LI -><P -> The server must support domain logons and a - <TT -CLASS="FILENAME" ->[netlogon]</TT -> share - </P -></LI -><LI -><P -> The server must be the domain master browser in order for Windows - client to locate the server as a DC. Please refer to the various - Network Browsing documentation included with this distribution for - details. - </P -></LI -></UL -><P ->Samba 3.0 offers a complete implementation of group mapping -between Windows NT groups and Unix groups (this is really quite -complicated to explain in a short space).</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN788" ->6.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A -></H2 -><P ->A machine trust account is a Samba account that is used to -authenticate a client machine (rather than a user) to the Samba -server. In Windows terminology, this is known as a "Computer -Account."</P -><P ->The password of a machine trust account acts as the shared secret for -secure communication with the Domain Controller. This is a security -feature to prevent an unauthorized machine with the same NetBIOS name -from joining the domain and gaining access to domain user/group -accounts. Windows NT, 200x, XP Professional clients use machine trust -accounts, but Windows 9x / Me / XP Home clients do not. Hence, a -Windows 9x / Me / XP Home client is never a true member of a domain -because it does not possess a machine trust account, and thus has no -shared secret with the domain controller.</P -><P ->A Windows PDC stores each machine trust account in the Windows -Registry. A Samba-3 PDC also has to stoe machine trust account information -in a suitable back-end data store. With Samba-3 there can be multiple back-ends -for this including:</P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->smbpaswd</I -></SPAN -> - the plain ascii file stored used by - earlier versions of Samba. This file configuration option requires - a Unix/Linux system account for EVERY entry (ie: both for user and for - machine accounts). This file will be located in the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->private</I -></SPAN -> - directory (default is /usr/local/samba/lib/private or on linux /etc/samba). - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->smbpasswd_nua</I -></SPAN -> - This file is independant of the - system wide user accounts. The use of this back-end option requires - specification of the "non unix account range" option also. It is called - smbpasswd and will be located in the <TT -CLASS="FILENAME" ->private</TT -> directory. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->tdbsam</I -></SPAN -> - a binary database backend that will be - stored in the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->private</I -></SPAN -> directory in a file called - <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->passwd.tdb</I -></SPAN ->. The key benefit of this binary format - file is that it can store binary objects that can not be accomodated - in the traditional plain text smbpasswd file. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->tdbsam_nua</I -></SPAN -> like the smbpasswd_nua option above, this - file allows the creation of arbitrary user and machine accounts without - requiring that account to be added to the system (/etc/passwd) file. It - too requires the specification of the "non unix account range" option - in the [globals] section of the smb.conf file. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->ldapsam</I -></SPAN -> - An LDAP based back-end. Permits the - LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->ldapsam_nua</I -></SPAN -> - LDAP based back-end with no unix - account requirement, like smbpasswd_nua and tdbsam_nua above. - </P -></LI -></UL -><P ->A Samba PDC, however, stores each machine trust account in two parts, -as follows: - -<P -></P -><UL -><LI -><P ->A Samba account, stored in the same location as user - LanMan and NT password hashes (currently - <TT -CLASS="FILENAME" ->smbpasswd</TT ->). The Samba account - possesses and uses only the NT password hash.</P -></LI -><LI -><P ->A corresponding Unix account, typically stored in - <TT -CLASS="FILENAME" ->/etc/passwd</TT ->. (Future releases will alleviate the need to - create <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entries.) </P -></LI -></UL -></P -><P ->There are two ways to create machine trust accounts:</P -><P -></P -><UL -><LI -><P -> Manual creation. Both the Samba and corresponding - Unix account are created by hand.</P -></LI -><LI -><P -> "On-the-fly" creation. The Samba machine trust - account is automatically created by Samba at the time the client - is joined to the domain. (For security, this is the - recommended method.) The corresponding Unix account may be - created automatically or manually. </P -></LI -></UL -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN831" ->6.4.1. Manual Creation of Machine Trust Accounts</A -></H3 -><P ->The first step in manually creating a machine trust account is to -manually create the corresponding Unix account in -<TT -CLASS="FILENAME" ->/etc/passwd</TT ->. This can be done using -<B -CLASS="COMMAND" ->vipw</B -> or other 'add user' command that is normally -used to create new Unix accounts. The following is an example for a -Linux based Samba server:</P -><P -> <SAMP -CLASS="PROMPT" ->root# </SAMP -><B -CLASS="COMMAND" ->/usr/sbin/useradd -g 100 -d /dev/null -c <VAR -CLASS="REPLACEABLE" ->"machine -nickname"</VAR -> -s /bin/false <VAR -CLASS="REPLACEABLE" ->machine_name</VAR ->$ </B -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><B -CLASS="COMMAND" ->passwd -l <VAR -CLASS="REPLACEABLE" ->machine_name</VAR ->$</B -></P -><P ->On *BSD systems, this can be done using the 'chpass' utility:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><B -CLASS="COMMAND" ->chpass -a "<VAR -CLASS="REPLACEABLE" ->machine_name</VAR ->$:*:101:100::0:0:Workstation <VAR -CLASS="REPLACEABLE" ->machine_name</VAR ->:/dev/null:/sbin/nologin"</B -></P -><P ->The <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry will list the machine name -with a "$" appended, won't have a password, will have a null shell and no -home directory. For example a machine named 'doppy' would have an -<TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->doppy$:x:505:501:<VAR -CLASS="REPLACEABLE" ->machine_nickname</VAR ->:/dev/null:/bin/false</PRE -></P -><P ->Above, <VAR -CLASS="REPLACEABLE" ->machine_nickname</VAR -> can be any -descriptive name for the client, i.e., BasementComputer. -<VAR -CLASS="REPLACEABLE" ->machine_name</VAR -> absolutely must be the NetBIOS -name of the client to be joined to the domain. The "$" must be -appended to the NetBIOS name of the client or Samba will not recognize -this as a machine trust account.</P -><P ->Now that the corresponding Unix account has been created, the next step is to create -the Samba account for the client containing the well-known initial -machine trust account password. This can be done using the <A -HREF="smbpasswd.8.html" -TARGET="_top" -><B -CLASS="COMMAND" ->smbpasswd(8)</B -></A -> command -as shown here:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><B -CLASS="COMMAND" ->smbpasswd -a -m <VAR -CLASS="REPLACEABLE" ->machine_name</VAR -></B -></P -><P ->where <VAR -CLASS="REPLACEABLE" ->machine_name</VAR -> is the machine's NetBIOS -name. The RID of the new machine account is generated from the UID of -the corresponding Unix account.</P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->Join the client to the domain immediately</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> Manually creating a machine trust account using this method is the - equivalent of creating a machine trust account on a Windows NT PDC using - the "Server Manager". From the time at which the account is created - to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using a - a machine with the same NetBIOS name. A PDC inherently trusts - members of the domain and will serve out a large degree of user - information to such clients. You have been warned! - </P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN872" ->6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A -></H3 -><P ->The second (and recommended) way of creating machine trust accounts is -simply to allow the Samba server to create them as needed when the client -is joined to the domain. </P -><P ->Since each Samba machine trust account requires a corresponding -Unix account, a method for automatically creating the -Unix account is usually supplied; this requires configuration of the -<A -HREF="smb.conf.5.html#ADDUSERSCRIPT" -TARGET="_top" ->add user script</A -> -option in <TT -CLASS="FILENAME" ->smb.conf</TT ->. This -method is not required, however; corresponding Unix accounts may also -be created manually.</P -><P ->Below is an example for a RedHat 6.2 Linux system.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - # <...remainder of parameters...> - add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN881" ->6.4.3. Joining the Client to the Domain</A -></H3 -><P ->The procedure for joining a client to the domain varies with the -version of Windows.</P -><P -></P -><UL -><LI -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Windows 2000</I -></SPAN -></P -><P -> When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A - Samba administrative account (i.e., a Samba account that has root - privileges on the Samba server) must be entered here; the - operation will fail if an ordinary user account is given. - The password for this account should be - set to a different password than the associated - <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry, for security - reasons. </P -><P ->The session key of the Samba administrative account acts as an - encryption key for setting the password of the machine trust - account. The machine trust account will be created on-the-fly, or - updated if it already exists.</P -></LI -><LI -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Windows NT</I -></SPAN -></P -><P -> If the machine trust account was created manually, on the - Identification Changes menu enter the domain name, but do not - check the box "Create a Computer Account in the Domain." In this case, - the existing machine trust account is used to join the machine to - the domain.</P -><P -> If the machine trust account is to be created - on-the-fly, on the Identification Changes menu enter the domain - name, and check the box "Create a Computer Account in the Domain." In - this case, joining the domain proceeds as above for Windows 2000 - (i.e., you must supply a Samba administrative account when - prompted).</P -></LI -></UL -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN896" ->6.5. Common Problems and Errors</A -></H2 -><P -></P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->I cannot include a '$' in a machine name.</I -></SPAN -> - </P -><P -> A 'machine name' in (typically) <TT -CLASS="FILENAME" ->/etc/passwd</TT -> - of the machine name with a '$' appended. FreeBSD (and other BSD - systems?) won't create a user with a '$' in their name. - </P -><P -> The problem is only in the program used to make the entry, once - made, it works perfectly. So create a user without the '$' and - use <B -CLASS="COMMAND" ->vipw</B -> to edit the entry, adding the '$'. Or create - the whole entry with vipw if you like, make sure you use a - unique User ID ! - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->I get told "You already have a connection to the Domain...." - or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine trust account.</I -></SPAN -> - </P -><P -> This happens if you try to create a machine trust account from the - machine itself and already have a connection (e.g. mapped drive) - to a share (or IPC$) on the Samba PDC. The following command - will remove all network drive connections: - </P -><P -> <SAMP -CLASS="PROMPT" ->C:\WINNT\></SAMP -> <B -CLASS="COMMAND" ->net use * /d</B -> - </P -><P -> Further, if the machine is a already a 'member of a workgroup' that - is the same name as the domain you are joining (bad idea) you will - get this message. Change the workgroup name to something else, it - does not matter what, reboot, and try again. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->The system can not log you on (C000019B)....</I -></SPAN -> - </P -><P ->I joined the domain successfully but after upgrading - to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try a gain or consult your - system administrator" when attempting to logon. - </P -><P -> This occurs when the domain SID stored in - <TT -CLASS="FILENAME" ->private/WORKGROUP.SID</TT -> is - changed. For example, you remove the file and <B -CLASS="COMMAND" ->smbd</B -> automatically - creates a new one. Or you are swapping back and forth between - versions 2.0.7, TNG and the HEAD branch code (not recommended). The - only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->The machine trust account for this computer either does not - exist or is not accessible.</I -></SPAN -> - </P -><P -> When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". What's - wrong? - </P -><P -> This problem is caused by the PDC not having a suitable machine trust account. - If you are using the <VAR -CLASS="PARAMETER" ->add user script</VAR -> method to create - accounts then this would indicate that it has not worked. Ensure the domain - admin user system is working. - </P -><P -> Alternatively if you are creating account entries manually then they - have not been created correctly. Make sure that you have the entry - correct for the machine trust account in smbpasswd file on the Samba PDC. - If you added the account using an editor rather than using the smbpasswd - utility, make sure that the account name is the machine NetBIOS name - with a '$' appended to it ( i.e. computer_name$ ). There must be an entry - in both /etc/passwd and the smbpasswd file. Some people have reported - that inconsistent subnet masks between the Samba server and the NT - client have caused this problem. Make sure that these are consistent - for both client and server. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->When I attempt to login to a Samba Domain from a NT4/W2K workstation, - I get a message about my account being disabled.</I -></SPAN -> - </P -><P -> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is - fixed in 2.2.1. Other symptoms could be unaccessible shares on - NT/W2K member servers in the domain or the following error in your smbd.log: - passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% - </P -><P -> At first be ensure to enable the useraccounts with <B -CLASS="COMMAND" ->smbpasswd -e - %user%</B ->, this is normally done, when you create an account. - </P -><P -> In order to work around this problem in 2.2.0, configure the - <VAR -CLASS="PARAMETER" ->account</VAR -> control flag in - <TT -CLASS="FILENAME" ->/etc/pam.d/samba</TT -> file as follows: - </P -><P -><PRE -CLASS="PROGRAMLISTING" -> account required pam_permit.so - </PRE -></P -><P -> If you want to remain backward compatibility to samba 2.0.x use - <TT -CLASS="FILENAME" ->pam_permit.so</TT ->, it's also possible to use - <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->. There are some bugs if you try to - use <TT -CLASS="FILENAME" ->pam_unix.so</TT ->, if you need this, be ensure to use - the most recent version of this file. - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN944" ->6.6. System Policies and Profiles</A -></H2 -><P ->Much of the information necessary to implement System Policies and -Roving User Profiles in a Samba domain is the same as that for -implementing these same items in a Windows NT 4.0 domain. -You should read the white paper <A -HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" -TARGET="_top" ->Implementing -Profiles and Policies in Windows NT 4.0</A -> available from Microsoft.</P -><P ->Here are some additional details:</P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->What about Windows NT Policy Editor?</I -></SPAN -> - </P -><P -> To create or edit <TT -CLASS="FILENAME" ->ntconfig.pol</TT -> you must use - the NT Server Policy Editor, <B -CLASS="COMMAND" ->poledit.exe</B -> which - is included with NT Server but <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->not NT Workstation</I -></SPAN ->. - There is a Policy Editor on a NTws - but it is not suitable for creating <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Domain Policies</I -></SPAN ->. - Further, although the Windows 95 - Policy Editor can be installed on an NT Workstation/Server, it will not - work with NT policies because the registry key that are set by the policy templates. - However, the files from the NT Server will run happily enough on an NTws. - You need <TT -CLASS="FILENAME" ->poledit.exe, common.adm</TT -> and <TT -CLASS="FILENAME" ->winnt.adm</TT ->. It is convenient - to put the two *.adm files in <TT -CLASS="FILENAME" ->c:\winnt\inf</TT -> which is where - the binary will look for them unless told otherwise. Note also that that - directory is 'hidden'. - </P -><P -> The Windows NT policy editor is also included with the Service Pack 3 (and - later) for Windows NT 4.0. Extract the files using <B -CLASS="COMMAND" ->servicepackname /x</B ->, - i.e. that's <B -CLASS="COMMAND" ->Nt4sp6ai.exe /x</B -> for service pack 6a. The policy editor, - <B -CLASS="COMMAND" ->poledit.exe</B -> and the associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template - files for Office97 and get a copy of the policy editor. Another possible - location is with the Zero Administration Kit available for download from Microsoft. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Can Win95 do Policies?</I -></SPAN -> - </P -><P -> Install the group policy handler for Win9x to pick up group - policies. Look on the Win98 CD in <TT -CLASS="FILENAME" ->\tools\reskit\netadmin\poledit</TT ->. - Install group policies on a Win9x client by double-clicking - <TT -CLASS="FILENAME" ->grouppol.inf</TT ->. Log off and on again a couple of - times and see if Win98 picks up group policies. Unfortunately this needs - to be done on every Win9x machine that uses group policies.... - </P -><P -> If group policies don't work one reports suggests getting the updated - (read: working) grouppol.dll for Windows 9x. The group list is grabbed - from /etc/group. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get 'User Manager' and 'Server Manager'</I -></SPAN -> - </P -><P -> Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager'? - </P -><P -> Microsoft distributes a version of these tools called nexus for - installation on Windows 95 systems. The tools set includes - </P -><P -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P -> Click here to download the archived file <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -> - </P -><P -> The Windows NT 4.0 version of the 'User Manager for - Domains' and 'Server Manager' are available from Microsoft via ftp - from <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A -> - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN988" ->6.7. What other help can I get?</A -></H2 -><P ->There are many sources of information available in the form -of mailing lists, RFC's and documentation. The docs that come -with the samba distribution contain very good explanations of -general SMB topics such as browsing.</P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->What are some diagnostics tools I can use to debug the domain logon - process and where can I find them?</I -></SPAN -> - </P -><P -> One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specify what - 'debug level' at which to run. See the man pages on smbd, nmbd and - smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to 10 (100 for debugging passwords). - </P -><P -> Another helpful method of debugging is to compile samba using the - <B -CLASS="COMMAND" ->gcc -g </B -> flag. This will include debug - information in the binaries and allow you to attach gdb to the - running smbd / nmbd process. In order to attach gdb to an smbd - process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box - is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. - </P -><P -> Some useful samba commands worth investigating: - </P -><P -></P -><UL -><LI -><P ->testparam | more</P -></LI -><LI -><P ->smbclient -L //{netbios name of server}</P -></LI -></UL -><P -> An SMB enabled version of tcpdump is available from - <A -HREF="http://www.tcpdump.org/" -TARGET="_top" ->http://www.tcpdup.org/</A ->. - Ethereal, another good packet sniffer for Unix and Win32 - hosts, can be downloaded from <A -HREF="http://www.ethereal.com/" -TARGET="_top" ->http://www.ethereal.com</A ->. - </P -><P -> For tracing things on the Microsoft Windows NT, Network Monitor - (aka. netmon) is available on the Microsoft Developer Network CD's, - the Windows NT Server install CD and the SMS CD's. The version of - netmon that ships with SMS allows for dumping packets between any two - computers (i.e. placing the network interface in promiscuous mode). - The version on the NT Server install CD will only allow monitoring - of network traffic directed to the local NT box and broadcasts on the - local subnet. Be aware that Ethereal can read and write netmon - formatted files. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I install 'Network Monitor' on an NT Workstation - or a Windows 9x box?</I -></SPAN -> - </P -><P -> Installing netmon on an NT workstation requires a couple - of steps. The following are for installing Netmon V4.00.349, which comes - with Microsoft Windows NT Server 4.0, on Microsoft Windows NT - Workstation 4.0. The process should be similar for other version of - Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD. - </P -><P -> Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. To do this - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add </P -></LI -><LI -><P ->Select the 'Network Monitor Tools and Agent' and - click on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Server 4.0 install CD - when prompted.</P -></LI -></UL -><P -> At this point the Netmon files should exist in - <TT -CLASS="FILENAME" ->%SYSTEMROOT%\System32\netmon\*.*</TT ->. - Two subdirectories exist as well, <TT -CLASS="FILENAME" ->parsers\</TT -> - which contains the necessary DLL's for parsing the netmon packet - dump, and <TT -CLASS="FILENAME" ->captures\</TT ->. - </P -><P -> In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add</P -></LI -><LI -><P ->Select the 'Network Monitor Agent' and click - on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Workstation 4.0 install - CD when prompted.</P -></LI -></UL -><P -> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* - to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set - permissions as you deem appropriate for your site. You will need - administrative rights on the NT box to run netmon. - </P -><P -> To install Netmon on a Windows 9x box install the network monitor agent - from the Windows 9x CD (\admin\nettools\netmon). There is a readme - file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working - Netmon installation. - </P -></LI -><LI -><P -> The following is a list if helpful URLs and other links: - </P -><P -></P -><UL -><LI -><P ->Home of Samba site <A -HREF="http://samba.org" -TARGET="_top" -> http://samba.org</A ->. We have a mirror near you !</P -></LI -><LI -><P -> The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Development</I -></SPAN -> document - on the Samba mirrors might mention your problem. If so, - it might mean that the developers are working on it.</P -></LI -><LI -><P ->See how Scott Merrill simulates a BDC behavior at - <A -HREF="http://www.skippy.net/linux/smb-howto.html" -TARGET="_top" -> http://www.skippy.net/linux/smb-howto.html</A ->. </P -></LI -><LI -><P ->Although 2.0.7 has almost had its day as a PDC, David Bannon will - keep the 2.0.7 PDC pages at <A -HREF="http://bioserve.latrobe.edu.au/samba" -TARGET="_top" -> http://bioserve.latrobe.edu.au/samba</A -> going for a while yet.</P -></LI -><LI -><P ->Misc links to CIFS information - <A -HREF="http://samba.org/cifs/" -TARGET="_top" ->http://samba.org/cifs/</A -></P -></LI -><LI -><P ->NT Domains for Unix <A -HREF="http://mailhost.cb1.com/~lkcl/ntdom/" -TARGET="_top" -> http://mailhost.cb1.com/~lkcl/ntdom/</A -></P -></LI -><LI -><P ->FTP site for older SMB specs: - <A -HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" -TARGET="_top" -> ftp://ftp.microsoft.com/developr/drg/CIFS/</A -></P -></LI -></UL -></LI -></UL -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get help from the mailing lists?</I -></SPAN -> - </P -><P -> There are a number of Samba related mailing lists. Go to <A -HREF="http://samba.org" -TARGET="_top" ->http://samba.org</A ->, click on your nearest mirror - and then click on <B -CLASS="COMMAND" ->Support</B -> and then click on <B -CLASS="COMMAND" -> Samba related mailing lists</B ->. - </P -><P -> For questions relating to Samba TNG go to - <A -HREF="http://www.samba-tng.org/" -TARGET="_top" ->http://www.samba-tng.org/</A -> - It has been requested that you don't post questions about Samba-TNG to the - main stream Samba lists.</P -><P -> If you post a message to one of the lists please observe the following guide lines : - </P -><P -></P -><UL -><LI -><P -> Always remember that the developers are volunteers, they are - not paid and they never guarantee to produce a particular feature at - a particular time. Any time lines are 'best guess' and nothing more. - </P -></LI -><LI -><P -> Always mention what version of samba you are using and what - operating system its running under. You should probably list the - relevant sections of your smb.conf file, at least the options - in [global] that affect PDC support.</P -></LI -><LI -><P ->In addition to the version, if you obtained Samba via - CVS mention the date when you last checked it out.</P -></LI -><LI -><P -> Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html).</P -></LI -><LI -><P -> If you run one of those nifty 'I'm on holidays' things when - you are away, make sure its configured to not answer mailing lists. - </P -></LI -><LI -><P -> Don't cross post. Work out which is the best list to post to - and see what happens, i.e. don't post to both samba-ntdom and samba-technical. - Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more times. - Often someone will see a message and thinking it would be better dealt - with on another, will forward it on for you.</P -></LI -><LI -><P ->You might include <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->partial</I -></SPAN -> - log files written at a debug level set to as much as 20. - Please don't send the entire log but enough to give the context of the - error messages.</P -></LI -><LI -><P ->(Possibly) If you have a complete netmon trace ( from the opening of - the pipe to the error ) you can send the *.CAP file as well.</P -></LI -><LI -><P ->Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. The samba - mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory?</P -></LI -></UL -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get off the mailing lists?</I -></SPAN -> - </P -><P ->To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to <A -HREF="http://lists.samba.org/" -TARGET="_top" ->http://lists.samba.org</A ->, - click on your nearest mirror and then click on <B -CLASS="COMMAND" ->Support</B -> and - then click on <B -CLASS="COMMAND" -> Samba related mailing lists</B ->. Or perhaps see - <A -HREF="http://lists.samba.org/mailman/roster/samba-ntdom" -TARGET="_top" ->here</A -> - </P -><P -> Please don't post messages to the list asking to be removed, you will just - be referred to the above address (unless that process failed in some way...) - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1102" ->6.8. Domain Control for Windows 9x/ME</A -></H2 -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->The following section contains much of the original -DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Special -Edition, Using Samba</I -></SPAN ->, by Richard Sharpe.</P -></TD -></TR -></TABLE -></DIV -><P ->A domain and a workgroup are exactly the same thing in terms of network -browsing. The difference is that a distributable authentication -database is associated with a domain, for secure login access to a -network. Also, different access rights can be granted to users if they -successfully authenticate against a domain logon server (NT server and -other systems based on NT server support this, as does at least Samba TNG now).</P -><P ->The SMB client logging on to a domain has an expectation that every other -server in the domain should accept the same authentication information. -Network browsing functionality of domains and workgroups is -identical and is explained in BROWSING.txt. It should be noted, that browsing -is totally orthogonal to logon support.</P -><P ->Issues related to the single-logon network model are discussed in this -section. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X/ME clients -which will be the focus of this section.</P -><P ->When an SMB client in a domain wishes to logon it broadcast requests for a -logon server. The first one to reply gets the job, and validates its -password using whatever mechanism the Samba administrator has installed. -It is possible (but very stupid) to create a domain where the user -database is not shared between servers, i.e. they are effectively workgroup -servers advertising themselves as participating in a domain. This -demonstrates how authentication is quite different from but closely -involved with domains.</P -><P ->Using these features you can make your clients verify their logon via -the Samba server; make clients run a batch file when they logon to -the network and download their preferences, desktop and start menu.</P -><P ->Before launching into the configuration instructions, it is -worthwhile lookingat how a Windows 9x/ME client performs a logon:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the - NetBIOS layer. The client chooses the first response it receives, which - contains the NetBIOS name of the logon server to use in the format of - \\SERVER. - </P -></LI -><LI -><P -> The client then connects to that server, logs on (does an SMBsessetupX) and - then connects to the IPC$ share (using an SMBtconX). - </P -></LI -><LI -><P -> The client then does a NetWkstaUserLogon request, which retrieves the name - of the user's logon script. - </P -></LI -><LI -><P -> The client then connects to the NetLogon share and searches for this - and if it is found and can be read, is retrieved and executed by the client. - After this, the client disconnects from the NetLogon share. - </P -></LI -><LI -><P -> The client then sends a NetUserGetInfo request to the server, to retrieve - the user's home share, which is used to search for profiles. Since the - response to the NetUserGetInfo request does not contain much more - the user's home share, profiles for Win9X clients MUST reside in the user - home directory. - </P -></LI -><LI -><P -> The client then connects to the user's home share and searches for the - user's profile. As it turns out, you can specify the user's home share as - a sharename and path. For example, \\server\fred\.profile. - If the profiles are found, they are implemented. - </P -></LI -><LI -><P -> The client then disconnects from the user's home share, and reconnects to - the NetLogon share and looks for CONFIG.POL, the policies file. If this is - found, it is read and implemented. - </P -></LI -></OL -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1128" ->6.8.1. Configuration Instructions: Network Logons</A -></H3 -><P ->The main difference between a PDC and a Windows 9x logon -server configuration is that</P -><P -></P -><UL -><LI -><P ->Password encryption is not required for a Windows 9x logon server.</P -></LI -><LI -><P ->Windows 9x/ME clients do not possess machine trust accounts.</P -></LI -></UL -><P ->Therefore, a Samba PDC will also act as a Windows 9x logon -server.</P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->security mode and master browsers</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->There are a few comments to make in order to tie up some -loose ends. There has been much debate over the issue of whether -or not it is ok to configure Samba as a Domain Controller in security -modes other than <CODE -CLASS="CONSTANT" ->USER</CODE ->. The only security mode -which will not work due to technical reasons is <CODE -CLASS="CONSTANT" ->SHARE</CODE -> -mode security. <CODE -CLASS="CONSTANT" ->DOMAIN</CODE -> and <CODE -CLASS="CONSTANT" ->SERVER</CODE -> -mode security is really just a variation on SMB user level security.</P -><P ->Actually, this issue is also closely tied to the debate on whether -or not Samba must be the domain master browser for its workgroup -when operating as a DC. While it may technically be possible -to configure a server as such (after all, browsing and domain logons -are two distinctly different functions), it is not a good idea to -so. You should remember that the DC must register the DOMAIN#1b NetBIOS -name. This is the name used by Windows clients to locate the DC. -Windows clients do not distinguish between the DC and the DMB. -For this reason, it is very wise to configure the Samba DC as the DMB.</P -><P ->Now back to the issue of configuring a Samba DC to use a mode other -than "security = user". If a Samba host is configured to use -another SMB server or DC in order to validate user connection -requests, then it is a fact that some other machine on the network -(the "password server") knows more about user than the Samba host. -99% of the time, this other host is a domain controller. Now -in order to operate in domain mode security, the "workgroup" parameter -must be set to the name of the Windows NT domain (which already -has a domain controller, right?)</P -><P ->Therefore configuring a Samba box as a DC for a domain that -already by definition has a PDC is asking for trouble. -Therefore, you should always configure the Samba DC to be the DMB -for its domain.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1147" ->6.8.2. Configuration Instructions: Setting up Roaming User Profiles</A -></H3 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE!</I -></SPAN -> Roaming profiles support is different -for Win9X and WinNT.</P -></TD -></TR -></TABLE -></DIV -><P ->Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features.</P -><P ->Win9X clients send a NetUserGetInfo request to the server to get the user's -profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory.</P -><P ->WinNT clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1155" ->6.8.2.1. Windows NT Configuration</A -></H4 -><P ->To support WinNT clients, in the [global] section of smb.conf set the -following (for example):</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE -></P -><P ->The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable. </P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 26aug96 - we have discovered a problem where Windows clients can -maintain a connection to the [homes] share in between logins. The -[homes] share must NOT therefore be used in a profile path.]</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1163" ->6.8.2.2. Windows 9X Configuration</A -></H4 -><P ->To support Win9X clients, you must use the "logon home" parameter. Samba has -now been fixed so that "net use/home" now works as well, and it, too, relies -on the "logon home" parameter.</P -><P ->By using the logon home parameter, you are restricted to putting Win9X -profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles</PRE -></P -><P ->then your Win9X clients will dutifully put their clients in a subdirectory -of your home directory called .profiles (thus making them hidden).</P -><P ->Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area -and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for "logon home".</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1171" ->6.8.2.3. Win9X and WinNT Configuration</A -></H4 -><P ->You can support profiles for both Win9X and WinNT clients by setting both the -"logon home" and "logon path" parameters. For example:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U</PRE -></P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I have not checked what 'net use /home' does on NT when "logon home" is -set as above.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1178" ->6.8.2.4. Windows 9X Profile Setup</A -></H4 -><P ->When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders "Start Menu", "Desktop", "Programs" and "Nethood". -These directories and their contents will be merged with the local -versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options "preserve case = yes", "short preserve case = yes" and -"case sensitive = no" in order to maintain capital letters in shortcuts -in any of the profile folders.</P -><P ->The user.DAT file contains all the user's preferences. If you wish to -enforce a set of preferences, rename their user.DAT file to user.MAN, -and deny them write access to this file.</P -><P -></P -><OL -TYPE="1" -><LI -><P -> On the Windows 95 machine, go to Control Panel | Passwords and - select the User Profiles tab. Select the required level of - roaming preferences. Press OK, but do _not_ allow the computer - to reboot. - </P -></LI -><LI -><P -> On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to - NT Domain'. Then, ensure that the Primary Logon is 'Client for - Microsoft Networks'. Press OK, and this time allow the computer - to reboot. - </P -></LI -></OL -><P ->Under Windows 95, Profiles are downloaded from the Primary Logon. -If you have the Primary Logon as 'Client for Novell Networks', then -the profiles and logon script will be downloaded from your Novell -Server. If you have the Primary Logon as 'Windows Logon', then the -profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me.</P -><P ->You will now find that the Microsoft Networks Login box contains -[user, password, domain] instead of just [user, password]. Type in -the samba server's domain name (or any other domain known to exist, -but bear in mind that the user will be authenticated against this -domain and profiles downloaded from it, if that domain logon server -supports it), user name and user's password.</P -><P ->Once the user has been successfully validated, the Windows 95 machine -will inform you that 'The user has not logged on before' and asks you -if you wish to save the user's preferences? Select 'yes'.</P -><P ->Once the Windows 95 client comes up with the desktop, you should be able -to examine the contents of the directory specified in the "logon path" -on the samba server and verify that the "Desktop", "Start Menu", -"Programs" and "Nethood" folders have been created.</P -><P ->These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). -You will find that if the user creates further folders or short-cuts, -that the client will merge the profile contents downloaded with the -contents of the profile directory already on the local client, taking -the newest folders and short-cuts from each set.</P -><P ->If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as -it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the Unix file -permissions and ownership rights on the profile directory contents, -on the samba server.</P -><P ->If you have problems creating user profiles, you can reset the user's -local desktop cache, as shown below. When this user then next logs in, -they will be told that they are logging in "for the first time".</P -><P -></P -><OL -TYPE="1" -><LI -><P -> instead of logging in under the [user, password, domain] dialog, - press escape. - </P -></LI -><LI -><P -> run the regedit.exe program, and look in: - </P -><P -> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList - </P -><P -> you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be c:\windows\profiles\username), - then delete the key ProfilePath for the required user. - </P -><P -> [Exit the registry editor]. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->WARNING</I -></SPAN -> - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). - </P -><P -> This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. - </P -></LI -><LI -><P -> search for the user's .PWL password-caching file in the c:\windows - directory, and delete it. - </P -></LI -><LI -><P -> log off the windows 95 client. - </P -></LI -><LI -><P -> check the contents of the profile path (see "logon path" described - above), and delete the user.DAT or user.MAN file for the user, - making a backup if required. - </P -></LI -></OL -><P ->If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports.</P -><P ->If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the -differences are with the equivalent samba trace.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1214" ->6.8.2.5. Windows NT Workstation 4.0</A -></H4 -><P ->When a user first logs in to a Windows NT Workstation, the profile -NTuser.DAT is created. The profile location can be now specified -through the "logon path" parameter. </P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 10aug97 - i tried setting the path to -\\samba-server\homes\profile, and discovered that this fails because -a background process maintains the connection to the [homes] share -which does _not_ close down in between user logins. you have to -have \\samba-server\%L\profile, where user is the username created -from the [homes] share].</P -></TD -></TR -></TABLE -></DIV -><P ->There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and -should be used in conjunction with the new "logon home" parameter.</P -><P ->The entry for the NT 4.0 profile is a _directory_ not a file. The NT -help on profiles mentions that a directory is also created with a .PDS -extension. The user, while logging in, must have write permission to -create the full profile path (and the folder with the .PDS extension) -[lkcl 10aug97 - i found that the creation of the .PDS directory failed, -and had to create these manually for each user, with a shell script. -also, i presume, but have not tested, that the full profile path must -be browseable just as it is for w95, due to the manner in which they -attempt to create the full profile path: test existence of each path -component; create path component].</P -><P ->In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", -"Start Menu" and "Programs". The profile itself is stored in a file -NTuser.DAT. Nothing appears to be stored in the .PDS directory, and -its purpose is currently unknown.</P -><P ->You can use the System Control Panel to copy a local profile onto -a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the System Control Panel for you). The -NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN -turns a profile into a mandatory one.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 10aug97 - i notice that NT Workstation tells me that it is -downloading a profile from a slow link. whether this is actually the -case, or whether there is some configuration issue, as yet unknown, -that makes NT Workstation _think_ that the link is a slow one is a -matter to be resolved].</P -><P ->[lkcl 20aug97 - after samba digest correspondence, one user found, and -another confirmed, that profiles cannot be loaded from a samba server -unless "security = user" and "encrypt passwords = yes" (see the file -ENCRYPTION.txt) or "security = server" and "password server = ip.address. -of.yourNTserver" are used. Either of these options will allow the NT -workstation to access the samba server using LAN manager encrypted -passwords, without the user intervention normally required by NT -workstation for clear-text passwords].</P -><P ->[lkcl 25aug97 - more comments received about NT profiles: the case of -the profile _matters_. the file _must_ be called NTuser.DAT or, for -a mandatory profile, NTuser.MAN].</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1227" ->6.8.2.6. Windows NT Server</A -></H4 -><P ->There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1230" ->6.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A -></H4 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->Potentially outdated or incorrect material follows</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I think this is all bogus, but have not deleted it. (Richard Sharpe)</P -></TD -></TR -></TABLE -></DIV -><P ->The default logon path is \\%N\%U. NT Workstation will attempt to create -a directory "\\samba-server\username.PDS" if you specify the logon path -as "\\samba-server\username" with the NT User Manager. Therefore, you -will need to specify (for example) "\\samba-server\username\profile". -NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which -is more likely to succeed.</P -><P ->If you then want to share the same Start Menu / Desktop with W95, you will -need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 -this has its drawbacks: i created a shortcut to telnet.exe, which attempts -to run from the c:\winnt\system32 directory. this directory is obviously -unlikely to exist on a Win95-only host].</P -><P -> If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 25aug97 - there are some issues to resolve with downloading of -NT profiles, probably to do with time/date stamps. i have found that -NTuser.DAT is never updated on the workstation after the first time that -it is copied to the local workstation profile directory. this is in -contrast to w95, where it _does_ transfer / update profiles correctly].</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1240" ->6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></H2 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->Possibly Outdated Material</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> This appendix was originally authored by John H Terpstra of - the Samba Team and is included here for posterity. - </P -></TD -></TR -></TABLE -></DIV -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE :</I -></SPAN -> -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM.</P -><P ->Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller). -The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT.</P -><P ->To many people these terms can be confusing, so let's try to clear the air.</P -><P ->Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialization information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system.</P -><P ->The registry files can be located on any Windows NT machine by opening a -command prompt and typing:</P -><P -><SAMP -CLASS="PROMPT" ->C:\WINNT\></SAMP -> dir %SystemRoot%\System32\config</P -><P ->The environment variable %SystemRoot% value can be obtained by typing:</P -><P -><SAMP -CLASS="PROMPT" ->C:\WINNT></SAMP ->echo %SystemRoot%</P -><P ->The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security.</P -><P ->In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each.</P -><P ->The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do.</P -><P ->The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on.</P -><P ->Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers.</P -><P ->The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (i.e. to ensure that the service action a user has -requested is permitted within the limits of that user's privileges).</P -><P ->The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems.</P -><P ->Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. Almost every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC).</P -><P ->The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SAMBA-BDC" -></A ->Chapter 7. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1276" ->7.1. Prerequisite Reading</A -></H2 -><P ->Before you continue reading in this chapter, please make sure -that you are comfortable with configuring a Samba PDC -as described in the <A -HREF="Samba-PDC-HOWTO.html" -TARGET="_top" ->Samba-PDC-HOWTO</A ->.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1280" ->7.2. Background</A -></H2 -><P ->What is a Domain Controller? It is a machine that is able to answer -logon requests from workstations in a Windows NT Domain. Whenever a -user logs into a Windows NT Workstation, the workstation connects to a -Domain Controller and asks him whether the username and password the -user typed in is correct. The Domain Controller replies with a lot of -information about the user, for example the place where the users -profile is stored, the users full name of the user. All this -information is stored in the NT user database, the so-called SAM.</P -><P ->There are two kinds of Domain Controller in a NT 4 compatible Domain: -A Primary Domain Controller (PDC) and one or more Backup Domain -Controllers (BDC). The PDC contains the master copy of the -SAM. Whenever the SAM has to change, for example when a user changes -his password, this change has to be done on the PDC. A Backup Domain -Controller is a machine that maintains a read-only copy of the -SAM. This way it is able to reply to logon requests and authenticate -users in case the PDC is not available. During this time no changes to -the SAM are possible. Whenever changes to the SAM are done on the PDC, -all BDC receive the changes from the PDC.</P -><P ->Since version 2.2 Samba officially supports domain logons for all -current Windows Clients, including Windows 2000 and XP. This text -assumes the domain to be named SAMBA. To be able to act as a PDC, some -parameters in the [global]-section of the smb.conf have to be set:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->workgroup = SAMBA -domain master = yes -domain logons = yes</PRE -></P -><P ->Several other things like a [homes] and a [netlogon] share also may be -set along with settings for the profile path, the users home drive and -others. This will not be covered in this document.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1288" ->7.3. What qualifies a Domain Controller on the network?</A -></H2 -><P ->Every machine that is a Domain Controller for the domain SAMBA has to -register the NetBIOS group name SAMBA#1c with the WINS server and/or -by broadcast on the local network. The PDC also registers the unique -NetBIOS name SAMBA#1b with the WINS server. The name type #1b is -normally reserved for the domain master browser, a role that has -nothing to do with anything related to authentication, but the -Microsoft Domain implementation requires the domain master browser to -be on the same machine as the PDC.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1291" ->7.3.1. How does a Workstation find its domain controller?</A -></H3 -><P ->A NT workstation in the domain SAMBA that wants a local user to be -authenticated has to find the domain controller for SAMBA. It does -this by doing a NetBIOS name query for the group name SAMBA#1c. It -assumes that each of the machines it gets back from the queries is a -domain controller and can answer logon requests. To not open security -holes both the workstation and the selected (TODO: How is the DC -chosen) domain controller authenticate each other. After that the -workstation sends the user's credentials (his name and password) to -the domain controller, asking for approval.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1294" ->7.3.2. When is the PDC needed?</A -></H3 -><P ->Whenever a user wants to change his password, this has to be done on -the PDC. To find the PDC, the workstation does a NetBIOS name query -for SAMBA#1b, assuming this machine maintains the master copy of the -SAM. The workstation contacts the PDC, both mutually authenticate and -the password change is done.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1297" ->7.4. Can Samba be a Backup Domain Controller to an NT PDC?</A -></H2 -><P ->With version 2.2, no. The native NT SAM replication protocols have -not yet been fully implemented. The Samba Team is working on -understanding and implementing the protocols, but this work has not -been finished for version 2.2.</P -><P ->With version 3.0, the work on both the replication protocols and a -suitable storage mechanism has progressed, and some form of NT4 BDC -support is expected soon.</P -><P ->Can I get the benefits of a BDC with Samba? Yes. The main reason for -implementing a BDC is availability. If the PDC is a Samba machine, -a second Samba machine can be set up to -service logon requests whenever the PDC is down.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1302" ->7.5. How do I set up a Samba BDC?</A -></H2 -><P ->Several things have to be done:</P -><P -></P -><UL -><LI -><P ->The domain SID has to be the same on the PDC and the BDC. This used to -be stored in the file private/MACHINE.SID. This file is not created -anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is -stored in the file private/secrets.tdb. Simply copying the secrets.tdb -from the PDC to the BDC does not work, as the BDC would -generate a new SID for itself and override the domain SID with this -new BDC SID.</P -><P ->To retrieve the domain SID from the PDC or an existing BDC and store it in the -secrets.tdb, execute 'net rpc getsid' on the BDC.</P -></LI -><LI -><P ->The Unix user database has to be synchronized from the PDC to the -BDC. This means that both the /etc/passwd and /etc/group have to be -replicated from the PDC to the BDC. This can be done manually -whenever changes are made, or the PDC is set up as a NIS master -server and the BDC as a NIS slave server. To set up the BDC as a -mere NIS client would not be enough, as the BDC would not be able to -access its user database in case of a PDC failure.</P -></LI -><LI -><P ->The Samba password database in the file private/smbpasswd has to be -replicated from the PDC to the BDC. This is a bit tricky, see the -next section.</P -></LI -><LI -><P ->Any netlogon share has to be replicated from the PDC to the -BDC. This can be done manually whenever login scripts are changed, -or it can be done automatically together with the smbpasswd -synchronization.</P -></LI -></UL -><P ->Finally, the BDC has to be found by the workstations. This can be done -by setting</P -><P -><PRE -CLASS="PROGRAMLISTING" ->workgroup = samba -domain master = no -domain logons = yes</PRE -></P -><P ->in the [global]-section of the smb.conf of the BDC. This makes the BDC -only register the name SAMBA#1c with the WINS server. This is no -problem as the name SAMBA#1c is a NetBIOS group name that is meant to -be registered by more than one machine. The parameter 'domain master = -no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS -name is reserved for the Primary Domain Controller.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1319" ->7.5.1. How do I replicate the smbpasswd file?</A -></H3 -><P ->Replication of the smbpasswd file is sensitive. It has to be done -whenever changes to the SAM are made. Every user's password change is -done in the smbpasswd file and has to be replicated to the BDC. So -replicating the smbpasswd file very often is necessary.</P -><P ->As the smbpasswd file contains plain text password equivalents, it -must not be sent unencrypted over the wire. The best way to set up -smbpasswd replication from the PDC to the BDC is to use the utility -rsync. rsync can use ssh as a transport. ssh itself can be set up to -accept *only* rsync transfer without requiring the user to type a -password.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1323" ->7.5.2. Can I do this all with LDAP?</A -></H3 -><P ->The simple answer is YES. Samba's pdb_ldap code supports -binding to a replica LDAP server, and will also follow referrals and -rebind to the master if it ever needs to make a modification to the -database. (Normally BDCs are read only, so this will not occur -often).</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="ADS" -></A ->Chapter 8. Samba as a ADS domain member</H1 -><P ->This is a rough guide to setting up Samba 3.0 with kerberos authentication against a -Windows2000 KDC. </P -><P ->Pieces you need before you begin:</P -><P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->a Windows 2000 server.</TD -></TR -><TR -><TD ->samba 3.0 or higher.</TD -></TR -><TR -><TD ->the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD -></TR -><TR -><TD ->the OpenLDAP development libraries.</TD -></TR -></TBODY -></TABLE -><P -></P -></P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1341" ->8.1. Installing the required packages for Debian</A -></H2 -><P ->On Debian you need to install the following packages:</P -><P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->libkrb5-dev</TD -></TR -><TR -><TD ->krb5-user</TD -></TR -></TBODY -></TABLE -><P -></P -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1348" ->8.2. Installing the required packages for RedHat</A -></H2 -><P ->On RedHat this means you should have at least: </P -><P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->krb5-workstation (for kinit)</TD -></TR -><TR -><TD ->krb5-libs (for linking with)</TD -></TR -><TR -><TD ->krb5-devel (because you are compiling from source)</TD -></TR -></TBODY -></TABLE -><P -></P -></P -><P ->in addition to the standard development environment.</P -><P ->Note that these are not standard on a RedHat install, and you may need -to get them off CD2.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1358" ->8.3. Compile Samba</A -></H2 -><P ->If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR.</P -><P ->After you run configure make sure that include/config.h it - generates contains - lines like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#define HAVE_KRB5 1 -#define HAVE_LDAP 1</PRE -></P -><P ->If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it.</P -><P ->Then compile and install Samba as usual. You must use at least the - following 3 options in smb.conf:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes</PRE -></P -><P ->In case samba can't figure out your ads server using your realm name, use the -<B -CLASS="COMMAND" ->ads server</B -> option in <TT -CLASS="FILENAME" ->smb.conf</TT ->: -<PRE -CLASS="PROGRAMLISTING" -> ads server = your.kerberos.server</PRE -></P -><P ->You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above - required options will change soon when we get better active - directory integration.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1373" ->8.4. Setup your /etc/krb5.conf</A -></H2 -><P ->The minimal configuration for krb5.conf is:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - }</PRE -></P -><P ->Test your config by doing a "kinit USERNAME@REALM" and making sure that - your password is accepted by the Win2000 KDC. </P -><P ->NOTE: The realm must be uppercase. </P -><P ->You also must ensure that you can do a reverse DNS lookup on the IP -address of your KDC. Also, the name that this reverse lookup maps to -must either be the netbios name of the KDC (ie. the hostname with no -domain attached) or it can alternatively be the netbios name -followed by the realm. </P -><P ->The easiest way to ensure you get this right is to add a /etc/hosts -entry mapping the IP address of your KDC to its netbios name. If you -don't get this right then you will get a "local error" when you try -to join the realm.</P -><P ->If all you want is kerberos support in smbclient then you can skip -straight to step 5 now. Step 3 is only needed if you want kerberos -support for smbd and winbindd.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1383" ->8.5. Create the computer account</A -></H2 -><P ->As a user that has write permission on the Samba private directory -(usually root) run: -<B -CLASS="COMMAND" ->net ads join</B -></P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1387" ->8.5.1. Possible errors</A -></H3 -><P -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->"ADS support not compiled in"</DT -><DD -><P ->Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P -></DD -></DL -></DIV -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1395" ->8.6. Test your server setup</A -></H2 -><P ->On a Windows 2000 client try <B -CLASS="COMMAND" ->net use * \\server\share</B ->. You should -be logged in with kerberos without needing to know a password. If -this fails then run <B -CLASS="COMMAND" ->klist tickets</B ->. Did you get a ticket for the -server? Does it have an encoding type of DES-CBC-MD5 ? </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1400" ->8.7. Testing with smbclient</A -></H2 -><P ->On your Samba server try to login to a Win2000 server or your Samba -server using smbclient and kerberos. Use smbclient as usual, but -specify the -k option to choose kerberos authentication.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1403" ->8.8. Notes</A -></H2 -><P ->You must change administrator password at least once after DC install, - to create the right encoding types</P -><P ->w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in - their defaults DNS setup. Maybe fixed in service packs?</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="DOMAIN-SECURITY" -></A ->Chapter 9. Samba as a NT4 or Win2k domain member</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1425" ->9.1. Joining an NT Domain with Samba 3.0</A -></H2 -><P ->Assume you have a Samba 3.0 server with a NetBIOS name of - <CODE -CLASS="CONSTANT" ->SERV1</CODE -> and are joining an or Win2k NT domain called - <CODE -CLASS="CONSTANT" ->DOM</CODE ->, which has a PDC with a NetBIOS name - of <CODE -CLASS="CONSTANT" ->DOMPDC</CODE -> and two backup domain controllers - with NetBIOS names <CODE -CLASS="CONSTANT" ->DOMBDC1</CODE -> and <CODE -CLASS="CONSTANT" ->DOMBDC2 - </CODE ->.</P -><P ->Firstly, you must edit your <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5)</TT -> - </A -> file to tell Samba it should now use domain security.</P -><P ->Change (or add) your <A -HREF="smb.conf.5.html#SECURITY" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->security =</VAR -></A -> line in the [global] section - of your smb.conf to read:</P -><P -><B -CLASS="COMMAND" ->security = domain</B -> or - <B -CLASS="COMMAND" ->security = ads</B -> depending on if the PDC is - NT4 or running Active Directory respectivly.</P -><P ->Next change the <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> workgroup =</VAR -></A -> line in the [global] section to read: </P -><P -><B -CLASS="COMMAND" ->workgroup = DOM</B -></P -><P ->as this is the name of the domain we are joining. </P -><P ->You must also have the parameter <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->encrypt passwords</VAR -></A -> set to <CODE -CLASS="CONSTANT" ->yes - </CODE -> in order for your users to authenticate to the NT PDC.</P -><P ->Finally, add (or modify) a <A -HREF="smb.conf.5.html#PASSWORDSERVER" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->password server =</VAR -></A -> line in the [global] - section to read: </P -><P -><B -CLASS="COMMAND" ->password server = DOMPDC DOMBDC1 DOMBDC2</B -></P -><P ->These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers.</P -><P ->Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be :</P -><P -><B -CLASS="COMMAND" ->password server = *</B -></P -><P ->This method, allows Samba to use exactly the same - mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against.</P -><P ->In order to actually join the domain, you must run this - command:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->net join -S DOMPDC - -U<VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -></KBD -></P -><P ->as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</P -><P -><SAMP -CLASS="COMPUTEROUTPUT" ->Joined domain DOM.</SAMP -> - or <SAMP -CLASS="COMPUTEROUTPUT" ->Joined 'SERV1' to realm 'MYREALM'</SAMP -> - </P -><P ->in your terminal window. See the <A -HREF="net.8.html" -TARGET="_top" -> net(8)</A -> man page for more details.</P -><P ->This process joins the server to thedomain - without having to create the machine trust account on the PDC - beforehand.</P -><P ->This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/secrets.tdb</TT -></P -><P ->This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</P -><P ->Finally, restart your Samba daemons and get ready for - clients to begin using domain security!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1480" ->9.2. Samba and Windows 2000 Domains</A -></H2 -><P ->Many people have asked regarding the state of Samba's ability to participate in -a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode. The steps above apply -to both NT4 and Windows 2000.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1483" ->9.3. Why is this better than security = server?</A -></H2 -><P ->Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user <CODE -CLASS="CONSTANT" ->DOM\fred - </CODE -> attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - <A -HREF="smb.conf.5.html#SECURITYEQUALSSERVER" -TARGET="_top" ->security = server</A ->, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. - </P -><P ->Please refer to the <A -HREF="winbind.html" -TARGET="_top" ->Winbind - paper</A -> for information on a system to automatically - assign UNIX uids and gids to Windows NT Domain users and groups. - This code is available in development branches only at the moment, - but will be moved to release branches soon.</P -><P ->The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC.</P -><P ->In addition, with <B -CLASS="COMMAND" ->security = server</B -> every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With <B -CLASS="COMMAND" ->security = domain</B ->, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources.</P -><P ->And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. </P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE:</I -></SPAN -> Much of the text of this document - was first published in the Web magazine <A -HREF="http://www.linuxworld.com" -TARGET="_top" -> - LinuxWorld</A -> as the article <A -HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" -TARGET="_top" ->Doing - the NIS/NT Samba</A ->.</P -></DIV -></DIV -></DIV -><DIV -CLASS="PART" -><A -NAME="OPTIONAL" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" ->III. Optional configuration</H1 -><DIV -CLASS="PARTINTRO" -><A -NAME="AEN1501" -></A -><H1 ->Introduction</H1 -><P ->Samba has several features that you might want or might not want to use. The chapters in this -part each cover one specific feature.</P -></DIV -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->10. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1515" ->Agenda</A -></DT -><DT ->10.2. <A -HREF="#AEN1537" ->Name Resolution in a pure Unix/Linux world</A -></DT -><DD -><DL -><DT ->10.2.1. <A -HREF="#AEN1553" -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></A -></DT -><DT ->10.2.2. <A -HREF="#AEN1569" -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A -></DT -><DT ->10.2.3. <A -HREF="#AEN1580" -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A -></DT -><DT ->10.2.4. <A -HREF="#AEN1588" -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A -></DT -></DL -></DD -><DT ->10.3. <A -HREF="#AEN1600" ->Name resolution as used within MS Windows networking</A -></DT -><DD -><DL -><DT ->10.3.1. <A -HREF="#AEN1612" ->The NetBIOS Name Cache</A -></DT -><DT ->10.3.2. <A -HREF="#AEN1617" ->The LMHOSTS file</A -></DT -><DT ->10.3.3. <A -HREF="#AEN1625" ->HOSTS file</A -></DT -><DT ->10.3.4. <A -HREF="#AEN1630" ->DNS Lookup</A -></DT -><DT ->10.3.5. <A -HREF="#AEN1633" ->WINS Lookup</A -></DT -></DL -></DD -><DT ->10.4. <A -HREF="#AEN1645" ->How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></DT -><DT ->10.5. <A -HREF="#AEN1655" ->MS Windows security options and how to configure -Samba for seemless integration</A -></DT -><DD -><DL -><DT ->10.5.1. <A -HREF="#AEN1683" ->Use MS Windows NT as an authentication server</A -></DT -><DT ->10.5.2. <A -HREF="#AEN1691" ->Make Samba a member of an MS Windows NT security domain</A -></DT -><DT ->10.5.3. <A -HREF="#AEN1708" ->Configure Samba as an authentication server</A -></DT -></DL -></DD -><DT ->10.6. <A -HREF="#AEN1725" ->Conclusions</A -></DT -></DL -></DD -><DT ->11. <A -HREF="#UNIX-PERMISSIONS" ->UNIX Permission Bits and Windows NT Access Control Lists</A -></DT -><DD -><DL -><DT ->11.1. <A -HREF="#AEN1746" ->Viewing and changing UNIX permissions using the NT - security dialogs</A -></DT -><DT ->11.2. <A -HREF="#AEN1750" ->How to view file security on a Samba share</A -></DT -><DT ->11.3. <A -HREF="#AEN1761" ->Viewing file ownership</A -></DT -><DT ->11.4. <A -HREF="#AEN1781" ->Viewing file or directory permissions</A -></DT -><DD -><DL -><DT ->11.4.1. <A -HREF="#AEN1796" ->File Permissions</A -></DT -><DT ->11.4.2. <A -HREF="#AEN1810" ->Directory Permissions</A -></DT -></DL -></DD -><DT ->11.5. <A -HREF="#AEN1817" ->Modifying file or directory permissions</A -></DT -><DT ->11.6. <A -HREF="#AEN1839" ->Interaction with the standard Samba create mask - parameters</A -></DT -><DT ->11.7. <A -HREF="#AEN1903" ->Interaction with the standard Samba file attribute - mapping</A -></DT -></DL -></DD -><DT ->12. <A -HREF="#PAM" ->Configuring PAM for distributed but centrally -managed authentication</A -></DT -><DD -><DL -><DT ->12.1. <A -HREF="#AEN1924" ->Samba and PAM</A -></DT -><DT ->12.2. <A -HREF="#AEN1968" ->Distributed Authentication</A -></DT -><DT ->12.3. <A -HREF="#AEN1975" ->PAM Configuration in smb.conf</A -></DT -></DL -></DD -><DT ->13. <A -HREF="#MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1995" ->Instructions</A -></DT -><DD -><DL -><DT ->13.1.1. <A -HREF="#AEN2030" ->Notes</A -></DT -></DL -></DD -></DL -></DD -><DT ->14. <A -HREF="#PRINTING" ->Printing Support</A -></DT -><DD -><DL -><DT ->14.1. <A -HREF="#AEN2056" ->Introduction</A -></DT -><DT ->14.2. <A -HREF="#AEN2078" ->Configuration</A -></DT -><DD -><DL -><DT ->14.2.1. <A -HREF="#AEN2086" ->Creating [print$]</A -></DT -><DT ->14.2.2. <A -HREF="#AEN2121" ->Setting Drivers for Existing Printers</A -></DT -><DT ->14.2.3. <A -HREF="#AEN2137" ->Support a large number of printers</A -></DT -><DT ->14.2.4. <A -HREF="#AEN2148" ->Adding New Printers via the Windows NT APW</A -></DT -><DT ->14.2.5. <A -HREF="#AEN2178" ->Samba and Printer Ports</A -></DT -></DL -></DD -><DT ->14.3. <A -HREF="#AEN2186" ->The Imprints Toolset</A -></DT -><DD -><DL -><DT ->14.3.1. <A -HREF="#AEN2190" ->What is Imprints?</A -></DT -><DT ->14.3.2. <A -HREF="#AEN2200" ->Creating Printer Driver Packages</A -></DT -><DT ->14.3.3. <A -HREF="#AEN2203" ->The Imprints server</A -></DT -><DT ->14.3.4. <A -HREF="#AEN2207" ->The Installation Client</A -></DT -></DL -></DD -><DT ->14.4. <A -HREF="#AEN2229" ->Diagnosis</A -></DT -><DD -><DL -><DT ->14.4.1. <A -HREF="#AEN2231" ->Introduction</A -></DT -><DT ->14.4.2. <A -HREF="#AEN2247" ->Debugging printer problems</A -></DT -><DT ->14.4.3. <A -HREF="#AEN2256" ->What printers do I have?</A -></DT -><DT ->14.4.4. <A -HREF="#AEN2264" ->Setting up printcap and print servers</A -></DT -><DT ->14.4.5. <A -HREF="#AEN2292" ->Job sent, no output</A -></DT -><DT ->14.4.6. <A -HREF="#AEN2303" ->Job sent, strange output</A -></DT -><DT ->14.4.7. <A -HREF="#AEN2315" ->Raw PostScript printed</A -></DT -><DT ->14.4.8. <A -HREF="#AEN2318" ->Advanced Printing</A -></DT -><DT ->14.4.9. <A -HREF="#AEN2321" ->Real debugging</A -></DT -></DL -></DD -></DL -></DD -><DT ->15. <A -HREF="#WINBIND" ->Unified Logons between Windows NT and UNIX using Winbind</A -></DT -><DD -><DL -><DT ->15.1. <A -HREF="#AEN2362" ->Abstract</A -></DT -><DT ->15.2. <A -HREF="#AEN2366" ->Introduction</A -></DT -><DT ->15.3. <A -HREF="#AEN2379" ->What Winbind Provides</A -></DT -><DD -><DL -><DT ->15.3.1. <A -HREF="#AEN2386" ->Target Uses</A -></DT -></DL -></DD -><DT ->15.4. <A -HREF="#AEN2390" ->How Winbind Works</A -></DT -><DD -><DL -><DT ->15.4.1. <A -HREF="#AEN2395" ->Microsoft Remote Procedure Calls</A -></DT -><DT ->15.4.2. <A -HREF="#AEN2399" ->Microsoft Active Directory Services</A -></DT -><DT ->15.4.3. <A -HREF="#AEN2402" ->Name Service Switch</A -></DT -><DT ->15.4.4. <A -HREF="#AEN2418" ->Pluggable Authentication Modules</A -></DT -><DT ->15.4.5. <A -HREF="#AEN2426" ->User and Group ID Allocation</A -></DT -><DT ->15.4.6. <A -HREF="#AEN2430" ->Result Caching</A -></DT -></DL -></DD -><DT ->15.5. <A -HREF="#AEN2433" ->Installation and Configuration</A -></DT -><DD -><DL -><DT ->15.5.1. <A -HREF="#AEN2438" ->Introduction</A -></DT -><DT ->15.5.2. <A -HREF="#AEN2451" ->Requirements</A -></DT -><DT ->15.5.3. <A -HREF="#AEN2465" ->Testing Things Out</A -></DT -></DL -></DD -><DT ->15.6. <A -HREF="#AEN2690" ->Limitations</A -></DT -><DT ->15.7. <A -HREF="#AEN2700" ->Conclusion</A -></DT -></DL -></DD -><DT ->16. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A -></DT -><DD -><DL -><DT ->16.1. <A -HREF="#AEN2710" ->Overview of browsing</A -></DT -><DT ->16.2. <A -HREF="#AEN2715" ->Browsing support in samba</A -></DT -><DT ->16.3. <A -HREF="#AEN2723" ->Problem resolution</A -></DT -><DT ->16.4. <A -HREF="#AEN2732" ->Browsing across subnets</A -></DT -><DD -><DL -><DT ->16.4.1. <A -HREF="#AEN2737" ->How does cross subnet browsing work ?</A -></DT -></DL -></DD -><DT ->16.5. <A -HREF="#AEN2772" ->Setting up a WINS server</A -></DT -><DT ->16.6. <A -HREF="#AEN2791" ->Setting up Browsing in a WORKGROUP</A -></DT -><DT ->16.7. <A -HREF="#AEN2809" ->Setting up Browsing in a DOMAIN</A -></DT -><DT ->16.8. <A -HREF="#AEN2819" ->Forcing samba to be the master</A -></DT -><DT ->16.9. <A -HREF="#AEN2828" ->Making samba the domain master</A -></DT -><DT ->16.10. <A -HREF="#AEN2846" ->Note about broadcast addresses</A -></DT -><DT ->16.11. <A -HREF="#AEN2849" ->Multiple interfaces</A -></DT -></DL -></DD -><DT ->17. <A -HREF="#VFS" ->Stackable VFS modules</A -></DT -><DD -><DL -><DT ->17.1. <A -HREF="#AEN2867" ->Introduction and configuration</A -></DT -><DT ->17.2. <A -HREF="#AEN2876" ->Included modules</A -></DT -><DD -><DL -><DT ->17.2.1. <A -HREF="#AEN2878" ->audit</A -></DT -><DT ->17.2.2. <A -HREF="#AEN2886" ->recycle</A -></DT -><DT ->17.2.3. <A -HREF="#AEN2923" ->netatalk</A -></DT -></DL -></DD -><DT ->17.3. <A -HREF="#AEN2930" ->VFS modules available elsewhere</A -></DT -><DD -><DL -><DT ->17.3.1. <A -HREF="#AEN2934" ->DatabaseFS</A -></DT -><DT ->17.3.2. <A -HREF="#AEN2942" ->vscan</A -></DT -></DL -></DD -></DL -></DD -><DT ->18. <A -HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT -><DT ->19. <A -HREF="#SPEED" ->Samba performance issues</A -></DT -><DD -><DL -><DT ->19.1. <A -HREF="#AEN2997" ->Comparisons</A -></DT -><DT ->19.2. <A -HREF="#AEN3003" ->Socket options</A -></DT -><DT ->19.3. <A -HREF="#AEN3010" ->Read size</A -></DT -><DT ->19.4. <A -HREF="#AEN3015" ->Max xmit</A -></DT -><DT ->19.5. <A -HREF="#AEN3020" ->Log level</A -></DT -><DT ->19.6. <A -HREF="#AEN3023" ->Read raw</A -></DT -><DT ->19.7. <A -HREF="#AEN3028" ->Write raw</A -></DT -><DT ->19.8. <A -HREF="#AEN3032" ->Slow Clients</A -></DT -><DT ->19.9. <A -HREF="#AEN3036" ->Slow Logins</A -></DT -><DT ->19.10. <A -HREF="#AEN3039" ->Client tuning</A -></DT -></DL -></DD -><DT ->20. <A -HREF="#GROUPPROFILES" ->Creating Group Prolicy Files</A -></DT -><DD -><DL -><DT ->20.1. <A -HREF="#AEN3087" ->Windows '9x</A -></DT -><DT ->20.2. <A -HREF="#AEN3097" ->Windows NT 4</A -></DT -><DD -><DL -><DT ->20.2.1. <A -HREF="#AEN3120" ->Side bar Notes</A -></DT -><DT ->20.2.2. <A -HREF="#AEN3124" ->Mandatory profiles</A -></DT -><DT ->20.2.3. <A -HREF="#AEN3127" ->moveuser.exe</A -></DT -><DT ->20.2.4. <A -HREF="#AEN3130" ->Get SID</A -></DT -></DL -></DD -><DT ->20.3. <A -HREF="#AEN3135" ->Windows 2000/XP</A -></DT -></DL -></DD -><DT ->21. <A -HREF="#SECURING-SAMBA" ->Securing Samba</A -></DT -><DD -><DL -><DT ->21.1. <A -HREF="#AEN3216" ->Introduction</A -></DT -><DT ->21.2. <A -HREF="#AEN3219" ->Using host based protection</A -></DT -><DT ->21.3. <A -HREF="#AEN3226" ->Using interface protection</A -></DT -><DT ->21.4. <A -HREF="#AEN3235" ->Using a firewall</A -></DT -><DT ->21.5. <A -HREF="#AEN3242" ->Using a IPC$ share deny</A -></DT -><DT ->21.6. <A -HREF="#AEN3251" ->Upgrading Samba</A -></DT -></DL -></DD -><DT ->22. <A -HREF="#UNICODE" ->Unicode/Charsets</A -></DT -><DD -><DL -><DT ->22.1. <A -HREF="#AEN3265" ->What are charsets and unicode?</A -></DT -><DT ->22.2. <A -HREF="#AEN3274" ->Samba and charsets</A -></DT -></DL -></DD -></DL -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="INTEGRATE-MS-NETWORKS" -></A ->Chapter 10. Integrating MS Windows networks with Samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1515" ->10.1. Agenda</A -></H2 -><P ->To identify the key functional mechanisms of MS Windows networking -to enable the deployment of Samba as a means of extending and/or -replacing MS Windows NT/2000 technology.</P -><P ->We will examine:</P -><P -></P -><OL -TYPE="1" -><LI -><P ->Name resolution in a pure Unix/Linux TCP/IP - environment - </P -></LI -><LI -><P ->Name resolution as used within MS Windows - networking - </P -></LI -><LI -><P ->How browsing functions and how to deploy stable - and dependable browsing using Samba - </P -></LI -><LI -><P ->MS Windows security options and how to - configure Samba for seemless integration - </P -></LI -><LI -><P ->Configuration of Samba as:</P -><P -></P -><OL -TYPE="a" -><LI -><P ->A stand-alone server</P -></LI -><LI -><P ->An MS Windows NT 3.x/4.0 security domain member - </P -></LI -><LI -><P ->An alternative to an MS Windows NT 3.x/4.0 Domain Controller - </P -></LI -></OL -></LI -></OL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1537" ->10.2. Name Resolution in a pure Unix/Linux world</A -></H2 -><P ->The key configuration files covered in this section are:</P -><P -></P -><UL -><LI -><P -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></P -></LI -><LI -><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P -></LI -><LI -><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></P -></LI -><LI -><P -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></P -></LI -></UL -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1553" ->10.2.1. <TT -CLASS="FILENAME" ->/etc/hosts</TT -></A -></H3 -><P ->Contains a static list of IP Addresses and names. -eg:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> 127.0.0.1 localhost localhost.localdomain - 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE -></P -><P ->The purpose of <TT -CLASS="FILENAME" ->/etc/hosts</TT -> is to provide a -name resolution mechanism so that uses do not need to remember -IP addresses.</P -><P ->Network packets that are sent over the physical network transport -layer communicate not via IP addresses but rather using the Media -Access Control address, or MAC address. IP Addresses are currently -32 bits in length and are typically presented as four (4) decimal -numbers that are separated by a dot (or period). eg: 168.192.1.1</P -><P ->MAC Addresses use 48 bits (or 6 bytes) and are typically represented -as two digit hexadecimal numbers separated by colons. eg: -40:8e:0a:12:34:56</P -><P ->Every network interfrace must have an MAC address. Associated with -a MAC address there may be one or more IP addresses. There is NO -relationship between an IP address and a MAC address, all such assignments -are arbitary or discretionary in nature. At the most basic level all -network communications takes place using MAC addressing. Since MAC -addresses must be globally unique, and generally remains fixed for -any particular interface, the assignment of an IP address makes sense -from a network management perspective. More than one IP address can -be assigned per MAC address. One address must be the primary IP address, -this is the address that will be returned in the ARP reply.</P -><P ->When a user or a process wants to communicate with another machine -the protocol implementation ensures that the "machine name" or "host -name" is resolved to an IP address in a manner that is controlled -by the TCP/IP configuration control files. The file -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> is one such file.</P -><P ->When the IP address of the destination interface has been -determined a protocol called ARP/RARP is used to identify -the MAC address of the target interface. ARP stands for Address -Resolution Protocol, and is a broadcast oriented method that -uses UDP (User Datagram Protocol) to send a request to all -interfaces on the local network segment using the all 1's MAC -address. Network interfaces are programmed to respond to two -MAC addresses only; their own unique address and the address -ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will -contain the MAC address and the primary IP address for each -interface.</P -><P ->The <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file is foundational to all -Unix/Linux TCP/IP installations and as a minumum will contain -the localhost and local network interface IP addresses and the -primary names by which they are known within the local machine. -This file helps to prime the pump so that a basic level of name -resolution can exist before any other method of name resolution -becomes available.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1569" ->10.2.2. <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A -></H3 -><P ->This file tells the name resolution libraries:</P -><P -></P -><UL -><LI -><P ->The name of the domain to which the machine - belongs - </P -></LI -><LI -><P ->The name(s) of any domains that should be - automatically searched when trying to resolve unqualified - host names to their IP address - </P -></LI -><LI -><P ->The name or IP address of available Domain - Name Servers that may be asked to perform name to address - translation lookups - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1580" ->10.2.3. <TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A -></H3 -><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -> is the primary means by -which the setting in /etc/resolv.conf may be affected. It is a -critical configuration file. This file controls the order by -which name resolution may procede. The typical structure is:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> order hosts,bind - multi on</PRE -></P -><P ->then both addresses should be returned. Please refer to the -man page for host.conf for further details.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1588" ->10.2.4. <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A -></H3 -><P ->This file controls the actual name resolution targets. The -file typically has resolver object specifications as follows:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # /etc/nsswitch.conf - # - # Name Service Switch configuration file. - # - - passwd: compat - # Alternative entries for password authentication are: - # passwd: compat files nis ldap winbind - shadow: compat - group: compat - - hosts: files nis dns - # Alternative entries for host name resolution are: - # hosts: files dns nis nis+ hesoid db compat ldap wins - networks: nis files dns - - ethers: nis files - protocols: nis files - rpc: nis files - services: nis files</PRE -></P -><P ->Of course, each of these mechanisms requires that the appropriate -facilities and/or services are correctly configured.</P -><P ->It should be noted that unless a network request/message must be -sent, TCP/IP networks are silent. All TCP/IP communications assumes a -principal of speaking only when necessary.</P -><P ->Starting with version 2.2.0 samba has Linux support for extensions to -the name service switch infrastructure so that linux clients will -be able to obtain resolution of MS Windows NetBIOS names to IP -Addresses. To gain this functionality Samba needs to be compiled -with appropriate arguments to the make command (ie: <B -CLASS="COMMAND" ->make -nsswitch/libnss_wins.so</B ->). The resulting library should -then be installed in the <TT -CLASS="FILENAME" ->/lib</TT -> directory and -the "wins" parameter needs to be added to the "hosts:" line in -the <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> file. At this point it -will be possible to ping any MS Windows machine by it's NetBIOS -machine name, so long as that machine is within the workgroup to -which both the samba machine and the MS Windows machine belong.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1600" ->10.3. Name resolution as used within MS Windows networking</A -></H2 -><P ->MS Windows networking is predicated about the name each machine -is given. This name is known variously (and inconsistently) as -the "computer name", "machine name", "networking name", "netbios name", -"SMB name". All terms mean the same thing with the exception of -"netbios name" which can apply also to the name of the workgroup or the -domain name. The terms "workgroup" and "domain" are really just a -simply name with which the machine is associated. All NetBIOS names -are exactly 16 characters in length. The 16th character is reserved. -It is used to store a one byte value that indicates service level -information for the NetBIOS name that is registered. A NetBIOS machine -name is therefore registered for each service type that is provided by -the client/server.</P -><P ->The following are typical NetBIOS name/service type registrations:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser - - Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers</PRE -></P -><P ->It should be noted that all NetBIOS machines register their own -names as per the above. This is in vast contrast to TCP/IP -installations where traditionally the system administrator will -determine in the /etc/hosts or in the DNS database what names -are associated with each IP address.</P -><P ->One further point of clarification should be noted, the <TT -CLASS="FILENAME" ->/etc/hosts</TT -> -file and the DNS records do not provide the NetBIOS name type information -that MS Windows clients depend on to locate the type of service that may -be needed. An example of this is what happens when an MS Windows client -wants to locate a domain logon server. It find this service and the IP -address of a server that provides it by performing a lookup (via a -NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each -IP address that is returned in the enumerated list of IP addresses. Which -ever machine first replies then ends up providing the logon services.</P -><P ->The name "workgroup" or "domain" really can be confusing since these -have the added significance of indicating what is the security -architecture of the MS Windows network. The term "workgroup" indicates -that the primary nature of the network environment is that of a -peer-to-peer design. In a WORKGROUP all machines are responsible for -their own security, and generally such security is limited to use of -just a password (known as SHARE MODE security). In most situations -with peer-to-peer networking the users who control their own machines -will simply opt to have no security at all. It is possible to have -USER MODE security in a WORKGROUP environment, thus requiring use -of a user name and a matching password.</P -><P ->MS Windows networking is thus predetermined to use machine names -for all local and remote machine message passing. The protocol used is -called Server Message Block (SMB) and this is implemented using -the NetBIOS protocol (Network Basic Input Output System). NetBIOS can -be encapsulated using LLC (Logical Link Control) protocol - in which case -the resulting protocol is called NetBEUI (Network Basic Extended User -Interface). NetBIOS can also be run over IPX (Internetworking Packet -Exchange) protocol as used by Novell NetWare, and it can be run -over TCP/IP protocols - in which case the resulting protocol is called -NBT or NetBT, the NetBIOS over TCP/IP.</P -><P ->MS Windows machines use a complex array of name resolution mechanisms. -Since we are primarily concerned with TCP/IP this demonstration is -limited to this area.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1612" ->10.3.1. The NetBIOS Name Cache</A -></H3 -><P ->All MS Windows machines employ an in memory buffer in which is -stored the NetBIOS names and IP addresses for all external -machines that that machine has communicated with over the -past 10-15 minutes. It is more efficient to obtain an IP address -for a machine from the local cache than it is to go through all the -configured name resolution mechanisms.</P -><P ->If a machine whose name is in the local name cache has been shut -down before the name had been expired and flushed from the cache, then -an attempt to exchange a message with that machine will be subject -to time-out delays. i.e.: Its name is in the cache, so a name resolution -lookup will succeed, but the machine can not respond. This can be -frustrating for users - but it is a characteristic of the protocol.</P -><P ->The MS Windows utility that allows examination of the NetBIOS -name cache is called "nbtstat". The Samba equivalent of this -is called "nmblookup".</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1617" ->10.3.2. The LMHOSTS file</A -></H3 -><P ->This file is usually located in MS Windows NT 4.0 or -2000 in <TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the machine name in matched pairs. The -<TT -CLASS="FILENAME" ->LMHOSTS</TT -> file performs NetBIOS name -to IP address mapping oriented.</P -><P ->It typically looks like:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # Copyright (c) 1998 Microsoft Corp. - # - # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS - # over TCP/IP) stack for Windows98 - # - # This file contains the mappings of IP addresses to NT computernames - # (NetBIOS) names. Each entry should be kept on an individual line. - # The IP address should be placed in the first column followed by the - # corresponding computername. The address and the comptername - # should be separated by at least one space or tab. The "#" character - # is generally used to denote the start of a comment (see the exceptions - # below). - # - # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts - # files and offers the following extensions: - # - # #PRE - # #DOM:<domain> - # #INCLUDE <filename> - # #BEGIN_ALTERNATE - # #END_ALTERNATE - # \0xnn (non-printing character support) - # - # Following any entry in the file with the characters "#PRE" will cause - # the entry to be preloaded into the name cache. By default, entries are - # not preloaded, but are parsed only after dynamic name resolution fails. - # - # Following an entry with the "#DOM:<domain>" tag will associate the - # entry with the domain specified by <domain>. This affects how the - # browser and logon services behave in TCP/IP environments. To preload - # the host name associated with #DOM entry, it is necessary to also add a - # #PRE to the line. The <domain> is always preloaded although it will not - # be shown when the name cache is viewed. - # - # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) - # software to seek the specified <filename> and parse it as if it were - # local. <filename> is generally a UNC-based name, allowing a - # centralized lmhosts file to be maintained on a server. - # It is ALWAYS necessary to provide a mapping for the IP address of the - # server prior to the #INCLUDE. This mapping must use the #PRE directive. - # In addtion the share "public" in the example below must be in the - # LanManServer list of "NullSessionShares" in order for client machines to - # be able to read the lmhosts file successfully. This key is under - # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares - # in the registry. Simply add "public" to the list found there. - # - # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE - # statements to be grouped together. Any single successful include - # will cause the group to succeed. - # - # Finally, non-printing characters can be embedded in mappings by - # first surrounding the NetBIOS name in quotations, then using the - # \0xnn notation to specify a hex value for a non-printing character. - # - # The following example illustrates all of these extensions: - # - # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC - # 102.54.94.102 "appname \0x14" #special app server - # 102.54.94.123 popular #PRE #source server - # 102.54.94.117 localsrv #PRE #needed for the include - # - # #BEGIN_ALTERNATE - # #INCLUDE \\localsrv\public\lmhosts - # #INCLUDE \\rhino\public\lmhosts - # #END_ALTERNATE - # - # In the above example, the "appname" server contains a special - # character in its name, the "popular" and "localsrv" server names are - # preloaded, and the "rhino" server name is specified so it can be used - # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" - # system is unavailable. - # - # Note that the whole file is parsed including comments on each lookup, - # so keeping the number of comments to a minimum will improve performance. - # Therefore it is not advisable to simply add lmhosts file entries onto the - # end of this file.</PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1625" ->10.3.3. HOSTS file</A -></H3 -><P ->This file is usually located in MS Windows NT 4.0 or 2000 in -<TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the IP hostname in matched pairs. It can be -used by the name resolution infrastructure in MS Windows, depending -on how the TCP/IP environment is configured. This file is in -every way the equivalent of the Unix/Linux <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1630" ->10.3.4. DNS Lookup</A -></H3 -><P ->This capability is configured in the TCP/IP setup area in the network -configuration facility. If enabled an elaborate name resolution sequence -is followed the precise nature of which isdependant on what the NetBIOS -Node Type parameter is configured to. A Node Type of 0 means use -NetBIOS broadcast (over UDP broadcast) is first used if the name -that is the subject of a name lookup is not found in the NetBIOS name -cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to -Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the -WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast -lookup is used.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1633" ->10.3.5. WINS Lookup</A -></H3 -><P ->A WINS (Windows Internet Name Server) service is the equivaent of the -rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores -the names and IP addresses that are registered by a Windows client -if the TCP/IP setup has been given at least one WINS Server IP Address.</P -><P ->To configure Samba to be a WINS server the following parameter needs -to be added to the <TT -CLASS="FILENAME" ->smb.conf</TT -> file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = Yes</PRE -></P -><P ->To configure Samba to use a WINS server the following parameters are -needed in the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = No - wins server = xxx.xxx.xxx.xxx</PRE -></P -><P ->where <VAR -CLASS="REPLACEABLE" ->xxx.xxx.xxx.xxx</VAR -> is the IP address -of the WINS server.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1645" ->10.4. How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></H2 -><P ->As stated above, MS Windows machines register their NetBIOS names -(i.e.: the machine name for each service type in operation) on start -up. Also, as stated above, the exact method by which this name registration -takes place is determined by whether or not the MS Windows client/server -has been given a WINS server address, whether or not LMHOSTS lookup -is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P -><P ->In the case where there is no WINS server all name registrations as -well as name lookups are done by UDP broadcast. This isolates name -resolution to the local subnet, unless LMHOSTS is used to list all -names and IP addresses. In such situations Samba provides a means by -which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter).</P -><P ->Where a WINS server is used, the MS Windows client will use UDP -unicast to register with the WINS server. Such packets can be routed -and thus WINS allows name resolution to function across routed networks.</P -><P ->During the startup process an election will take place to create a -local master browser if one does not already exist. On each NetBIOS network -one machine will be elected to function as the domain master browser. This -domain browsing has nothing to do with MS security domain control. -Instead, the domain master browser serves the role of contacting each local -master browser (found by asking WINS or from LMHOSTS) and exchanging browse -list contents. This way every master browser will eventually obtain a complete -list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By the nature of -the election criteria used, the machine with the highest uptime, or the -most senior protocol version, or other criteria, will win the election -as domain master browser.</P -><P ->Clients wishing to browse the network make use of this list, but also depend -on the availability of correct name resolution to the respective IP -address/addresses. </P -><P ->Any configuration that breaks name resolution and/or browsing intrinsics -will annoy users because they will have to put up with protracted -inability to use the network services.</P -><P ->Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and -to request browse list synchronisation. This effectively bridges -two networks that are separated by routers. The two remote -networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and -that is distinct from name to address resolution, in other -words, for cross subnet browsing to function correctly it is -essential that a name to address resolution mechanism be provided. -This mechanism could be via DNS, <TT -CLASS="FILENAME" ->/etc/hosts</TT ->, -and so on.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1655" ->10.5. MS Windows security options and how to configure -Samba for seemless integration</A -></H2 -><P ->MS Windows clients may use encrypted passwords as part of a -challenege/response authentication model (a.k.a. NTLMv1) or -alone, or clear text strings for simple password based -authentication. It should be realized that with the SMB -protocol the password is passed over the network either -in plain text or encrypted, but not both in the same -authentication requets.</P -><P ->When encrypted passwords are used a password that has been -entered by the user is encrypted in two ways:</P -><P -></P -><UL -><LI -><P ->An MD4 hash of the UNICODE of the password - string. This is known as the NT hash. - </P -></LI -><LI -><P ->The password is converted to upper case, - and then padded or trucated to 14 bytes. This string is - then appended with 5 bytes of NULL characters and split to - form two 56 bit DES keys to encrypt a "magic" 8 byte value. - The resulting 16 bytes for the LanMan hash. - </P -></LI -></UL -><P ->You should refer to the <A -HREF="ENCRYPTION.html" -TARGET="_top" ->Password Encryption</A -> chapter in this HOWTO collection -for more details on the inner workings</P -><P ->MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x -and version 4.0 pre-service pack 3 will use either mode of -password authentication. All versions of MS Windows that follow -these versions no longer support plain text passwords by default.</P -><P ->MS Windows clients have a habit of dropping network mappings that -have been idle for 10 minutes or longer. When the user attempts to -use the mapped drive connection that has been dropped, the client -re-establishes the connection using -a cached copy of the password.</P -><P ->When Microsoft changed the default password mode, they dropped support for -caching of the plain text password. This means that when the registry -parameter is changed to re-enable use of plain text passwords it appears to -work, but when a dropped mapping attempts to revalidate it will fail if -the remote authentication server does not support encrypted passwords. -This means that it is definitely not a good idea to re-enable plain text -password support in such clients.</P -><P ->The following parameters can be used to work around the -issue of Windows 9x client upper casing usernames and -password before transmitting them to the SMB server -when using clear text authentication.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> <A -HREF="smb.conf.5.html#PASSWORDLEVEL" -TARGET="_top" ->passsword level</A -> = <VAR -CLASS="REPLACEABLE" ->integer</VAR -> - <A -HREF="smb.conf.5.html#USERNAMELEVEL" -TARGET="_top" ->username level</A -> = <VAR -CLASS="REPLACEABLE" ->integer</VAR -></PRE -></P -><P ->By default Samba will lower case the username before attempting -to lookup the user in the database of local system accounts. -Because UNIX usernames conventionally only contain lower case -character, the <VAR -CLASS="PARAMETER" ->username level</VAR -> parameter -is rarely even needed.</P -><P ->However, password on UNIX systems often make use of mixed case -characters. This means that in order for a user on a Windows 9x -client to connect to a Samba server using clear text authentication, -the <VAR -CLASS="PARAMETER" ->password level</VAR -> must be set to the maximum -number of upper case letter which <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->could</I -></SPAN -> appear -is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a <VAR -CLASS="PARAMETER" ->password level</VAR -> -of 8 will result in case insensitive passwords as seen from Windows -users. This will also result in longer login times as Samba -hash to compute the permutations of the password string and -try them one by one until a match is located (or all combinations fail).</P -><P ->The best option to adopt is to enable support for encrypted passwords -where ever Samba is used. There are three configuration possibilities -for support of encrypted passwords:</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1683" ->10.5.1. Use MS Windows NT as an authentication server</A -></H3 -><P ->This method involves the additions of the following parameters -in the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = server - password server = "NetBIOS_name_of_PDC"</PRE -></P -><P ->There are two ways of identifying whether or not a username and -password pair was valid or not. One uses the reply information provided -as part of the authentication messaging process, the other uses -just and error code.</P -><P ->The down-side of this mode of configuration is the fact that -for security reasons Samba will send the password server a bogus -username and a bogus password and if the remote server fails to -reject the username and password pair then an alternative mode -of identification of validation is used. Where a site uses password -lock out after a certain number of failed authentication attempts -this will result in user lockouts.</P -><P ->Use of this mode of authentication does require there to be -a standard Unix account for the user, this account can be blocked -to prevent logons by other than MS Windows clients.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1691" ->10.5.2. Make Samba a member of an MS Windows NT security domain</A -></H3 -><P ->This method involves additon of the following paramters in the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = domain - workgroup = "name of NT domain" - password server = *</PRE -></P -><P ->The use of the "*" argument to "password server" will cause samba -to locate the domain controller in a way analogous to the way -this is done within MS Windows NT.</P -><P ->In order for this method to work the Samba server needs to join the -MS Windows NT security domain. This is done as follows:</P -><P -></P -><UL -><LI -><P ->On the MS Windows NT domain controller using - the Server Manager add a machine account for the Samba server. - </P -></LI -><LI -><P ->Next, on the Linux system execute: - <B -CLASS="COMMAND" ->smbpasswd -r PDC_NAME -j DOMAIN_NAME</B -> - </P -></LI -></UL -><P ->Use of this mode of authentication does require there to be -a standard Unix account for the user in order to assign -a uid once the account has been authenticated by the remote -Windows DC. This account can be blocked to prevent logons by -other than MS Windows clients by things such as setting an invalid -shell in the <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry.</P -><P ->An alternative to assigning UIDs to Windows users on a -Samba member server is presented in the <A -HREF="winbind.html" -TARGET="_top" ->Winbind Overview</A -> chapter in -this HOWTO collection.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1708" ->10.5.3. Configure Samba as an authentication server</A -></H3 -><P ->This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as an -smbpasswd entry for the user. The Unix system account can be -locked if required as only the encrypted password will be -used for SMB client authentication.</P -><P ->This method involves addition of the following parameters to -the smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->## please refer to the Samba PDC HOWTO chapter later in -## this collection for more details -[global] - encrypt passwords = Yes - security = user - domain logons = Yes - ; an OS level of 33 or more is recommended - os level = 33 - -[NETLOGON] - path = /somewhare/in/file/system - read only = yes</PRE -></P -><P ->in order for this method to work a Unix system account needs -to be created for each user, as well as for each MS Windows NT/2000 -machine. The following structure is required.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1715" ->10.5.3.1. Users</A -></H4 -><P ->A user account that may provide a home directory should be -created. The following Linux system commands are typical of -the procedure for creating an account.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # useradd -s /bin/bash -d /home/"userid" -m "userid" - # passwd "userid" - Enter Password: <pw> - - # smbpasswd -a "userid" - Enter Password: <pw></PRE -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1720" ->10.5.3.2. MS Windows NT Machine Accounts</A -></H4 -><P ->These are required only when Samba is used as a domain -controller. Refer to the Samba-PDC-HOWTO for more details.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # useradd -s /bin/false -d /dev/null "machine_name"\$ - # passwd -l "machine_name"\$ - # smbpasswd -a -m "machine_name"</PRE -></P -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1725" ->10.6. Conclusions</A -></H2 -><P ->Samba provides a flexible means to operate as...</P -><P -></P -><UL -><LI -><P ->A Stand-alone server - No special action is needed - other than to create user accounts. Stand-alone servers do NOT - provide network logon services, meaning that machines that use this - server do NOT perform a domain logon but instead make use only of - the MS Windows logon which is local to the MS Windows - workstation/server. - </P -></LI -><LI -><P ->An MS Windows NT 3.x/4.0 security domain member. - </P -></LI -><LI -><P ->An alternative to an MS Windows NT 3.x/4.0 - Domain Controller. - </P -></LI -></UL -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="UNIX-PERMISSIONS" -></A ->Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1746" ->11.1. Viewing and changing UNIX permissions using the NT - security dialogs</A -></H2 -><P ->New in the Samba 2.0.4 release is the ability for Windows - NT clients to use their native security settings dialog box to - view and modify the underlying UNIX permissions.</P -><P ->Note that this ability is careful not to compromise - the security of the UNIX host Samba is running on, and - still obeys all the file permission rules that a Samba - administrator can set.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1750" ->11.2. How to view file security on a Samba share</A -></H2 -><P ->From an NT 4.0 client, single-click with the right - mouse button on any file or directory in a Samba mounted - drive letter or UNC path. When the menu pops-up, click - on the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Properties</I -></SPAN -> entry at the bottom of - the menu. This brings up the normal file properties dialog - box, but with Samba 2.0.4 this will have a new tab along the top - marked <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Security</I -></SPAN ->. Click on this tab and you - will see three buttons, <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Permissions</I -></SPAN ->, - <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Auditing</I -></SPAN ->, and <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Ownership</I -></SPAN ->. - The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Auditing</I -></SPAN -> button will cause either - an error message <SPAN -CLASS="ERRORNAME" ->A requested privilege is not held - by the client</SPAN -> to appear if the user is not the - NT Administrator, or a dialog which is intended to allow an - Administrator to add auditing requirements to a file if the - user is logged on as the NT Administrator. This dialog is - non-functional with a Samba share at this time, as the only - useful button, the <B -CLASS="COMMAND" ->Add</B -> button will not currently - allow a list of users to be seen.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1761" ->11.3. Viewing file ownership</A -></H2 -><P ->Clicking on the <B -CLASS="COMMAND" ->"Ownership"</B -> button - brings up a dialog box telling you who owns the given file. The - owner name will be of the form :</P -><P -><B -CLASS="COMMAND" ->"SERVER\user (Long name)"</B -></P -><P ->Where <VAR -CLASS="REPLACEABLE" ->SERVER</VAR -> is the NetBIOS name of - the Samba server, <VAR -CLASS="REPLACEABLE" ->user</VAR -> is the user name of - the UNIX user who owns the file, and <VAR -CLASS="REPLACEABLE" ->(Long name)</VAR -> - is the descriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). Click on the <B -CLASS="COMMAND" ->Close - </B -> button to remove this dialog.</P -><P ->If the parameter <VAR -CLASS="PARAMETER" ->nt acl support</VAR -> - is set to <CODE -CLASS="CONSTANT" ->false</CODE -> then the file owner will - be shown as the NT user <B -CLASS="COMMAND" ->"Everyone"</B ->.</P -><P ->The <B -CLASS="COMMAND" ->Take Ownership</B -> button will not allow - you to change the ownership of this file to yourself (clicking on - it will display a dialog box complaining that the user you are - currently logged onto the NT client cannot be found). The reason - for this is that changing the ownership of a file is a privileged - operation in UNIX, available only to the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->root</I -></SPAN -> - user. As clicking on this button causes NT to attempt to change - the ownership of a file to the current user logged into the NT - client this will not work with Samba at this time.</P -><P ->There is an NT chown command that will work with Samba - and allow a user with Administrator privilege connected - to a Samba 2.0.4 server as root to change the ownership of - files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Seclib - </I -></SPAN -> NT security library written by Jeremy Allison of - the Samba Team, available from the main Samba ftp site.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1781" ->11.4. Viewing file or directory permissions</A -></H2 -><P ->The third button is the <B -CLASS="COMMAND" ->"Permissions"</B -> - button. Clicking on this brings up a dialog box that shows both - the permissions and the UNIX owner of the file or directory. - The owner is displayed in the form :</P -><P -><B -CLASS="COMMAND" ->"SERVER\user (Long name)"</B -></P -><P ->Where <VAR -CLASS="REPLACEABLE" ->SERVER</VAR -> is the NetBIOS name of - the Samba server, <VAR -CLASS="REPLACEABLE" ->user</VAR -> is the user name of - the UNIX user who owns the file, and <VAR -CLASS="REPLACEABLE" ->(Long name)</VAR -> - is the descriptive string identifying the user (normally found in the - GECOS field of the UNIX password database).</P -><P ->If the parameter <VAR -CLASS="PARAMETER" ->nt acl support</VAR -> - is set to <CODE -CLASS="CONSTANT" ->false</CODE -> then the file owner will - be shown as the NT user <B -CLASS="COMMAND" ->"Everyone"</B -> and the - permissions will be shown as NT "Full Control".</P -><P ->The permissions field is displayed differently for files - and directories, so I'll describe the way file permissions - are displayed first.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1796" ->11.4.1. File Permissions</A -></H3 -><P ->The standard UNIX user/group/world triple and - the corresponding "read", "write", "execute" permissions - triples are mapped by Samba into a three element NT ACL - with the 'r', 'w', and 'x' bits mapped into the corresponding - NT permissions. The UNIX world permissions are mapped into - the global NT group <B -CLASS="COMMAND" ->Everyone</B ->, followed - by the list of permissions allowed for UNIX world. The UNIX - owner and group permissions are displayed as an NT - <B -CLASS="COMMAND" ->user</B -> icon and an NT <B -CLASS="COMMAND" ->local - group</B -> icon respectively followed by the list - of permissions allowed for the UNIX user and group.</P -><P ->As many UNIX permission sets don't map into common - NT names such as <B -CLASS="COMMAND" ->"read"</B ->, <B -CLASS="COMMAND" -> "change"</B -> or <B -CLASS="COMMAND" ->"full control"</B -> then - usually the permissions will be prefixed by the words <B -CLASS="COMMAND" -> "Special Access"</B -> in the NT display list.</P -><P ->But what happens if the file has no permissions allowed - for a particular UNIX user group or world component ? In order - to allow "no permissions" to be seen and modified then Samba - overloads the NT <B -CLASS="COMMAND" ->"Take Ownership"</B -> ACL attribute - (which has no meaning in UNIX) and reports a component with - no permissions as having the NT <B -CLASS="COMMAND" ->"O"</B -> bit set. - This was chosen of course to make it look like a zero, meaning - zero permissions. More details on the decision behind this will - be given below.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1810" ->11.4.2. Directory Permissions</A -></H3 -><P ->Directories on an NT NTFS file system have two - different sets of permissions. The first set of permissions - is the ACL set on the directory itself, this is usually displayed - in the first set of parentheses in the normal <B -CLASS="COMMAND" ->"RW"</B -> - NT style. This first set of permissions is created by Samba in - exactly the same way as normal file permissions are, described - above, and is displayed in the same way.</P -><P ->The second set of directory permissions has no real meaning - in the UNIX permissions world and represents the <B -CLASS="COMMAND" -> "inherited"</B -> permissions that any file created within - this directory would inherit.</P -><P ->Samba synthesises these inherited permissions for NT by - returning as an NT ACL the UNIX permission mode that a new file - created by Samba on this share would receive.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1817" ->11.5. Modifying file or directory permissions</A -></H2 -><P ->Modifying file and directory permissions is as simple - as changing the displayed permissions in the dialog box, and - clicking the <B -CLASS="COMMAND" ->OK</B -> button. However, there are - limitations that a user needs to be aware of, and also interactions - with the standard Samba permission masks and mapping of DOS - attributes that need to also be taken into account.</P -><P ->If the parameter <VAR -CLASS="PARAMETER" ->nt acl support</VAR -> - is set to <CODE -CLASS="CONSTANT" ->false</CODE -> then any attempt to set - security permissions will fail with an <B -CLASS="COMMAND" ->"Access Denied" - </B -> message.</P -><P ->The first thing to note is that the <B -CLASS="COMMAND" ->"Add"</B -> - button will not return a list of users in Samba 2.0.4 (it will give - an error message of <B -CLASS="COMMAND" ->"The remote procedure call failed - and did not execute"</B ->). This means that you can only - manipulate the current user/group/world permissions listed in - the dialog box. This actually works quite well as these are the - only permissions that UNIX actually has.</P -><P ->If a permission triple (either user, group, or world) - is removed from the list of permissions in the NT dialog box, - then when the <B -CLASS="COMMAND" ->"OK"</B -> button is pressed it will - be applied as "no permissions" on the UNIX side. If you then - view the permissions again the "no permissions" entry will appear - as the NT <B -CLASS="COMMAND" ->"O"</B -> flag, as described above. This - allows you to add permissions back to a file or directory once - you have removed them from a triple component.</P -><P ->As UNIX supports only the "r", "w" and "x" bits of - an NT ACL then if other NT security attributes such as "Delete - access" are selected then they will be ignored when applied on - the Samba server.</P -><P ->When setting permissions on a directory the second - set of permissions (in the second set of parentheses) is - by default applied to all files within that directory. If this - is not what you want you must uncheck the <B -CLASS="COMMAND" ->"Replace - permissions on existing files"</B -> checkbox in the NT - dialog before clicking <B -CLASS="COMMAND" ->"OK"</B ->.</P -><P ->If you wish to remove all permissions from a - user/group/world component then you may either highlight the - component and click the <B -CLASS="COMMAND" ->"Remove"</B -> button, - or set the component to only have the special <B -CLASS="COMMAND" ->"Take - Ownership"</B -> permission (displayed as <B -CLASS="COMMAND" ->"O" - </B ->) highlighted.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1839" ->11.6. Interaction with the standard Samba create mask - parameters</A -></H2 -><P ->Note that with Samba 2.0.5 there are four new parameters - to control this interaction. These are :</P -><P -><VAR -CLASS="PARAMETER" ->security mask</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->force security mode</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->directory security mask</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->force directory security mode</VAR -></P -><P ->Once a user clicks <B -CLASS="COMMAND" ->"OK"</B -> to apply the - permissions Samba maps the given permissions into a user/group/world - r/w/x triple set, and then will check the changed permissions for a - file against the bits set in the <A -HREF="smb.conf.5.html#SECURITYMASK" -TARGET="_top" -> - <VAR -CLASS="PARAMETER" ->security mask</VAR -></A -> parameter. Any bits that - were changed that are not set to '1' in this parameter are left alone - in the file permissions.</P -><P ->Essentially, zero bits in the <VAR -CLASS="PARAMETER" ->security mask</VAR -> - mask may be treated as a set of bits the user is <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->not</I -></SPAN -> - allowed to change, and one bits are those the user is allowed to change. - </P -><P ->If not set explicitly this parameter is set to the same value as - the <A -HREF="smb.conf.5.html#CREATEMASK" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->create mask - </VAR -></A -> parameter to provide compatibility with Samba 2.0.4 - where this permission change facility was introduced. To allow a user to - modify all the user/group/world permissions on a file, set this parameter - to 0777.</P -><P ->Next Samba checks the changed permissions for a file against - the bits set in the <A -HREF="smb.conf.5.html#FORCESECURITYMODE" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->force security mode</VAR -></A -> parameter. Any bits - that were changed that correspond to bits set to '1' in this parameter - are forced to be set.</P -><P ->Essentially, bits set in the <VAR -CLASS="PARAMETER" ->force security mode - </VAR -> parameter may be treated as a set of bits that, when - modifying security on a file, the user has always set to be 'on'.</P -><P ->If not set explicitly this parameter is set to the same value - as the <A -HREF="smb.conf.5.html#FORCECREATEMODE" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->force - create mode</VAR -></A -> parameter to provide compatibility - with Samba 2.0.4 where the permission change facility was introduced. - To allow a user to modify all the user/group/world permissions on a file - with no restrictions set this parameter to 000.</P -><P ->The <VAR -CLASS="PARAMETER" ->security mask</VAR -> and <VAR -CLASS="PARAMETER" ->force - security mode</VAR -> parameters are applied to the change - request in that order.</P -><P ->For a directory Samba will perform the same operations as - described above for a file except using the parameter <VAR -CLASS="PARAMETER" -> directory security mask</VAR -> instead of <VAR -CLASS="PARAMETER" ->security - mask</VAR ->, and <VAR -CLASS="PARAMETER" ->force directory security mode - </VAR -> parameter instead of <VAR -CLASS="PARAMETER" ->force security mode - </VAR ->.</P -><P ->The <VAR -CLASS="PARAMETER" ->directory security mask</VAR -> parameter - by default is set to the same value as the <VAR -CLASS="PARAMETER" ->directory mask - </VAR -> parameter and the <VAR -CLASS="PARAMETER" ->force directory security - mode</VAR -> parameter by default is set to the same value as - the <VAR -CLASS="PARAMETER" ->force directory mode</VAR -> parameter to provide - compatibility with Samba 2.0.4 where the permission change facility - was introduced.</P -><P ->In this way Samba enforces the permission restrictions that - an administrator can set on a Samba share, whilst still allowing users - to modify the permission bits within that restriction.</P -><P ->If you want to set up a share that allows users full control - in modifying the permission bits on their files and directories and - doesn't force any particular bits to be set 'on', then set the following - parameters in the <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5) - </TT -></A -> file in that share specific section :</P -><P -><VAR -CLASS="PARAMETER" ->security mask = 0777</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->force security mode = 0</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->directory security mask = 0777</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->force directory security mode = 0</VAR -></P -><P ->As described, in Samba 2.0.4 the parameters :</P -><P -><VAR -CLASS="PARAMETER" ->create mask</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->force create mode</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->directory mask</VAR -></P -><P -><VAR -CLASS="PARAMETER" ->force directory mode</VAR -></P -><P ->were used instead of the parameters discussed here.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1903" ->11.7. Interaction with the standard Samba file attribute - mapping</A -></H2 -><P ->Samba maps some of the DOS attribute bits (such as "read - only") into the UNIX permissions of a file. This means there can - be a conflict between the permission bits set via the security - dialog and the permission bits set by the file attribute mapping. - </P -><P ->One way this can show up is if a file has no UNIX read access - for the owner it will show up as "read only" in the standard - file attributes tabbed dialog. Unfortunately this dialog is - the same one that contains the security info in another tab.</P -><P ->What this can mean is that if the owner changes the permissions - to allow themselves read access using the security dialog, clicks - <B -CLASS="COMMAND" ->"OK"</B -> to get back to the standard attributes tab - dialog, and then clicks <B -CLASS="COMMAND" ->"OK"</B -> on that dialog, then - NT will set the file permissions back to read-only (as that is what - the attributes still say in the dialog). This means that after setting - permissions and clicking <B -CLASS="COMMAND" ->"OK"</B -> to get back to the - attributes dialog you should always hit <B -CLASS="COMMAND" ->"Cancel"</B -> - rather than <B -CLASS="COMMAND" ->"OK"</B -> to ensure that your changes - are not overridden.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="PAM" -></A ->Chapter 12. Configuring PAM for distributed but centrally -managed authentication</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1924" ->12.1. Samba and PAM</A -></H2 -><P ->A number of Unix systems (eg: Sun Solaris), as well as the -xxxxBSD family and Linux, now utilize the Pluggable Authentication -Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the -introduction of PAM, a decision to use an alternative to -the system password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->) -would require the provision of alternatives for all programs that provide -security services. Such a choice would involve provision of -alternatives to such programs as: <B -CLASS="COMMAND" ->login</B ->, -<B -CLASS="COMMAND" ->passwd</B ->, <B -CLASS="COMMAND" ->chown</B ->, etc.</P -><P ->PAM provides a mechanism that disconnects these security programs -from the underlying authentication/authorization infrastructure. -PAM is configured either through one file <TT -CLASS="FILENAME" ->/etc/pam.conf</TT -> (Solaris), -or by editing individual files that are located in <TT -CLASS="FILENAME" ->/etc/pam.d</TT ->.</P -><P ->The following is an example <TT -CLASS="FILENAME" ->/etc/pam.d/login</TT -> configuration file. -This example had all options been uncommented is probably not usable -as it stacks many conditions before allowing successful completion -of the login process. Essentially all conditions can be disabled -by commenting them out except the calls to <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_securetty.so -auth required pam_nologin.so -# auth required pam_dialup.so -# auth optional pam_mail.so -auth required pam_pwdb.so shadow md5 -# account requisite pam_time.so -account required pam_pwdb.so -session required pam_pwdb.so -# session optional pam_lastlog.so -# password required pam_cracklib.so retry=3 -password required pam_pwdb.so shadow md5</PRE -></P -><P ->PAM allows use of replacable modules. Those available on a -sample system include:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->$ /bin/ls /lib/security -pam_access.so pam_ftp.so pam_limits.so -pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so -pam_cracklib.so pam_group.so pam_listfile.so -pam_nologin.so pam_rootok.so pam_tally.so -pam_deny.so pam_issue.so pam_mail.so -pam_permit.so pam_securetty.so pam_time.so -pam_dialup.so pam_lastlog.so pam_mkhomedir.so -pam_pwdb.so pam_shells.so pam_unix.so -pam_env.so pam_ldap.so pam_motd.so -pam_radius.so pam_smbpass.so pam_unix_acct.so -pam_wheel.so pam_unix_auth.so pam_unix_passwd.so -pam_userdb.so pam_warn.so pam_unix_session.so</PRE -></P -><P ->The following example for the login program replaces the use of -the <TT -CLASS="FILENAME" ->pam_pwdb.so</TT -> module which uses the system -password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->, -<TT -CLASS="FILENAME" ->/etc/shadow</TT ->, <TT -CLASS="FILENAME" ->/etc/group</TT ->) with -the module <TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -<TT -CLASS="FILENAME" ->/usr/local/samba/private/smbpasswd</TT ->, -<TT -CLASS="FILENAME" ->/etc/samba/smbpasswd</TT ->, or in -<TT -CLASS="FILENAME" ->/etc/samba.d/smbpasswd</TT ->, depending on the -Samba implementation for your Unix/Linux system. The -<TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the -<B -CLASS="COMMAND" ->--with-pam_smbpass</B -> options when running Samba's -<TT -CLASS="FILENAME" ->configure</TT -> script. For more information -on the <TT -CLASS="FILENAME" ->pam_smbpass</TT -> module, see the documentation -in the <TT -CLASS="FILENAME" ->source/pam_smbpass</TT -> directory of the Samba -source distribution.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_smbpass.so nodelay -account required pam_smbpass.so nodelay -session required pam_smbpass.so nodelay -password required pam_smbpass.so nodelay</PRE -></P -><P ->The following is the PAM configuration file for a particular -Linux system. The default condition uses <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_pwdb.so shadow md5</PRE -></P -><P ->In the following example the decision has been made to use the -smbpasswd database even for basic samba authentication. Such a -decision could also be made for the passwd program and would -thus allow the smbpasswd passwords to be changed using the passwd -program.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_smbpass.so nodelay -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE -></P -><P ->Note: PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within one PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implmentations also -provide the <TT -CLASS="FILENAME" ->pam_stack.so</TT -> module that allows all -authentication to be configured in a single central file. The -<TT -CLASS="FILENAME" ->pam_stack.so</TT -> method has some very devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want examine the -PAM documentation for further helpful information.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1968" ->12.2. Distributed Authentication</A -></H2 -><P ->The astute administrator will realize from this that the -combination of <TT -CLASS="FILENAME" ->pam_smbpass.so</TT ->, -<B -CLASS="COMMAND" ->winbindd</B ->, and <B -CLASS="COMMAND" ->rsync</B -> (see -<A -HREF="http://rsync.samba.org/" -TARGET="_top" ->http://rsync.samba.org/</A ->) -will allow the establishment of a centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1975" ->12.3. PAM Configuration in smb.conf</A -></H2 -><P ->There is an option in smb.conf called <A -HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" -TARGET="_top" ->obey pam restrictions</A ->. -The following is from the on-line help for this option in SWAT;</P -><P ->When Samba 2.2 is configure to enable PAM support (i.e. -<CODE -CLASS="CONSTANT" ->--with-pam</CODE ->), this parameter will -control whether or not Samba should obey PAM's account -and session management directives. The default behavior -is to use PAM for clear text authentication only and to -ignore any account or session management. Note that Samba always -ignores PAM for authentication in the case of -<A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords = yes</A ->. -The reason is that PAM modules cannot support the challenge/response -authentication mechanism needed in the presence of SMB -password encryption. </P -><P ->Default: <B -CLASS="COMMAND" ->obey pam restrictions = no</B -></P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="MSDFS" -></A ->Chapter 13. Hosting a Microsoft Distributed File System tree on Samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1995" ->13.1. Instructions</A -></H2 -><P ->The Distributed File System (or Dfs) provides a means of - separating the logical view of files and directories that users - see from the actual physical locations of these resources on the - network. It allows for higher availability, smoother storage expansion, - load balancing etc. For more information about Dfs, refer to <A -HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" -TARGET="_top" -> Microsoft documentation</A ->. </P -><P ->This document explains how to host a Dfs tree on a Unix - machine (for Dfs-aware clients to browse) using Samba.</P -><P ->To enable SMB-based DFS for Samba, configure it with the - <VAR -CLASS="PARAMETER" ->--with-msdfs</VAR -> option. Once built, a - Samba server can be made a Dfs server by setting the global - boolean <A -HREF="smb.conf.5.html#HOSTMSDFS" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> host msdfs</VAR -></A -> parameter in the <TT -CLASS="FILENAME" ->smb.conf - </TT -> file. You designate a share as a Dfs root using the share - level boolean <A -HREF="smb.conf.5.html#MSDFSROOT" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> msdfs root</VAR -></A -> parameter. A Dfs root directory on - Samba hosts Dfs links in the form of symbolic links that point - to other servers. For example, a symbolic link - <TT -CLASS="FILENAME" ->junction->msdfs:storage1\share1</TT -> in - the share directory acts as the Dfs junction. When Dfs-aware - clients attempt to access the junction link, they are redirected - to the storage location (in this case, \\storage1\share1).</P -><P ->Dfs trees on Samba work with all Dfs-aware clients ranging - from Windows 95 to 2000.</P -><P ->Here's an example of setting up a Dfs tree on a Samba - server.</P -><P -><PRE -CLASS="PROGRAMLISTING" -># The smb.conf file: -[global] - netbios name = SAMBA - host msdfs = yes - -[dfs] - path = /export/dfsroot - msdfs root = yes - </PRE -></P -><P ->In the /export/dfsroot directory we set up our dfs links to - other servers on the network.</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->cd /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chown root /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chmod 755 /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:storageA\\shareA linka</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:serverB\\share,serverC\\share linkb</KBD -></P -><P ->You should set up the permissions and ownership of - the directory acting as the Dfs root such that only designated - users can create, delete or modify the msdfs links. Also note - that symlink names should be all lowercase. This limitation exists - to have Samba avoid trying all the case combinations to get at - the link name. Finally set up the symbolic links to point to the - network shares you want, and start Samba.</P -><P ->Users on Dfs-aware clients can now browse the Dfs tree - on the Samba server at \\samba\dfs. Accessing - links linka or linkb (which appear as directories to the client) - takes users directly to the appropriate shares on the network.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2030" ->13.1.1. Notes</A -></H3 -><P -></P -><UL -><LI -><P ->Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. A better way is to introduce a - new share and make it the dfs root.</P -></LI -><LI -><P ->Currently there's a restriction that msdfs - symlink names should all be lowercase.</P -></LI -><LI -><P ->For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P -></LI -></UL -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="PRINTING" -></A ->Chapter 14. Printing Support</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN2056" ->14.1. Introduction</A -></H2 -><P ->Beginning with the 2.2.0 release, Samba supports -the native Windows NT printing mechanisms implemented via -MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of -Samba only supported LanMan printing calls.</P -><P ->The additional functionality provided by the new -SPOOLSS support includes:</P -><P -></P -><UL -><LI -><P ->Support for downloading printer driver - files to Windows 95/98/NT/2000 clients upon demand. - </P -></LI -><LI -><P ->Uploading of printer drivers via the - Windows NT Add Printer Wizard (APW) or the - Imprints tool set (refer to <A -HREF="http://imprints.sourceforge.net" -TARGET="_top" ->http://imprints.sourceforge.net</A ->). - </P -></LI -><LI -><P ->Support for the native MS-RPC printing - calls such as StartDocPrinter, EnumJobs(), etc... (See - the MSDN documentation at <A -HREF="http://msdn.microsoft.com/" -TARGET="_top" ->http://msdn.microsoft.com/</A -> - for more information on the Win32 printing API) - </P -></LI -><LI -><P ->Support for NT Access Control Lists (ACL) - on printer objects</P -></LI -><LI -><P ->Improved support for printer queue manipulation - through the use of an internal databases for spooled job - information</P -></LI -></UL -><P ->There has been some initial confusion about what all this means -and whether or not it is a requirement for printer drivers to be -installed on a Samba host in order to support printing from Windows -clients. As a side note, Samba does not use these drivers in any way to process -spooled files. They are utilized entirely by the clients.</P -><P ->The following MS KB article, may be of some help if you are dealing with -Windows 2000 clients: <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How to Add Printers with No User -Interaction in Windows 2000</I -></SPAN -></P -><P -><A -HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP" -TARGET="_top" ->http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2078" ->14.2. Configuration</A -></H2 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->[print$] vs. [printer$]</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Previous versions of Samba recommended using a share named [printer$]. -This name was taken from the printer$ service created by Windows 9x -clients when a printer was shared. Windows 9x printer servers always have -a printer$ service which provides read-only access via no -password in order to support printer driver downloads.</P -><P ->However, the initial implementation allowed for a -parameter named <VAR -CLASS="PARAMETER" ->printer driver location</VAR -> -to be used on a per share basis to specify the location of -the driver files associated with that printer. Another -parameter named <VAR -CLASS="PARAMETER" ->printer driver</VAR -> provided -a means of defining the printer driver name to be sent to -the client.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2086" ->14.2.1. Creating [print$]</A -></H3 -><P ->In order to support the uploading of printer driver -files, you must first configure a file share named [print$]. -The name of this share is hard coded in Samba's internals so -the name is very important (print$ is the service used by -Windows NT print servers to provide support for printer driver -download).</P -><P ->You should modify the server's smb.conf file to add the global -parameters and to create the -following file share (of course, some of the parameter values, -such as 'path' are arbitrary and should be replaced with -appropriate values for your site):</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - ; members of the ntadmin group should be able - ; to add drivers and set printer properties - ; root is implicitly a 'printer admin' - printer admin = @ntadmin - -[print$] - path = /usr/local/samba/printers - guest ok = yes - browseable = yes - read only = yes - ; since this share is configured as read only, then we need - ; a 'write list'. Check the file system permissions to make - ; sure this account can copy files to the share. If this - ; is setup to a non-root account, then it should also exist - ; as a 'printer admin' - write list = @ntadmin,root</PRE -></P -><P ->The <A -HREF="smb.conf.5.html#WRITELIST" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->write list</VAR -></A -> is used to allow administrative -level user accounts to have write access in order to update files -on the share. See the <A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5) -man page</A -> for more information on configuring file shares.</P -><P ->The requirement for <A -HREF="smb.conf.5.html#GUESTOK" -TARGET="_top" -><B -CLASS="COMMAND" ->guest -ok = yes</B -></A -> depends upon how your -site is configured. If users will be guaranteed to have -an account on the Samba host, then this is a non-issue.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->Author's Note</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->The non-issue is that if all your Windows NT users are guaranteed to be -authenticated by the Samba server (such as a domain member server and the NT -user has already been validated by the Domain Controller in -order to logon to the Windows NT console), then guest access -is not necessary. Of course, in a workgroup environment where -you just want to be able to print without worrying about -silly accounts and security, then configure the share for -guest access. You'll probably want to add <A -HREF="smb.conf.5.html#MAPTOGUEST" -TARGET="_top" -><B -CLASS="COMMAND" ->map to guest = Bad User</B -></A -> in the [global] section as well. Make sure -you understand what this parameter does before using it -though. --jerry</P -></TD -></TR -></TABLE -></DIV -><P ->In order for a Windows NT print server to support -the downloading of driver files by multiple client architectures, -it must create subdirectories within the [print$] service -which correspond to each of the supported client architectures. -Samba follows this model as well.</P -><P ->Next create the directory tree below the [print$] share -for each architecture you wish to support.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[print$]----- - |-W32X86 ; "Windows NT x86" - |-WIN40 ; "Windows 95/98" - |-W32ALPHA ; "Windows NT Alpha_AXP" - |-W32MIPS ; "Windows NT R4000" - |-W32PPC ; "Windows NT PowerPC"</PRE -></P -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->ATTENTION! REQUIRED PERMISSIONS</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->In order to currently add a new driver to you Samba host, -one of two conditions must hold true:</P -><P -></P -><UL -><LI -><P ->The account used to connect to the Samba host - must have a uid of 0 (i.e. a root account)</P -></LI -><LI -><P ->The account used to connect to the Samba host - must be a member of the <A -HREF="smb.conf.5.html#PRINTERADMIN" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->printer - admin</VAR -></A -> list.</P -></LI -></UL -><P ->Of course, the connected account must still possess access -to add files to the subdirectories beneath [print$]. Remember -that all file shares are set to 'read only' by default.</P -></TD -></TR -></TABLE -></DIV -><P ->Once you have created the required [print$] service and -associated subdirectories, simply log onto the Samba server using -a root (or <VAR -CLASS="PARAMETER" ->printer admin</VAR ->) account -from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or -"My Network Places" and browse for the Samba host. Once you have located -the server, navigate to the "Printers..." folder. -You should see an initial listing of printers -that matches the printer shares defined on your Samba host.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2121" ->14.2.2. Setting Drivers for Existing Printers</A -></H3 -><P ->The initial listing of printers in the Samba host's -Printers folder will have no real printer driver assigned -to them. This defaults to a NULL string to allow the use -of the local Add Printer Wizard on NT/2000 clients. -Attempting to view the printer properties for a printer -which has this default driver assigned will result in -the error message:</P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Device settings cannot be displayed. The driver -for the specified printer is not installed, only spooler -properties will be displayed. Do you want to install the -driver now?</I -></SPAN -></P -><P ->Click "No" in the error dialog and you will be presented with -the printer properties window. The way to assign a driver to a -printer is to either</P -><P -></P -><UL -><LI -><P ->Use the "New Driver..." button to install - a new printer driver, or</P -></LI -><LI -><P ->Select a driver from the popup list of - installed drivers. Initially this list will be empty.</P -></LI -></UL -><P ->If you wish to install printer drivers for client -operating systems other than "Windows NT x86", you will need -to use the "Sharing" tab of the printer properties dialog.</P -><P ->Assuming you have connected with a root account, you -will also be able modify other printer properties such as -ACLs and device settings using this dialog box.</P -><P ->A few closing comments for this section, it is possible -on a Windows NT print server to have printers -listed in the Printers folder which are not shared. Samba does -not make this distinction. By definition, the only printers of -which Samba is aware are those which are specified as shares in -<TT -CLASS="FILENAME" ->smb.conf</TT ->.</P -><P ->Another interesting side note is that Windows NT clients do -not use the SMB printer share, but rather can print directly -to any printer on another Windows NT host using MS-RPC. This -of course assumes that the printing client has the necessary -privileges on the remote host serving the printer. The default -permissions assigned by Windows NT to a printer gives the "Print" -permissions to the "Everyone" well-known group.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2137" ->14.2.3. Support a large number of printers</A -></H3 -><P ->One issue that has arisen during the development -phase of Samba 2.2 is the need to support driver downloads for -100's of printers. Using the Windows NT APW is somewhat -awkward to say the list. If more than one printer are using the -same driver, the <A -HREF="rpcclient.1.html" -TARGET="_top" -><B -CLASS="COMMAND" ->rpcclient's -setdriver command</B -></A -> can be used to set the driver -associated with an installed driver. The following is example -of how this could be accomplished:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> -<SAMP -CLASS="PROMPT" ->$ </SAMP ->rpcclient pogo -U root%secret -c "enumdrivers" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] - -[Windows NT x86] -Printer Driver Info 1: - Driver Name: [HP LaserJet 4000 Series PS] - -Printer Driver Info 1: - Driver Name: [HP LaserJet 2100 Series PS] - -Printer Driver Info 1: - Driver Name: [HP LaserJet 4Si/4SiMX PS] - -<SAMP -CLASS="PROMPT" ->$ </SAMP ->rpcclient pogo -U root%secret -c "enumprinters" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] - flags:[0x800000] - name:[\\POGO\hp-print] - description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] - comment:[] - -<SAMP -CLASS="PROMPT" ->$ </SAMP ->rpcclient pogo -U root%secret \ -<SAMP -CLASS="PROMPT" ->> </SAMP -> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] -Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2148" ->14.2.4. Adding New Printers via the Windows NT APW</A -></H3 -><P ->By default, Samba offers all printer shares defined in <TT -CLASS="FILENAME" ->smb.conf</TT -> -in the "Printers..." folder. Also existing in this folder is the Windows NT -Add Printer Wizard icon. The APW will be show only if</P -><P -></P -><UL -><LI -><P ->The connected user is able to successfully - execute an OpenPrinterEx(\\server) with administrative - privileges (i.e. root or <VAR -CLASS="PARAMETER" ->printer admin</VAR ->). - </P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#SHOWADDPRINTERWIZARD" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->show - add printer wizard = yes</VAR -></A -> (the default). - </P -></LI -></UL -><P ->In order to be able to use the APW to successfully add a printer to a Samba -server, the <A -HREF="smb.conf.5.html#ADDPRINTERCOMMAND" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->add -printer command</VAR -></A -> must have a defined value. The program -hook must successfully add the printer to the system (i.e. -<TT -CLASS="FILENAME" ->/etc/printcap</TT -> or appropriate files) and -<TT -CLASS="FILENAME" ->smb.conf</TT -> if necessary.</P -><P ->When using the APW from a client, if the named printer share does -not exist, <B -CLASS="COMMAND" ->smbd</B -> will execute the <VAR -CLASS="PARAMETER" ->add printer -command</VAR -> and reparse to the <TT -CLASS="FILENAME" ->smb.conf</TT -> -to attempt to locate the new printer share. If the share is still not defined, -an error of "Access Denied" is returned to the client. Note that the -<VAR -CLASS="PARAMETER" ->add printer program</VAR -> is executed under the context -of the connected user, not necessarily a root account.</P -><P ->There is a complementary <A -HREF="smb.conf.5.html#DELETEPRINTERCOMMAND" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->delete -printer command</VAR -></A -> for removing entries from the "Printers..." -folder.</P -><P ->The following is an example <A -HREF="smb.conf.5.html#ADDPRINTERCOMMAN" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->add printer command</VAR -></A -> script. It adds the appropriate entries to <TT -CLASS="FILENAME" ->/etc/printcap.local</TT -> (change that to what you need) and returns a line of 'Done' which is needed for the whole process to work.</P -><PRE -CLASS="PROGRAMLISTING" ->#!/bin/sh - -# Script to insert a new printer entry into printcap.local -# -# $1, printer name, used as the descriptive name -# $2, share name, used as the printer name for Linux -# $3, port name -# $4, driver name -# $5, location, used for the device file of the printer -# $6, win9x location - -# -# Make sure we use the location that RedHat uses for local printer defs -PRINTCAP=/etc/printcap.local -DATE=`date +%Y%m%d-%H%M%S` -LP=lp -RESTART="service lpd restart" - -# Keep a copy -cp $PRINTCAP $PRINTCAP.$DATE -# Add the printer to $PRINTCAP -echo "" >> $PRINTCAP -echo "$2|$1:\\" >> $PRINTCAP -echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP -echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP -echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP - -touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 -chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 - -mkdir /var/spool/lpd/$2 -chmod 700 /var/spool/lpd/$2 -chown $LP /var/spool/lpd/$2 -#echo $1 >> "/usr/local/samba/var/print/$5.prn" -#echo $2 >> "/usr/local/samba/var/print/$5.prn" -#echo $3 >> "/usr/local/samba/var/print/$5.prn" -#echo $4 >> "/usr/local/samba/var/print/$5.prn" -#echo $5 >> "/usr/local/samba/var/print/$5.prn" -#echo $6 >> "/usr/local/samba/var/print/$5.prn" -$RESTART >> "/usr/local/samba/var/print/$5.prn" -# Not sure if this is needed -touch /usr/local/samba/lib/smb.conf -# -# You need to return a value, but I am not sure what it means. -# -echo "Done" -exit 0</PRE -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2178" ->14.2.5. Samba and Printer Ports</A -></H3 -><P ->Windows NT/2000 print servers associate a port with each printer. These normally -take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the -concept of ports associated with a printer. By default, only one printer port, -named "Samba Printer Port", exists on a system. Samba does not really a port in -order to print, rather it is a requirement of Windows clients. </P -><P ->Note that Samba does not support the concept of "Printer Pooling" internally -either. This is when a logical printer is assigned to multiple ports as -a form of load balancing or fail over.</P -><P ->If you require that multiple ports be defined for some reason, -<TT -CLASS="FILENAME" ->smb.conf</TT -> possesses a <A -HREF="smb.conf.5.html#ENUMPORTSCOMMAND" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->enumports -command</VAR -></A -> which can be used to define an external program -that generates a listing of ports on a system.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2186" ->14.3. The Imprints Toolset</A -></H2 -><P ->The Imprints tool set provides a UNIX equivalent of the - Windows NT Add Printer Wizard. For complete information, please - refer to the Imprints web site at <A -HREF="http://imprints.sourceforge.net/" -TARGET="_top" -> http://imprints.sourceforge.net/</A -> as well as the documentation - included with the imprints source distribution. This section will - only provide a brief introduction to the features of Imprints.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2190" ->14.3.1. What is Imprints?</A -></H3 -><P ->Imprints is a collection of tools for supporting the goals - of</P -><P -></P -><UL -><LI -><P ->Providing a central repository information - regarding Windows NT and 95/98 printer driver packages</P -></LI -><LI -><P ->Providing the tools necessary for creating - the Imprints printer driver packages.</P -></LI -><LI -><P ->Providing an installation client which - will obtain and install printer drivers on remote Samba - and Windows NT 4 print servers.</P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2200" ->14.3.2. Creating Printer Driver Packages</A -></H3 -><P ->The process of creating printer driver packages is beyond - the scope of this document (refer to Imprints.txt also included - with the Samba distribution for more information). In short, - an Imprints driver package is a gzipped tarball containing the - driver files, related INF files, and a control file needed by the - installation client.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2203" ->14.3.3. The Imprints server</A -></H3 -><P ->The Imprints server is really a database server that - may be queried via standard HTTP mechanisms. Each printer - entry in the database has an associated URL for the actual - downloading of the package. Each package is digitally signed - via GnuPG which can be used to verify that package downloaded - is actually the one referred in the Imprints database. It is - <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->not</I -></SPAN -> recommended that this security check - be disabled.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2207" ->14.3.4. The Installation Client</A -></H3 -><P ->More information regarding the Imprints installation client - is available in the <TT -CLASS="FILENAME" ->Imprints-Client-HOWTO.ps</TT -> - file included with the imprints source package.</P -><P ->The Imprints installation client comes in two forms.</P -><P -></P -><UL -><LI -><P ->a set of command line Perl scripts</P -></LI -><LI -><P ->a GTK+ based graphical interface to - the command line perl scripts</P -></LI -></UL -><P ->The installation client (in both forms) provides a means - of querying the Imprints database server for a matching - list of known printer model names as well as a means to - download and install the drivers on remote Samba and Windows - NT print servers.</P -><P ->The basic installation process is in four steps and - perl code is wrapped around <B -CLASS="COMMAND" ->smbclient</B -> - and <B -CLASS="COMMAND" ->rpcclient</B ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> -foreach (supported architecture for a given driver) -{ - 1. rpcclient: Get the appropriate upload directory - on the remote server - 2. smbclient: Upload the driver files - 3. rpcclient: Issues an AddPrinterDriver() MS-RPC -} - -4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually - create the printer</PRE -></P -><P ->One of the problems encountered when implementing - the Imprints tool set was the name space issues between - various supported client architectures. For example, Windows - NT includes a driver named "Apple LaserWriter II NTX v51.8" - and Windows 95 calls its version of this driver "Apple - LaserWriter II NTX"</P -><P ->The problem is how to know what client drivers have - been uploaded for a printer. As astute reader will remember - that the Windows NT Printer Properties dialog only includes - space for one printer driver name. A quick look in the - Windows NT 4.0 system registry at</P -><P -><TT -CLASS="FILENAME" ->HKLM\System\CurrentControlSet\Control\Print\Environment - </TT -></P -><P ->will reveal that Windows NT always uses the NT driver - name. This is ok as Windows NT always requires that at least - the Windows NT version of the printer driver is present. - However, Samba does not have the requirement internally. - Therefore, how can you use the NT driver name if is has not - already been installed?</P -><P ->The way of sidestepping this limitation is to require - that all Imprints printer driver packages include both the Intel - Windows NT and 95/98 printer drivers and that NT driver is - installed first.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2229" ->14.4. Diagnosis</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN2231" ->14.4.1. Introduction</A -></H3 -><P ->This is a short description of how to debug printing problems with -Samba. This describes how to debug problems with printing from a SMB -client to a Samba server, not the other way around. For the reverse -see the examples/printing directory.</P -><P ->Ok, so you want to print to a Samba server from your PC. The first -thing you need to understand is that Samba does not actually do any -printing itself, it just acts as a middleman between your PC client -and your Unix printing subsystem. Samba receives the file from the PC -then passes the file to a external "print command". What print command -you use is up to you.</P -><P ->The whole things is controlled using options in smb.conf. The most -relevant options (which you should look up in the smb.conf man page) -are:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [global] - print command - send a file to a spooler - lpq command - get spool queue status - lprm command - remove a job - [printers] - path = /var/spool/lpd/samba</PRE -></P -><P ->The following are nice to know about:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> queuepause command - stop a printer or print queue - queueresume command - start a printer or print queue</PRE -></P -><P ->Example:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> print command = /usr/bin/lpr -r -P%p %s - lpq command = /usr/bin/lpq -P%p %s - lprm command = /usr/bin/lprm -P%p %j - queuepause command = /usr/sbin/lpc -P%p stop - queuepause command = /usr/sbin/lpc -P%p start</PRE -></P -><P ->Samba should set reasonable defaults for these depending on your -system type, but it isn't clairvoyant. It is not uncommon that you -have to tweak these for local conditions. The commands should -always have fully specified pathnames, as the smdb may not have -the correct PATH values.</P -><P ->When you send a job to Samba to be printed, it will make a temporary -copy of it in the directory specified in the [printers] section. -and it should be periodically cleaned out. The lpr -r option -requests that the temporary copy be removed after printing; If -printing fails then you might find leftover files in this directory, -and it should be periodically cleaned out. Samba used the lpq -command to determine the "job number" assigned to your print job -by the spooler.</P -><P ->The %>letter< are "macros" that get dynamically replaced with appropriate -values when they are used. The %s gets replaced with the name of the spool -file that Samba creates and the %p gets replaced with the name of the -printer. The %j gets replaced with the "job number" which comes from -the lpq output.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2247" ->14.4.2. Debugging printer problems</A -></H3 -><P ->One way to debug printing problems is to start by replacing these -command with shell scripts that record the arguments and the contents -of the print file. A simple example of this kind of things might -be:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> print command = /tmp/saveprint %p %s - - #!/bin/saveprint - # we make sure that we are the right user - /usr/bin/id -p >/tmp/tmp.print - # we run the command and save the error messages - # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print</PRE -></P -><P ->Then you print a file and try removing it. You may find that the -print queue needs to be stopped in order to see the queue status -and remove the job:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> h4: {42} % echo hi >/tmp/hi -h4: {43} % smbclient //localhost/lw4 -added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0 -Password: -Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7] -smb: \> print /tmp/hi -putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s) -smb: \> queue -1049 3 hi-17534 -smb: \> cancel 1049 -Error cancelling job 1049 : code 0 -smb: \> cancel 1049 -Job 1049 cancelled -smb: \> queue -smb: \> exit</PRE -></P -><P ->The 'code 0' indicates that the job was removed. The comment -by the smbclient is a bit misleading on this. -You can observe the command output and then and look at the -/tmp/tmp.print file to see what the results are. You can quickly -find out if the problem is with your printing system. Often people -have problems with their /etc/printcap file or permissions on -various print queues.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2256" ->14.4.3. What printers do I have?</A -></H3 -><P ->You can use the 'testprns' program to check to see if the printer -name you are using is recognized by Samba. For example, you can -use:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> testprns printer /etc/printcap</PRE -></P -><P ->Samba can get its printcap information from a file or from a program. -You can try the following to see the format of the extracted -information:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> testprns -a printer /etc/printcap - - testprns -a printer '|/bin/cat printcap'</PRE -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2264" ->14.4.4. Setting up printcap and print servers</A -></H3 -><P ->You may need to set up some printcaps for your Samba system to use. -It is strongly recommended that you use the facilities provided by -the print spooler to set up queues and printcap information.</P -><P ->Samba requires either a printcap or program to deliver printcap -information. This printcap information has the format:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> name|alias1|alias2...:option=value:...</PRE -></P -><P ->For almost all printing systems, the printer 'name' must be composed -only of alphanumeric or underscore '_' characters. Some systems also -allow hyphens ('-') as well. An alias is an alternative name for the -printer, and an alias with a space in it is used as a 'comment' -about the printer. The printcap format optionally uses a \ at the end of lines -to extend the printcap to multiple lines.</P -><P ->Here are some examples of printcap files:</P -><P -><P -></P -><OL -TYPE="1" -><LI -><P ->pr just printer name</P -></LI -><LI -><P ->pr|alias printer name and alias</P -></LI -><LI -><P ->pr|My Printer printer name, alias used as comment</P -></LI -><LI -><P ->pr:sh:\ Same as pr:sh:cm= testing - :cm= \ - testing</P -></LI -><LI -><P ->pr:sh Same as pr:sh:cm= testing - :cm= testing</P -></LI -></OL -></P -><P ->Samba reads the printcap information when first started. If you make -changes in the printcap information, then you must do the following:</P -><P -></P -><OL -TYPE="1" -><LI -><P ->make sure that the print spooler is aware of these changes. -The LPRng system uses the 'lpc reread' command to do this.</P -></LI -><LI -><P ->make sure that the spool queues, etc., exist and have the -correct permissions. The LPRng system uses the 'checkpc -f' -command to do this.</P -></LI -><LI -><P ->You now should send a SIGHUP signal to the smbd server to have -it reread the printcap information.</P -></LI -></OL -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2292" ->14.4.5. Job sent, no output</A -></H3 -><P ->This is the most frustrating part of printing. You may have sent the -job, verified that the job was forwarded, set up a wrapper around -the command to send the file, but there was no output from the printer.</P -><P ->First, check to make sure that the job REALLY is getting to the -right print queue. If you are using a BSD or LPRng print spooler, -you can temporarily stop the printing of jobs. Jobs can still be -submitted, but they will not be printed. Use:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> lpc -Pprinter stop</PRE -></P -><P ->Now submit a print job and then use 'lpq -Pprinter' to see if the -job is in the print queue. If it is not in the print queue then -you will have to find out why it is not being accepted for printing.</P -><P ->Next, you may want to check to see what the format of the job really -was. With the assistance of the system administrator you can view -the submitted jobs files. You may be surprised to find that these -are not in what you would expect to call a printable format. -You can use the UNIX 'file' utitily to determine what the job -format actually is:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> cd /var/spool/lpd/printer # spool directory of print jobs - ls # find job files - file dfA001myhost</PRE -></P -><P ->You should make sure that your printer supports this format OR that -your system administrator has installed a 'print filter' that will -convert the file to a format appropriate for your printer.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2303" ->14.4.6. Job sent, strange output</A -></H3 -><P ->Once you have the job printing, you can then start worrying about -making it print nicely.</P -><P ->The most common problem is extra pages of output: banner pages -OR blank pages at the end.</P -><P ->If you are getting banner pages, check and make sure that the -printcap option or printer option is configured for no banners. -If you have a printcap, this is the :sh (suppress header or banner -page) option. You should have the following in your printer.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> printer: ... :sh</PRE -></P -><P ->If you have this option and are still getting banner pages, there -is a strong chance that your printer is generating them for you -automatically. You should make sure that banner printing is disabled -for the printer. This usually requires using the printer setup software -or procedures supplied by the printer manufacturer.</P -><P ->If you get an extra page of output, this could be due to problems -with your job format, or if you are generating PostScript jobs, -incorrect setting on your printer driver on the MicroSoft client. -For example, under Win95 there is a option:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> Printers|Printer Name|(Right Click)Properties|Postscript|Advanced|</PRE -></P -><P ->that allows you to choose if a Ctrl-D is appended to all jobs. -This is a very bad thing to do, as most spooling systems will -automatically add a ^D to the end of the job if it is detected as -PostScript. The multiple ^D may cause an additional page of output.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2315" ->14.4.7. Raw PostScript printed</A -></H3 -><P ->This is a problem that is usually caused by either the print spooling -system putting information at the start of the print job that makes -the printer think the job is a text file, or your printer simply -does not support PostScript. You may need to enable 'Automatic -Format Detection' on your printer.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2318" ->14.4.8. Advanced Printing</A -></H3 -><P ->Note that you can do some pretty magic things by using your -imagination with the "print command" option and some shell scripts. -Doing print accounting is easy by passing the %U option to a print -command shell script. You could even make the print command detect -the type of output and its size and send it to an appropriate -printer.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2321" ->14.4.9. Real debugging</A -></H3 -><P ->If the above debug tips don't help, then maybe you need to bring in -the bug guns, system tracing. See Tracing.txt in this directory.</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="WINBIND" -></A ->Chapter 15. Unified Logons between Windows NT and UNIX using Winbind</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN2362" ->15.1. Abstract</A -></H2 -><P ->Integration of UNIX and Microsoft Windows NT through - a unified logon has been considered a "holy grail" in heterogeneous - computing environments for a long time. We present - <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->winbind</I -></SPAN ->, a component of the Samba suite - of programs as a solution to the unified logon problem. Winbind - uses a UNIX implementation - of Microsoft RPC calls, Pluggable Authentication Modules, and the Name - Service Switch to allow Windows NT domain users to appear and operate - as UNIX users on a UNIX machine. This paper describes the winbind - system, explaining the functionality it provides, how it is configured, - and how it works internally.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2366" ->15.2. Introduction</A -></H2 -><P ->It is well known that UNIX and Microsoft Windows NT have - different models for representing user and group information and - use different technologies for implementing them. This fact has - made it difficult to integrate the two systems in a satisfactory - manner.</P -><P ->One common solution in use today has been to create - identically named user accounts on both the UNIX and Windows systems - and use the Samba suite of programs to provide file and print services - between the two. This solution is far from perfect however, as - adding and deleting users on both sets of machines becomes a chore - and two sets of passwords are required both of which - can lead to synchronization problems between the UNIX and Windows - systems and confusion for users.</P -><P ->We divide the unified logon problem for UNIX machines into - three smaller problems:</P -><P -></P -><UL -><LI -><P ->Obtaining Windows NT user and group information - </P -></LI -><LI -><P ->Authenticating Windows NT users - </P -></LI -><LI -><P ->Password changing for Windows NT users - </P -></LI -></UL -><P ->Ideally, a prospective solution to the unified logon problem - would satisfy all the above components without duplication of - information on the UNIX machines and without creating additional - tasks for the system administrator when maintaining users and - groups on either system. The winbind system provides a simple - and elegant solution to all three components of the unified logon - problem.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2379" ->15.3. What Winbind Provides</A -></H2 -><P ->Winbind unifies UNIX and Windows NT account management by - allowing a UNIX box to become a full member of a NT domain. Once - this is done the UNIX box will see NT users and groups as if - they were native UNIX users and groups, allowing the NT domain - to be used in much the same manner that NIS+ is used within - UNIX-only environments.</P -><P ->The end result is that whenever any - program on the UNIX machine asks the operating system to lookup - a user or group name, the query will be resolved by asking the - NT domain controller for the specified domain to do the lookup. - Because Winbind hooks into the operating system at a low level - (via the NSS name resolution modules in the C library) this - redirection to the NT domain controller is completely - transparent.</P -><P ->Users on the UNIX machine can then use NT user and group - names as they would use "native" UNIX names. They can chown files - so that they are owned by NT domain users or even login to the - UNIX machine and run a UNIX X-Window session as a domain user.</P -><P ->The only obvious indication that Winbind is being used is - that user and group names take the form DOMAIN\user and - DOMAIN\group. This is necessary as it allows Winbind to determine - that redirection to a domain controller is wanted for a particular - lookup and which trusted domain is being referenced.</P -><P ->Additionally, Winbind provides an authentication service - that hooks into the Pluggable Authentication Modules (PAM) system - to provide authentication via a NT domain to any PAM enabled - applications. This capability solves the problem of synchronizing - passwords between systems since all passwords are stored in a single - location (on the domain controller).</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2386" ->15.3.1. Target Uses</A -></H3 -><P ->Winbind is targeted at organizations that have an - existing NT based domain infrastructure into which they wish - to put UNIX workstations or servers. Winbind will allow these - organizations to deploy UNIX workstations without having to - maintain a separate account infrastructure. This greatly - simplifies the administrative overhead of deploying UNIX - workstations into a NT based organization.</P -><P ->Another interesting way in which we expect Winbind to - be used is as a central part of UNIX based appliances. Appliances - that provide file and print services to Microsoft based networks - will be able to use Winbind to provide seamless integration of - the appliance into the domain.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2390" ->15.4. How Winbind Works</A -></H2 -><P ->The winbind system is designed around a client/server - architecture. A long running <B -CLASS="COMMAND" ->winbindd</B -> daemon - listens on a UNIX domain socket waiting for requests - to arrive. These requests are generated by the NSS and PAM - clients and processed sequentially.</P -><P ->The technologies used to implement winbind are described - in detail below.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2395" ->15.4.1. Microsoft Remote Procedure Calls</A -></H3 -><P ->Over the last few years, efforts have been underway - by various Samba Team members to decode various aspects of - the Microsoft Remote Procedure Call (MSRPC) system. This - system is used for most network related operations between - Windows NT machines including remote management, user authentication - and print spooling. Although initially this work was done - to aid the implementation of Primary Domain Controller (PDC) - functionality in Samba, it has also yielded a body of code which - can be used for other purposes.</P -><P ->Winbind uses various MSRPC calls to enumerate domain users - and groups and to obtain detailed information about individual - users or groups. Other MSRPC calls can be used to authenticate - NT domain users and to change user passwords. By directly querying - a Windows PDC for user and group information, winbind maps the - NT account information onto UNIX user and group names.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2399" ->15.4.2. Microsoft Active Directory Services</A -></H3 -><P -> Since late 2001, Samba has gained the ability to - interact with Microsoft Windows 2000 using its 'Native - Mode' protocols, rather than the NT4 RPC services. - Using LDAP and Kerberos, a domain member running - winbind can enumerate users and groups in exactly the - same way as a Win2k client would, and in so doing - provide a much more efficient and - effective winbind implementation. - </P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2402" ->15.4.3. Name Service Switch</A -></H3 -><P ->The Name Service Switch, or NSS, is a feature that is - present in many UNIX operating systems. It allows system - information such as hostnames, mail aliases and user information - to be resolved from different sources. For example, a standalone - UNIX workstation may resolve system information from a series of - flat files stored on the local filesystem. A networked workstation - may first attempt to resolve system information from local files, - and then consult a NIS database for user information or a DNS server - for hostname information.</P -><P ->The NSS application programming interface allows winbind - to present itself as a source of system information when - resolving UNIX usernames and groups. Winbind uses this interface, - and information obtained from a Windows NT server using MSRPC - calls to provide a new source of account enumeration. Using standard - UNIX library calls, one can enumerate the users and groups on - a UNIX machine running winbind and see all users and groups in - a NT domain plus any trusted domain as though they were local - users and groups.</P -><P ->The primary control file for NSS is - <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT ->. - When a UNIX application makes a request to do a lookup - the C library looks in <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> - for a line which matches the service type being requested, for - example the "passwd" service type is used when user or group names - are looked up. This config line species which implementations - of that service should be tried and in what order. If the passwd - config line is:</P -><P -><B -CLASS="COMMAND" ->passwd: files example</B -></P -><P ->then the C library will first load a module called - <TT -CLASS="FILENAME" ->/lib/libnss_files.so</TT -> followed by - the module <TT -CLASS="FILENAME" ->/lib/libnss_example.so</TT ->. The - C library will dynamically load each of these modules in turn - and call resolver functions within the modules to try to resolve - the request. Once the request is resolved the C library returns the - result to the application.</P -><P ->This NSS interface provides a very easy way for Winbind - to hook into the operating system. All that needs to be done - is to put <TT -CLASS="FILENAME" ->libnss_winbind.so</TT -> in <TT -CLASS="FILENAME" ->/lib/</TT -> - then add "winbind" into <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> at - the appropriate place. The C library will then call Winbind to - resolve user and group names.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2418" ->15.4.4. Pluggable Authentication Modules</A -></H3 -><P ->Pluggable Authentication Modules, also known as PAM, - is a system for abstracting authentication and authorization - technologies. With a PAM module it is possible to specify different - authentication methods for different system applications without - having to recompile these applications. PAM is also useful - for implementing a particular policy for authorization. For example, - a system administrator may only allow console logins from users - stored in the local password file but only allow users resolved from - a NIS database to log in over the network.</P -><P ->Winbind uses the authentication management and password - management PAM interface to integrate Windows NT users into a - UNIX system. This allows Windows NT users to log in to a UNIX - machine and be authenticated against a suitable Primary Domain - Controller. These users can also change their passwords and have - this change take effect directly on the Primary Domain Controller. - </P -><P ->PAM is configured by providing control files in the directory - <TT -CLASS="FILENAME" ->/etc/pam.d/</TT -> for each of the services that - require authentication. When an authentication request is made - by an application the PAM code in the C library looks up this - control file to determine what modules to load to do the - authentication check and in what order. This interface makes adding - a new authentication service for Winbind very easy, all that needs - to be done is that the <TT -CLASS="FILENAME" ->pam_winbind.so</TT -> module - is copied to <TT -CLASS="FILENAME" ->/lib/security/</TT -> and the PAM - control files for relevant services are updated to allow - authentication via winbind. See the PAM documentation - for more details.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2426" ->15.4.5. User and Group ID Allocation</A -></H3 -><P ->When a user or group is created under Windows NT - is it allocated a numerical relative identifier (RID). This is - slightly different to UNIX which has a range of numbers that are - used to identify users, and the same range in which to identify - groups. It is winbind's job to convert RIDs to UNIX id numbers and - vice versa. When winbind is configured it is given part of the UNIX - user id space and a part of the UNIX group id space in which to - store Windows NT users and groups. If a Windows NT user is - resolved for the first time, it is allocated the next UNIX id from - the range. The same process applies for Windows NT groups. Over - time, winbind will have mapped all Windows NT users and groups - to UNIX user ids and group ids.</P -><P ->The results of this mapping are stored persistently in - an ID mapping database held in a tdb database). This ensures that - RIDs are mapped to UNIX IDs in a consistent way.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2430" ->15.4.6. Result Caching</A -></H3 -><P ->An active system can generate a lot of user and group - name lookups. To reduce the network cost of these lookups winbind - uses a caching scheme based on the SAM sequence number supplied - by NT domain controllers. User or group information returned - by a PDC is cached by winbind along with a sequence number also - returned by the PDC. This sequence number is incremented by - Windows NT whenever any user or group information is modified. If - a cached entry has expired, the sequence number is requested from - the PDC and compared against the sequence number of the cached entry. - If the sequence numbers do not match, then the cached information - is discarded and up to date information is requested directly - from the PDC.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2433" ->15.5. Installation and Configuration</A -></H2 -><P ->Many thanks to John Trostel <A -HREF="mailto:jtrostel@snapserver.com" -TARGET="_top" ->jtrostel@snapserver.com</A -> -for providing the HOWTO for this section.</P -><P ->This HOWTO describes how to get winbind services up and running -to control access and authenticate users on your Linux box using -the winbind services which come with SAMBA 2.2.2.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2438" ->15.5.1. Introduction</A -></H3 -><P ->This HOWTO describes the procedures used to get winbind up and -running on my RedHat 7.1 system. Winbind is capable of providing access -and authentication control for Windows Domain users through an NT -or Win2K PDC for 'regular' services, such as telnet a nd ftp, as -well for SAMBA services.</P -><P ->This HOWTO has been written from a 'RedHat-centric' perspective, so if -you are using another distribution, you may have to modify the instructions -somewhat to fit the way your distribution works.</P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Why should I to this?</I -></SPAN -> - </P -><P ->This allows the SAMBA administrator to rely on the - authentication mechanisms on the NT/Win2K PDC for the authentication - of domain members. NT/Win2K users no longer need to have separate - accounts on the SAMBA server. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Who should be reading this document?</I -></SPAN -> - </P -><P -> This HOWTO is designed for system administrators. If you are - implementing SAMBA on a file server and wish to (fairly easily) - integrate existing NT/Win2K users from your PDC onto the - SAMBA server, this HOWTO is for you. That said, I am no NT or PAM - expert, so you may find a better or easier way to accomplish - these tasks. - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2451" ->15.5.2. Requirements</A -></H3 -><P ->If you have a samba configuration file that you are currently -using... <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->BACK IT UP!</I -></SPAN -> If your system already uses PAM, -<SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->back up the <TT -CLASS="FILENAME" ->/etc/pam.d</TT -> directory -contents!</I -></SPAN -> If you haven't already made a boot disk, -<SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->MAKE ONE NOW!</I -></SPAN -></P -><P ->Messing with the pam configuration files can make it nearly impossible -to log in to yourmachine. That's why you want to be able to boot back -into your machine in single user mode and restore your -<TT -CLASS="FILENAME" ->/etc/pam.d</TT -> back to the original state they were in if -you get frustrated with the way things are going. ;-)</P -><P ->The latest version of SAMBA (version 3.0 as of this writing), now -includes a functioning winbindd daemon. Please refer to the -<A -HREF="http://samba.org/" -TARGET="_top" ->main SAMBA web page</A -> or, -better yet, your closest SAMBA mirror site for instructions on -downloading the source code.</P -><P ->To allow Domain users the ability to access SAMBA shares and -files, as well as potentially other services provided by your -SAMBA machine, PAM (pluggable authentication modules) must -be setup properly on your machine. In order to compile the -winbind modules, you should have at least the pam libraries resident -on your system. For recent RedHat systems (7.1, for instance), that -means <TT -CLASS="FILENAME" ->pam-0.74-22</TT ->. For best results, it is helpful to also -install the development packages in <TT -CLASS="FILENAME" ->pam-devel-0.74-22</TT ->.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2465" ->15.5.3. Testing Things Out</A -></H3 -><P ->Before starting, it is probably best to kill off all the SAMBA -related daemons running on your server. Kill off all <B -CLASS="COMMAND" ->smbd</B ->, -<B -CLASS="COMMAND" ->nmbd</B ->, and <B -CLASS="COMMAND" ->winbindd</B -> processes that may -be running. To use PAM, you will want to make sure that you have the -standard PAM package (for RedHat) which supplies the <TT -CLASS="FILENAME" ->/etc/pam.d</TT -> -directory structure, including the pam modules are used by pam-aware -services, several pam libraries, and the <TT -CLASS="FILENAME" ->/usr/doc</TT -> -and <TT -CLASS="FILENAME" ->/usr/man</TT -> entries for pam. Winbind built better -in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, -my RedHat system has both <TT -CLASS="FILENAME" ->pam-0.74-22</TT -> and -<TT -CLASS="FILENAME" ->pam-devel-0.74-22</TT -> RPMs installed.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2476" ->15.5.3.1. Configure and compile SAMBA</A -></H4 -><P ->The configuration and compilation of SAMBA is pretty straightforward. -The first three steps may not be necessary depending upon -whether or not you have previously built the Samba binaries.</P -><P -><PRE -CLASS="PROGRAMLISTING" -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->autoconf</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->make clean</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->rm config.cache</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->./configure</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->make</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->make install</B -></PRE -></P -><P ->This will, by default, install SAMBA in <TT -CLASS="FILENAME" ->/usr/local/samba</TT ->. -See the main SAMBA documentation if you want to install SAMBA somewhere else. -It will also build the winbindd executable and libraries. </P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2495" ->15.5.3.2. Configure <TT -CLASS="FILENAME" ->nsswitch.conf</TT -> and the -winbind libraries</A -></H4 -><P ->The libraries needed to run the <B -CLASS="COMMAND" ->winbindd</B -> daemon -through nsswitch need to be copied to their proper locations, so</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->cp ../samba/source/nsswitch/libnss_winbind.so /lib</B -></P -><P ->I also found it necessary to make the following symbolic link:</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B -></P -><P ->And, in the case of Sun solaris:</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</B -> -<SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</B -></P -><P ->Now, as root you need to edit <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> to -allow user and group entries to be visible from the <B -CLASS="COMMAND" ->winbindd</B -> -daemon. My <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> file look like -this after editing:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> passwd: files winbind - shadow: files - group: files winbind</PRE -></P -><P -> -The libraries needed by the winbind daemon will be automatically -entered into the <B -CLASS="COMMAND" ->ldconfig</B -> cache the next time -your system reboots, but it -is faster (and you don't need to reboot) if you do it manually:</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->/sbin/ldconfig -v | grep winbind</B -></P -><P ->This makes <TT -CLASS="FILENAME" ->libnss_winbind</TT -> available to winbindd -and echos back a check to you.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2528" ->15.5.3.3. Configure smb.conf</A -></H4 -><P ->Several parameters are needed in the smb.conf file to control -the behavior of <B -CLASS="COMMAND" ->winbindd</B ->. Configure -<TT -CLASS="FILENAME" ->smb.conf</TT -> These are described in more detail in -the <A -HREF="winbindd.8.html" -TARGET="_top" ->winbindd(8)</A -> man page. My -<TT -CLASS="FILENAME" ->smb.conf</TT -> file was modified to -include the following entries in the [global] section:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[global] - <...> - # separate domain and username with '+', like DOMAIN+username - <A -HREF="winbindd.8.html#WINBINDSEPARATOR" -TARGET="_top" ->winbind separator</A -> = + - # use uids from 10000 to 20000 for domain users - <A -HREF="winbindd.8.html#WINBINDUID" -TARGET="_top" ->winbind uid</A -> = 10000-20000 - # use gids from 10000 to 20000 for domain groups - <A -HREF="winbindd.8.html#WINBINDGID" -TARGET="_top" ->winbind gid</A -> = 10000-20000 - # allow enumeration of winbind users and groups - <A -HREF="winbindd.8.html#WINBINDENUMUSERS" -TARGET="_top" ->winbind enum users</A -> = yes - <A -HREF="winbindd.8.html#WINBINDENUMGROUP" -TARGET="_top" ->winbind enum groups</A -> = yes - # give winbind users a real shell (only needed if they have telnet access) - <A -HREF="winbindd.8.html#TEMPLATEHOMEDIR" -TARGET="_top" ->template homedir</A -> = /home/winnt/%D/%U - <A -HREF="winbindd.8.html#TEMPLATESHELL" -TARGET="_top" ->template shell</A -> = /bin/bash</PRE -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2544" ->15.5.3.4. Join the SAMBA server to the PDC domain</A -></H4 -><P ->Enter the following command to make the SAMBA server join the -PDC domain, where <VAR -CLASS="REPLACEABLE" ->DOMAIN</VAR -> is the name of -your Windows domain and <VAR -CLASS="REPLACEABLE" ->Administrator</VAR -> is -a domain user who has administrative privileges in the domain.</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->/usr/local/samba/bin/net join -S PDC -U Administrator</B -></P -><P ->The proper response to the command should be: "Joined the domain -<VAR -CLASS="REPLACEABLE" ->DOMAIN</VAR ->" where <VAR -CLASS="REPLACEABLE" ->DOMAIN</VAR -> -is your DOMAIN name.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2555" ->15.5.3.5. Start up the winbindd daemon and test it!</A -></H4 -><P ->Eventually, you will want to modify your smb startup script to -automatically invoke the winbindd daemon when the other parts of -SAMBA start, but it is possible to test out just the winbind -portion first. To start up winbind services, enter the following -command as root:</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->/usr/local/samba/bin/winbindd</B -></P -><P ->Winbindd can now also run in 'dual daemon mode'. This will make it -run as 2 processes. The first will answer all requests from the cache, -thus making responses to clients faster. The other will -update the cache for the query that the first has just responded. -Advantage of this is that responses stay accurate and are faster. -You can enable dual daemon mode by adding '-B' to the commandline:</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->/usr/local/samba/bin/winbindd -B</B -></P -><P ->I'm always paranoid and like to make sure the daemon -is really running...</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->ps -ae | grep winbindd</B -></P -><P ->This command should produce output like this, if the daemon is running</P -><P ->3025 ? 00:00:00 winbindd</P -><P ->Now... for the real test, try to get some information about the -users on your PDC</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->/usr/local/samba/bin/wbinfo -u</B -></P -><P -> -This should echo back a list of users on your Windows users on -your PDC. For example, I get the following response:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->CEO+Administrator -CEO+burdell -CEO+Guest -CEO+jt-ad -CEO+krbtgt -CEO+TsInternetUser</PRE -></P -><P ->Obviously, I have named my domain 'CEO' and my <VAR -CLASS="PARAMETER" ->winbind -separator</VAR -> is '+'.</P -><P ->You can do the same sort of thing to get group information from -the PDC:</P -><P -><PRE -CLASS="PROGRAMLISTING" -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->/usr/local/samba/bin/wbinfo -g</B -> -CEO+Domain Admins -CEO+Domain Users -CEO+Domain Guests -CEO+Domain Computers -CEO+Domain Controllers -CEO+Cert Publishers -CEO+Schema Admins -CEO+Enterprise Admins -CEO+Group Policy Creator Owners</PRE -></P -><P ->The function 'getent' can now be used to get unified -lists of both local and PDC users and groups. -Try the following command:</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->getent passwd</B -></P -><P ->You should get a list that looks like your <TT -CLASS="FILENAME" ->/etc/passwd</TT -> -list followed by the domain users with their new uids, gids, home -directories and default shells.</P -><P ->The same thing can be done for groups with the command</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->getent group</B -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2595" ->15.5.3.6. Fix the init.d startup scripts</A -></H4 -><DIV -CLASS="SECT4" -><H5 -CLASS="SECT4" -><A -NAME="AEN2597" ->15.5.3.6.1. Linux</A -></H5 -><P ->The <B -CLASS="COMMAND" ->winbindd</B -> daemon needs to start up after the -<B -CLASS="COMMAND" ->smbd</B -> and <B -CLASS="COMMAND" ->nmbd</B -> daemons are running. -To accomplish this task, you need to modify the startup scripts of your system. They are located at <TT -CLASS="FILENAME" ->/etc/init.d/smb</TT -> in RedHat and -<TT -CLASS="FILENAME" ->/etc/init.d/samba</TT -> in Debian. -script to add commands to invoke this daemon in the proper sequence. My -startup script starts up <B -CLASS="COMMAND" ->smbd</B ->, -<B -CLASS="COMMAND" ->nmbd</B ->, and <B -CLASS="COMMAND" ->winbindd</B -> from the -<TT -CLASS="FILENAME" ->/usr/local/samba/bin</TT -> directory directly. The 'start' -function in the script looks like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->start() { - KIND="SMB" - echo -n $"Starting $KIND services: " - daemon /usr/local/samba/bin/smbd $SMBDOPTIONS - RETVAL=$? - echo - KIND="NMB" - echo -n $"Starting $KIND services: " - daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS - RETVAL2=$? - echo - KIND="Winbind" - echo -n $"Starting $KIND services: " - daemon /usr/local/samba/bin/winbindd - RETVAL3=$? - echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ - RETVAL=1 - return $RETVAL -}</PRE -></P -><P ->If you would like to run winbindd in dual daemon mode, replace -the line -<PRE -CLASS="PROGRAMLISTING" -> daemon /usr/local/samba/bin/winbindd</PRE -> - -in the example above with: - -<PRE -CLASS="PROGRAMLISTING" -> daemon /usr/local/samba/bin/winbindd -B</PRE ->.</P -><P ->The 'stop' function has a corresponding entry to shut down the -services and looks like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->stop() { - KIND="SMB" - echo -n $"Shutting down $KIND services: " - killproc smbd - RETVAL=$? - echo - KIND="NMB" - echo -n $"Shutting down $KIND services: " - killproc nmbd - RETVAL2=$? - echo - KIND="Winbind" - echo -n $"Shutting down $KIND services: " - killproc winbindd - RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb - echo "" - return $RETVAL -}</PRE -></P -></DIV -><DIV -CLASS="SECT4" -><HR><H5 -CLASS="SECT4" -><A -NAME="AEN2617" ->15.5.3.6.2. Solaris</A -></H5 -><P ->On solaris, you need to modify the -<TT -CLASS="FILENAME" ->/etc/init.d/samba.server</TT -> startup script. It usually -only starts smbd and nmbd but should now start winbindd too. If you -have samba installed in <TT -CLASS="FILENAME" ->/usr/local/samba/bin</TT ->, -the file could contains something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->## -## samba.server -## - -if [ ! -d /usr/bin ] -then # /usr not mounted - exit -fi - -killproc() { # kill the named process(es) - pid=`/usr/bin/ps -e | - /usr/bin/grep -w $1 | - /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid -} - -# Start/stop processes required for samba server - -case "$1" in - -'start') -# -# Edit these lines to suit your installation (paths, workgroup, host) -# -echo Starting SMBD - /usr/local/samba/bin/smbd -D -s \ - /usr/local/samba/smb.conf - -echo Starting NMBD - /usr/local/samba/bin/nmbd -D -l \ - /usr/local/samba/var/log -s /usr/local/samba/smb.conf - -echo Starting Winbind Daemon - /usr/local/samba/bin/winbindd - ;; - -'stop') - killproc nmbd - killproc smbd - killproc winbindd - ;; - -*) - echo "Usage: /etc/init.d/samba.server { start | stop }" - ;; -esac</PRE -></P -><P ->Again, if you would like to run samba in dual daemon mode, replace -<PRE -CLASS="PROGRAMLISTING" -> /usr/local/samba/bin/winbindd</PRE -> - -in the script above with: - -<PRE -CLASS="PROGRAMLISTING" -> /usr/local/samba/bin/winbindd -B</PRE -></P -></DIV -><DIV -CLASS="SECT4" -><HR><H5 -CLASS="SECT4" -><A -NAME="AEN2627" ->15.5.3.6.3. Restarting</A -></H5 -><P ->If you restart the <B -CLASS="COMMAND" ->smbd</B ->, <B -CLASS="COMMAND" ->nmbd</B ->, -and <B -CLASS="COMMAND" ->winbindd</B -> daemons at this point, you -should be able to connect to the samba server as a domain member just as -if you were a local user.</P -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2633" ->15.5.3.7. Configure Winbind and PAM</A -></H4 -><P ->If you have made it this far, you know that winbindd and samba are working -together. If you want to use winbind to provide authentication for other -services, keep reading. The pam configuration files need to be altered in -this step. (Did you remember to make backups of your original -<TT -CLASS="FILENAME" ->/etc/pam.d</TT -> files? If not, do it now.)</P -><P ->You will need a pam module to use winbindd with these other services. This -module will be compiled in the <TT -CLASS="FILENAME" ->../source/nsswitch</TT -> directory -by invoking the command</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->make nsswitch/pam_winbind.so</B -></P -><P ->from the <TT -CLASS="FILENAME" ->../source</TT -> directory. The -<TT -CLASS="FILENAME" ->pam_winbind.so</TT -> file should be copied to the location of -your other pam security modules. On my RedHat system, this was the -<TT -CLASS="FILENAME" ->/lib/security</TT -> directory. On Solaris, the pam security -modules reside in <TT -CLASS="FILENAME" ->/usr/lib/security</TT ->.</P -><P -><SAMP -CLASS="PROMPT" ->root#</SAMP -> <B -CLASS="COMMAND" ->cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B -></P -><DIV -CLASS="SECT4" -><HR><H5 -CLASS="SECT4" -><A -NAME="AEN2650" ->15.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A -></H5 -><P ->The <TT -CLASS="FILENAME" ->/etc/pam.d/samba</TT -> file does not need to be changed. I -just left this fileas it was:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth</PRE -></P -><P ->The other services that I modified to allow the use of winbind -as an authentication service were the normal login on the console (or a terminal -session), telnet logins, and ftp service. In order to enable these -services, you may first need to change the entries in -<TT -CLASS="FILENAME" ->/etc/xinetd.d</TT -> (or <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT ->). -RedHat 7.1 uses the new xinetd.d structure, in this case you need -to change the lines in <TT -CLASS="FILENAME" ->/etc/xinetd.d/telnet</TT -> -and <TT -CLASS="FILENAME" ->/etc/xinetd.d/wu-ftp</TT -> from </P -><P -><PRE -CLASS="PROGRAMLISTING" ->enable = no</PRE -></P -><P ->to</P -><P -><PRE -CLASS="PROGRAMLISTING" ->enable = yes</PRE -></P -><P -> -For ftp services to work properly, you will also need to either -have individual directories for the domain users already present on -the server, or change the home directory template to a general -directory for all domain users. These can be easily set using -the <TT -CLASS="FILENAME" ->smb.conf</TT -> global entry -<B -CLASS="COMMAND" ->template homedir</B ->.</P -><P ->The <TT -CLASS="FILENAME" ->/etc/pam.d/ftp</TT -> file can be changed -to allow winbind ftp access in a manner similar to the -samba file. My <TT -CLASS="FILENAME" ->/etc/pam.d/ftp</TT -> file was -changed to look like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_shells.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth</PRE -></P -><P ->The <TT -CLASS="FILENAME" ->/etc/pam.d/login</TT -> file can be changed nearly the -same way. It now looks like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->auth required /lib/security/pam_securetty.so -auth sufficient /lib/security/pam_winbind.so -auth sufficient /lib/security/pam_unix.so use_first_pass -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_nologin.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -password required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth -session optional /lib/security/pam_console.so</PRE -></P -><P ->In this case, I added the <B -CLASS="COMMAND" ->auth sufficient /lib/security/pam_winbind.so</B -> -lines as before, but also added the <B -CLASS="COMMAND" ->required pam_securetty.so</B -> -above it, to disallow root logins over the network. I also added a -<B -CLASS="COMMAND" ->sufficient /lib/security/pam_unix.so use_first_pass</B -> -line after the <B -CLASS="COMMAND" ->winbind.so</B -> line to get rid of annoying -double prompts for passwords.</P -></DIV -><DIV -CLASS="SECT4" -><HR><H5 -CLASS="SECT4" -><A -NAME="AEN2683" ->15.5.3.7.2. Solaris-specific configuration</A -></H5 -><P ->The /etc/pam.conf needs to be changed. I changed this file so that my Domain -users can logon both locally as well as telnet.The following are the changes -that I made.You can customize the pam.conf file as per your requirements,but -be sure of those changes because in the worst case it will leave your system -nearly impossible to boot.</P -><P -><PRE -CLASS="PROGRAMLISTING" -># -#ident "@(#)pam.conf 1.14 99/09/16 SMI" -# -# Copyright (c) 1996-1999, Sun Microsystems, Inc. -# All Rights Reserved. -# -# PAM configuration -# -# Authentication management -# -login auth required /usr/lib/security/pam_winbind.so -login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass -# -rlogin auth sufficient /usr/lib/security/pam_winbind.so -rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -dtlogin auth sufficient /usr/lib/security/pam_winbind.so -dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -other auth sufficient /usr/lib/security/pam_winbind.so -other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -# Account management -# -login account sufficient /usr/lib/security/pam_winbind.so -login account requisite /usr/lib/security/$ISA/pam_roles.so.1 -login account required /usr/lib/security/$ISA/pam_unix.so.1 -# -dtlogin account sufficient /usr/lib/security/pam_winbind.so -dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 -dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 -# -other account sufficient /usr/lib/security/pam_winbind.so -other account requisite /usr/lib/security/$ISA/pam_roles.so.1 -other account required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Session management -# -other session required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Password management -# -#other password sufficient /usr/lib/security/pam_winbind.so -other password required /usr/lib/security/$ISA/pam_unix.so.1 -dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Support for Kerberos V5 authentication (uncomment to use Kerberos) -# -#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass</PRE -></P -><P ->I also added a try_first_pass line after the winbind.so line to get rid of -annoying double prompts for passwords.</P -><P ->Now restart your Samba and try connecting through your application that you -configured in the pam.conf.</P -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2690" ->15.6. Limitations</A -></H2 -><P ->Winbind has a number of limitations in its current - released version that we hope to overcome in future - releases:</P -><P -></P -><UL -><LI -><P ->Winbind is currently only available for - the Linux, Solaris and IRIX operating systems, although ports to other operating - systems are certainly possible. For such ports to be feasible, - we require the C library of the target operating system to - support the Name Service Switch and Pluggable Authentication - Modules systems. This is becoming more common as NSS and - PAM gain support among UNIX vendors.</P -></LI -><LI -><P ->The mappings of Windows NT RIDs to UNIX ids - is not made algorithmically and depends on the order in which - unmapped users or groups are seen by winbind. It may be difficult - to recover the mappings of rid to UNIX id mapping if the file - containing this information is corrupted or destroyed.</P -></LI -><LI -><P ->Currently the winbind PAM module does not take - into account possible workstation and logon time restrictions - that may be been set for Windows NT users, this is - instead up to the PDC to enforce.</P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2700" ->15.7. Conclusion</A -></H2 -><P ->The winbind system, through the use of the Name Service - Switch, Pluggable Authentication Modules, and appropriate - Microsoft RPC calls have allowed us to provide seamless - integration of Microsoft Windows NT domain users on a - UNIX system. The result is a great reduction in the administrative - cost of running a mixed UNIX and NT network.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="IMPROVED-BROWSING" -></A ->Chapter 16. Improved browsing in samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN2710" ->16.1. Overview of browsing</A -></H2 -><P ->SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called "browse list". This list -contains machines that are ready to offer file and/or print services -to other machines within the network. Thus it does not include -machines which aren't currently able to do server tasks. The browse -list is heavily used by all SMB clients. Configuration of SMB -browsing has been problematic for some Samba users, hence this -document.</P -><P ->MS Windows 2000 and later, as with Samba-3 and later, can be -configured to not use NetBIOS over TCP/IP. When configured this way -it is imperative that name resolution (using DNS/LDAP/ADS) be correctly -configured and operative. Browsing will NOT work if name resolution -from SMB machine names to IP addresses does not function correctly.</P -><P ->Where NetBIOS over TCP/IP is enabled use of a WINS server is highly -recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. -WINS allows remote segment clients to obtain NetBIOS name_type information -that can NOT be provided by any other means of name resolution.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2715" ->16.2. Browsing support in samba</A -></H2 -><P ->Samba facilitates browsing. The browsing is supported by nmbd -and is also controlled by options in the smb.conf file (see smb.conf(5)). -Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available.</P -><P ->Samba can also act as a domain master browser for a workgroup. This -means that it will collate lists from local browse masters into a -wide area network server list. In order for browse clients to -resolve the names they may find in this list, it is recommended that -both samba and your clients use a WINS server.</P -><P ->Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain: on each wide area -network, you must only ever have one domain master browser per workgroup, -regardless of whether it is NT, Samba or any other type of domain master -that is providing this service.</P -><P ->[Note that nmbd can be configured as a WINS server, but it is not -necessary to specifically use samba as your WINS server. MS Windows -NT4, Server or Advanced Server 2000 or 2003 can be configured as -your WINS server. In a mixed NT/2000/2003 server and samba environment on -a Wide Area Network, it is recommended that you use the Microsoft -WINS server capabilities. In a samba-only environment, it is -recommended that you use one and only one Samba server as your WINS server.</P -><P ->To get browsing to work you need to run nmbd as usual, but will need -to use the "workgroup" option in smb.conf to control what workgroup -Samba becomes a part of.</P -><P ->Samba also has a useful option for a Samba server to offer itself for -browsing on another subnet. It is recommended that this option is only -used for 'unusual' purposes: announcements over the internet, for -example. See "remote announce" in the smb.conf man page. </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2723" ->16.3. Problem resolution</A -></H2 -><P ->If something doesn't work then hopefully the log.nmb file will help -you track down the problem. Try a debug level of 2 or 3 for finding -problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat.</P -><P ->Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then hit enter and -filemanager should display the list of available shares.</P -><P ->Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ -connection that lists the shares is done as guest, and thus you must -have a valid guest account.</P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->MS Windows 2000 and upwards (as with Samba) can be configured to disallow -anonymous (ie: Guest account) access to the IPC$ share. In that case, the -MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the -name of the currently logged in user to query the IPC$ share. MS Windows -9X clients are not able to do this and thus will NOT be able to browse -server resources.</I -></SPAN -></P -><P ->Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to -not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd -are now far more likely to correctly find your broadcast and network -address, so in most cases these aren't needed.</P -><P ->The other big problem people have is that their broadcast address, -netmask or IP address is wrong (specified with the "interfaces" option -in smb.conf)</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2732" ->16.4. Browsing across subnets</A -></H2 -><P ->Since the release of Samba 1.9.17(alpha1) Samba has been -updated to enable it to support the replication of browse lists -across subnet boundaries. New code and options have been added to -achieve this. This section describes how to set this feature up -in different settings.</P -><P ->To see browse lists that span TCP/IP subnets (ie. networks separated -by routers that don't pass broadcast traffic) you must set up at least -one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing -NetBIOS name to IP address translation to be done by doing a direct -query of the WINS server. This is done via a directed UDP packet on -port 137 to the WINS server machine. The reason for a WINS server is -that by default, all NetBIOS name to IP address translation is done -by broadcasts from the querying machine. This means that machines -on one subnet will not be able to resolve the names of machines on -another subnet without using a WINS server.</P -><P ->Remember, for browsing across subnets to work correctly, all machines, -be they Windows 95, Windows NT, or Samba servers must have the IP address -of a WINS server given to them by a DHCP server, or by manual configuration -(for Win95 and WinNT, this is in the TCP/IP Properties, under Network -settings) for Samba this is in the smb.conf file.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2737" ->16.4.1. How does cross subnet browsing work ?</A -></H3 -><P ->Cross subnet browsing is a complicated dance, containing multiple -moving parts. It has taken Microsoft several years to get the code -that achieves this correct, and Samba lags behind in some areas. -Samba is capable of cross subnet browsing when configured correctly.</P -><P ->Consider a network set up as follows :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> (DMB) - N1_A N1_B N1_C N1_D N1_E - | | | | | - ------------------------------------------------------- - | subnet 1 | - +---+ +---+ - |R1 | Router 1 Router 2 |R2 | - +---+ +---+ - | | - | subnet 2 subnet 3 | - -------------------------- ------------------------------------ - | | | | | | | | - N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D - (WINS)</PRE -></P -><P ->Consisting of 3 subnets (1, 2, 3) connected by two routers -(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines -on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume -for the moment that all these machines are configured to be in the -same workgroup (for simplicities sake). Machine N1_C on subnet 1 -is configured as Domain Master Browser (ie. it will collate the -browse lists for the workgroup). Machine N2_D is configured as -WINS server and all the other machines are configured to register -their NetBIOS names with it.</P -><P ->As all these machines are booted up, elections for master browsers -will take place on each of the three subnets. Assume that machine -N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on -subnet 3 - these machines are known as local master browsers for -their particular subnet. N1_C has an advantage in winning as the -local master browser on subnet 1 as it is set up as Domain Master -Browser.</P -><P ->On each of the three networks, machines that are configured to -offer sharing services will broadcast that they are offering -these services. The local master browser on each subnet will -receive these broadcasts and keep a record of the fact that -the machine is offering a service. This list of records is -the basis of the browse list. For this case, assume that -all the machines are configured to offer services so all machines -will be on the browse list.</P -><P ->For each network, the local master browser on that network is -considered 'authoritative' for all the names it receives via -local broadcast. This is because a machine seen by the local -master browser via a local broadcast must be on the same -network as the local master browser and thus is a 'trusted' -and 'verifiable' resource. Machines on other networks that -the local master browsers learn about when collating their -browse lists have not been directly seen - these records are -called 'non-authoritative'.</P -><P ->At this point the browse lists look as follows (these are -the machines you would see in your network neighborhood if -you looked in it on a particular network right now).</P -><P -><PRE -CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D</PRE -></P -><P ->Note that at this point all the subnets are separate, no -machine is seen across any of the subnets.</P -><P ->Now examine subnet 2. As soon as N2_B has become the local -master browser it looks for a Domain master browser to synchronize -its browse list with. It does this by querying the WINS server -(N2_D) for the IP address associated with the NetBIOS name -WORKGROUP>1B<. This name was registerd by the Domain master -browser (N1_C) with the WINS server as soon as it was booted.</P -><P ->Once N2_B knows the address of the Domain master browser it -tells it that is the local master browser for subnet 2 by -sending a MasterAnnouncement packet as a UDP port 138 packet. -It then synchronizes with it by doing a NetServerEnum2 call. This -tells the Domain Master Browser to send it all the server -names it knows about. Once the domain master browser receives -the MasterAnnouncement packet it schedules a synchronization -request to the sender of that packet. After both synchronizations -are done the browse lists look like :</P -><P -><PRE -CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - -Servers with a (*) after them are non-authoritative names.</PRE -></P -><P ->At this point users looking in their network neighborhood on -subnets 1 or 2 will see all the servers on both, users on -subnet 3 will still only see the servers on their own subnet.</P -><P ->The same sequence of events that occured for N2_B now occurs -for the local master browser on subnet 3 (N3_D). When it -synchronizes browse lists with the domain master browser (N1_A) -it gets both the server entries on subnet 1, and those on -subnet 2. After N3_D has synchronized with N1_C and vica-versa -the browse lists look like.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names.</PRE -></P -><P ->At this point users looking in their network neighborhood on -subnets 1 or 3 will see all the servers on all sunbets, users on -subnet 2 will still only see the servers on subnets 1 and 2, but not 3.</P -><P ->Finally, the local master browser for subnet 2 (N2_B) will sync again -with the domain master browser (N1_C) and will recieve the missing -server entries. Finally - and as a steady state (if no machines -are removed or shut off) the browse lists will look like :</P -><P -><PRE -CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names.</PRE -></P -><P ->Synchronizations between the domain master browser and local -master browsers will continue to occur, but this should be a -steady state situation.</P -><P ->If either router R1 or R2 fails the following will occur:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Names of computers on each side of the inaccessible network fragments - will be maintained for as long as 36 minutes, in the network neighbourhood - lists. - </P -></LI -><LI -><P -> Attempts to connect to these inaccessible computers will fail, but the - names will not be removed from the network neighbourhood lists. - </P -></LI -><LI -><P -> If one of the fragments is cut off from the WINS server, it will only - be able to access servers on its local subnet, by using subnet-isolated - broadcast NetBIOS name resolution. The effects are similar to that of - losing access to a DNS server. - </P -></LI -></OL -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2772" ->16.5. Setting up a WINS server</A -></H2 -><P ->Either a Samba machine or a Windows NT Server machine may be set up -as a WINS server. To set a Samba machine to be a WINS server you must -add the following option to the smb.conf file on the selected machine : -in the [globals] section add the line </P -><P -><B -CLASS="COMMAND" -> wins support = yes</B -></P -><P ->Versions of Samba prior to 1.9.17 had this parameter default to -yes. If you have any older versions of Samba on your network it is -strongly suggested you upgrade to a recent version, or at the very -least set the parameter to 'no' on all these machines.</P -><P ->Machines with "<B -CLASS="COMMAND" ->wins support = yes</B ->" will keep a list of -all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P -><P ->You should set up only ONE wins server. Do NOT set the -"<B -CLASS="COMMAND" ->wins support = yes</B ->" option on more than one Samba -server.</P -><P ->To set up a Windows NT Server as a WINS server you need to set up -the WINS service - see your NT documentation for details. Note that -Windows NT WINS Servers can replicate to each other, allowing more -than one to be set up in a complex subnet environment. As Microsoft -refuse to document these replication protocols Samba cannot currently -participate in these replications. It is possible in the future that -a Samba->Samba WINS replication protocol may be defined, in which -case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the "wins support = yes" -parameter set.</P -><P ->After the WINS server has been configured you must ensure that all -machines participating on the network are configured with the address -of this WINS server. If your WINS server is a Samba machine, fill in -the Samba machine IP address in the "Primary WINS Server" field of -the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs -in Windows 95 or Windows NT. To tell a Samba server the IP address -of the WINS server add the following line to the [global] section of -all smb.conf files :</P -><P -><B -CLASS="COMMAND" ->wins server = >name or IP address<</B -></P -><P ->where >name or IP address< is either the DNS name of the WINS server -machine or its IP address.</P -><P ->Note that this line MUST NOT BE SET in the smb.conf file of the Samba -server acting as the WINS server itself. If you set both the -"<B -CLASS="COMMAND" ->wins support = yes</B ->" option and the -"<B -CLASS="COMMAND" ->wins server = <name></B ->" option then -nmbd will fail to start.</P -><P ->There are two possible scenarios for setting up cross subnet browsing. -The first details setting up cross subnet browsing on a network containing -Windows 95, Samba and Windows NT machines that are not configured as -part of a Windows NT Domain. The second details setting up cross subnet -browsing on networks that contain NT Domains.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2791" ->16.6. Setting up Browsing in a WORKGROUP</A -></H2 -><P ->To set up cross subnet browsing on a network containing machines -in up to be in a WORKGROUP, not an NT Domain you need to set up one -Samba server to be the Domain Master Browser (note that this is *NOT* -the same as a Primary Domain Controller, although in an NT Domain the -same machine plays both roles). The role of a Domain master browser is -to collate the browse lists from local master browsers on all the -subnets that have a machine participating in the workgroup. Without -one machine configured as a domain master browser each subnet would -be an isolated workgroup, unable to see any machines on any other -subnet. It is the presense of a domain master browser that makes -cross subnet browsing possible for a workgroup.</P -><P ->In an WORKGROUP environment the domain master browser must be a -Samba server, and there must only be one domain master browser per -workgroup name. To set up a Samba server as a domain master browser, -set the following option in the [global] section of the smb.conf file :</P -><P -><B -CLASS="COMMAND" ->domain master = yes</B -></P -><P ->The domain master browser should also preferrably be the local master -browser for its own subnet. In order to achieve this set the following -options in the [global] section of the smb.conf file :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> domain master = yes - local master = yes - preferred master = yes - os level = 65</PRE -></P -><P ->The domain master browser may be the same machine as the WINS -server, if you require.</P -><P ->Next, you should ensure that each of the subnets contains a -machine that can act as a local master browser for the -workgroup. Any MS Windows NT/2K/XP/2003 machine should be -able to do this, as will Windows 9x machines (although these -tend to get rebooted more often, so it's not such a good idea -to use these). To make a Samba server a local master browser -set the following options in the [global] section of the -smb.conf file :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> domain master = no - local master = yes - preferred master = yes - os level = 65</PRE -></P -><P ->Do not do this for more than one Samba server on each subnet, -or they will war with each other over which is to be the local -master browser.</P -><P ->The "local master" parameter allows Samba to act as a local master -browser. The "preferred master" causes nmbd to force a browser -election on startup and the "os level" parameter sets Samba high -enough so that it should win any browser elections.</P -><P ->If you have an NT machine on the subnet that you wish to -be the local master browser then you can disable Samba from -becoming a local master browser by setting the following -options in the [global] section of the smb.conf file :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> domain master = no - local master = no - preferred master = no - os level = 0</PRE -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2809" ->16.7. Setting up Browsing in a DOMAIN</A -></H2 -><P ->If you are adding Samba servers to a Windows NT Domain then -you must not set up a Samba server as a domain master browser. -By default, a Windows NT Primary Domain Controller for a Domain -name is also the Domain master browser for that name, and many -things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC.</P -><P ->For subnets other than the one containing the Windows NT PDC -you may set up Samba servers as local master browsers as -described. To make a Samba server a local master browser set -the following options in the [global] section of the smb.conf -file :</P -><P -><PRE -CLASS="PROGRAMLISTING" -> domain master = no - local master = yes - preferred master = yes - os level = 65</PRE -></P -><P ->If you wish to have a Samba server fight the election with machines -on the same subnet you may set the "os level" parameter to lower -levels. By doing this you can tune the order of machines that -will become local master browsers if they are running. For -more details on this see the section "FORCING SAMBA TO BE THE MASTER" -below.</P -><P ->If you have Windows NT machines that are members of the domain -on all subnets, and you are sure they will always be running then -you can disable Samba from taking part in browser elections and -ever becoming a local master browser by setting following options -in the [global] section of the smb.conf file :</P -><P -><B -CLASS="COMMAND" -> domain master = no - local master = no - preferred master = no - os level = 0</B -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2819" ->16.8. Forcing samba to be the master</A -></H2 -><P ->Who becomes the "master browser" is determined by an election process -using broadcasts. Each election packet contains a number of parameters -which determine what precedence (bias) a host should have in the -election. By default Samba uses a very low precedence and thus loses -elections to just about anyone else.</P -><P ->If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 34 -would make it win all elections over every other system (except other -samba systems!)</P -><P ->A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows -NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.</P -><P ->The maximum os level is 255</P -><P ->If you want samba to force an election on startup, then set the -"preferred master" global option in smb.conf to "yes". Samba will -then have a slight advantage over other potential master browsers -that are not preferred master browsers. Use this parameter with -care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with "preferred master" to -"yes", then periodically and continually they will force an election -in order to become the local master browser.</P -><P ->If you want samba to be a "domain master browser", then it is -recommended that you also set "preferred master" to "yes", because -samba will not become a domain master browser for the whole of your -LAN or WAN if it is not also a local master browser on its own -broadcast isolated subnet.</P -><P ->It is possible to configure two samba servers to attempt to become -the domain master browser for a domain. The first server that comes -up will be the domain master browser. All other samba servers will -attempt to become the domain master browser every 5 minutes. They -will find that another samba server is already the domain master -browser and will fail. This provides automatic redundancy, should -the current domain master browser fail.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2828" ->16.9. Making samba the domain master</A -></H2 -><P ->The domain master is responsible for collating the browse lists of -multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting "domain master = yes" -in smb.conf. By default it will not be a domain master.</P -><P ->Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain.</P -><P ->When samba is the domain master and the master browser it will listen -for master announcements (made roughly every twelve minutes) from local -master browsers on other subnets and then contact them to synchronise -browse lists.</P -><P ->If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections, and set -"preferred master" to "yes", to get samba to force an election on -startup.</P -><P ->Note that all your servers (including samba) and clients should be -using a WINS server to resolve NetBIOS names. If your clients are only -using broadcasting to resolve NetBIOS names, then two things will occur:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> your local master browsers will be unable to find a domain master - browser, as it will only be looking on the local subnet. - </P -></LI -><LI -><P -> if a client happens to get hold of a domain-wide browse list, and - a user attempts to access a host in that list, it will be unable to - resolve the NetBIOS name of that host. - </P -></LI -></OL -><P ->If, however, both samba and your clients are using a WINS server, then:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> your local master browsers will contact the WINS server and, as long as - samba has registered that it is a domain master browser with the WINS - server, your local master browser will receive samba's ip address - as its domain master browser. - </P -></LI -><LI -><P -> when a client receives a domain-wide browse list, and a user attempts - to access a host in that list, it will contact the WINS server to - resolve the NetBIOS name of that host. as long as that host has - registered its NetBIOS name with the same WINS server, the user will - be able to see that host. - </P -></LI -></OL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2846" ->16.10. Note about broadcast addresses</A -></H2 -><P ->If your network uses a "0" based broadcast address (for example if it -ends in a 0) then you will strike problems. Windows for Workgroups -does not seem to support a 0's broadcast and you will probably find -that browsing and name lookups won't work.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2849" ->16.11. Multiple interfaces</A -></H2 -><P ->Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the "interfaces" -option in smb.conf to configure them. See smb.conf(5) for details.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="VFS" -></A ->Chapter 17. Stackable VFS modules</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN2867" ->17.1. Introduction and configuration</A -></H2 -><P ->Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. -Samba passes each request to access the unix file system thru the loaded VFS modules. -This chapter covers all the modules that come with the samba source and references to -some external modules.</P -><P ->You may have problems to compile these modules, as shared libraries are -compiled and linked in different ways on different systems. -They currently have been tested against GNU/linux and IRIX.</P -><P ->To use the VFS modules, create a share similar to the one below. The -important parameter is the <B -CLASS="COMMAND" ->vfs object</B -> parameter which must point to -the exact pathname of the shared library objects. For example, to log all access -to files and use a recycle bin: - -<PRE -CLASS="PROGRAMLISTING" -> [audit] - comment = Audited /data directory - path = /data - vfs object = /path/to/audit.so /path/to/recycle.so - writeable = yes - browseable = yes</PRE -></P -><P ->The modules are used in the order they are specified.</P -><P ->Further documentation on writing VFS modules for Samba can be found in -the Samba Developers Guide.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2876" ->17.2. Included modules</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN2878" ->17.2.1. audit</A -></H3 -><P ->A simple module to audit file access to the syslog -facility. The following operations are logged: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->share</TD -></TR -><TR -><TD ->connect/disconnect</TD -></TR -><TR -><TD ->directory opens/create/remove</TD -></TR -><TR -><TD ->file open/close/rename/unlink/chmod</TD -></TR -></TBODY -></TABLE -><P -></P -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2886" ->17.2.2. recycle</A -></H3 -><P ->A recycle-bin like modules. When used any unlink call -will be intercepted and files moved to the recycle -directory instead of beeing deleted.</P -><P ->Supported options: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->vfs_recycle_bin:repository</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:keeptree</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:versions</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:touch</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:maxsize</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:exclude</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:exclude_dir</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:noversions</DT -><DD -><P ->FIXME</P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2923" ->17.2.3. netatalk</A -></H3 -><P ->A netatalk module, that will ease co-existence of samba and -netatalk file sharing services.</P -><P ->Advantages compared to the old netatalk module: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD -></TR -><TR -><TD ->if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD -></TR -></TBODY -></TABLE -><P -></P -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2930" ->17.3. VFS modules available elsewhere</A -></H2 -><P ->This section contains a listing of various other VFS modules that -have been posted but don't currently reside in the Samba CVS -tree for one reason ot another (e.g. it is easy for the maintainer -to have his or her own CVS tree).</P -><P ->No statemets about the stability or functionality any module -should be implied due to its presence here.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2934" ->17.3.1. DatabaseFS</A -></H3 -><P ->URL: <A -HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" -TARGET="_top" ->http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A -></P -><P ->By <A -HREF="mailto:elorimer@css.tayloru.edu" -TARGET="_top" ->Eric Lorimer</A ->.</P -><P ->I have created a VFS module which implements a fairly complete read-only -filesystem. It presents information from a database as a filesystem in -a modular and generic way to allow different databases to be used -(originally designed for organizing MP3s under directories such as -"Artists," "Song Keywords," etc... I have since applied it to a student -roster database very easily). The directory structure is stored in the -database itself and the module makes no assumptions about the database -structure beyond the table it requires to run.</P -><P ->Any feedback would be appreciated: comments, suggestions, patches, -etc... If nothing else, hopefully it might prove useful for someone -else who wishes to create a virtual filesystem.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2942" ->17.3.2. vscan</A -></H3 -><P ->URL: <A -HREF="http://www.openantivirus.org/" -TARGET="_top" ->http://www.openantivirus.org/</A -></P -><P ->samba-vscan is a proof-of-concept module for Samba, which -uses the VFS (virtual file system) features of Samba 2.2.x/3.0 -alphaX. Of couse, Samba has to be compiled with VFS support. -samba-vscan supports various virus scanners and is maintained -by Rainer Link.</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="GROUPMAPPING" -></A ->Chapter 18. Group mapping HOWTO</H1 -><P -> -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -<B -CLASS="COMMAND" ->smbgroupedit</B ->.</P -><P ->The first immediate reason to use the group mapping on a PDC, is that -the <B -CLASS="COMMAND" ->domain admin group</B -> of <TT -CLASS="FILENAME" ->smb.conf</TT -> is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups.</P -><P ->Let me explain how it works on NT/W2K, to have this magic fade away. -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P -><P ->When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation.</P -><P ->You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy.</P -><P -></P -><OL -TYPE="1" -><LI -><P ->create a unix group (usually in <TT -CLASS="FILENAME" ->/etc/group</TT ->), let's call it domadm</P -></LI -><LI -><P ->add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT -CLASS="FILENAME" ->/etc/group</TT -> will look like:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->domadm:x:502:joe,john,mary</PRE -></P -></LI -><LI -><P ->Map this domadm group to the <B -CLASS="COMMAND" ->domain admins</B -> group by running the command:</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -c "Domain Admins" -u domadm</B -></P -></LI -></OL -><P ->You're set, joe, john and mary are domain administrators !</P -><P ->Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running:</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -a unixgroup -td</B -></P -><P ->You can list the various groups in the mapping database like this</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -v</B -></P -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SPEED" -></A ->Chapter 19. Samba performance issues</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN2997" ->19.1. Comparisons</A -></H2 -><P ->The Samba server uses TCP to talk to the client. Thus if you are -trying to see if it performs well you should really compare it to -programs that use the same protocol. The most readily available -programs for file transfer that use TCP are ftp or another TCP based -SMB server.</P -><P ->If you want to test against something like a NT or WfWg server then -you will have to disable all but TCP on either the client or -server. Otherwise you may well be using a totally different protocol -(such as Netbeui) and comparisons may not be valid.</P -><P ->Generally you should find that Samba performs similarly to ftp at raw -transfer speed. It should perform quite a bit faster than NFS, -although this very much depends on your system.</P -><P ->Several people have done comparisons between Samba and Novell, NFS or -WinNT. In some cases Samba performed the best, in others the worst. I -suspect the biggest factor is not Samba vs some other system but the -hardware and drivers used on the various systems. Given similar -hardware Samba should certainly be competitive in speed with other -systems.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3003" ->19.2. Socket options</A -></H2 -><P ->There are a number of socket options that can greatly affect the -performance of a TCP based server like Samba.</P -><P ->The socket options that Samba uses are settable both on the command -line with the -O option, or in the smb.conf file.</P -><P ->The "socket options" section of the smb.conf manual page describes how -to set these and gives recommendations.</P -><P ->Getting the socket options right can make a big difference to your -performance, but getting them wrong can degrade it by just as -much. The correct settings are very dependent on your local network.</P -><P ->The socket option TCP_NODELAY is the one that seems to make the -biggest single difference for most networks. Many people report that -adding "socket options = TCP_NODELAY" doubles the read performance of -a Samba drive. The best explanation I have seen for this is that the -Microsoft TCP/IP stack is slow in sending tcp ACKs.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3010" ->19.3. Read size</A -></H2 -><P ->The option "read size" affects the overlap of disk reads/writes with -network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk.</P -><P ->This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other.</P -><P ->The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the best -value will vary greatly between systems anyway. A value over 65536 is -pointless and will cause you to allocate memory unnecessarily.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3015" ->19.4. Max xmit</A -></H2 -><P ->At startup the client and server negotiate a "maximum transmit" size, -which limits the size of nearly all SMB commands. You can set the -maximum size that Samba will negotiate using the "max xmit = " option -in smb.conf. Note that this is the maximum size of SMB request that -Samba will accept, but not the maximum size that the *client* will accept. -The client maximum receive size is sent to Samba by the client and Samba -honours this limit.</P -><P ->It defaults to 65536 bytes (the maximum), but it is possible that some -clients may perform better with a smaller transmit unit. Trying values -of less than 2048 is likely to cause severe problems.</P -><P ->In most cases the default is the best option.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3020" ->19.5. Log level</A -></H2 -><P ->If you set the log level (also known as "debug level") higher than 2 -then you may suffer a large drop in performance. This is because the -server flushes the log file after each operation, which can be very -expensive. </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3023" ->19.6. Read raw</A -></H2 -><P ->The "read raw" operation is designed to be an optimised, low-latency -file read operation. A server may choose to not support it, -however. and Samba makes support for "read raw" optional, with it -being enabled by default.</P -><P ->In some cases clients don't handle "read raw" very well and actually -get lower performance using it than they get using the conventional -read operations. </P -><P ->So you might like to try "read raw = no" and see what happens on your -network. It might lower, raise or not affect your performance. Only -testing can really tell.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3028" ->19.7. Write raw</A -></H2 -><P ->The "write raw" operation is designed to be an optimised, low-latency -file write operation. A server may choose to not support it, -however. and Samba makes support for "write raw" optional, with it -being enabled by default.</P -><P ->Some machines may find "write raw" slower than normal write, in which -case you may wish to change this option.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3032" ->19.8. Slow Clients</A -></H2 -><P ->One person has reported that setting the protocol to COREPLUS rather -than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P -><P ->I suspect that his PC's (386sx16 based) were asking for more data than -they could chew. I suspect a similar speed could be had by setting -"read raw = no" and "max xmit = 2048", instead of changing the -protocol. Lowering the "read size" might also help.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3036" ->19.9. Slow Logins</A -></H2 -><P ->Slow logins are almost always due to the password checking time. Using -the lowest practical "password level" will improve things a lot. You -could also enable the "UFC crypt" option in the Makefile.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3039" ->19.10. Client tuning</A -></H2 -><P ->Often a speed problem can be traced to the client. The client (for -example Windows for Workgroups) can often be tuned for better TCP -performance.</P -><P ->See your client docs for details. In particular, I have heard rumours -that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a -large impact on performance.</P -><P ->Also note that some people have found that setting DefaultRcvWindow in -the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a -big improvement. I don't know why.</P -><P ->My own experience wth DefaultRcvWindow is that I get much better -performance with a large value (16384 or larger). Other people have -reported that anything over 3072 slows things down enourmously. One -person even reported a speed drop of a factor of 30 when he went from -3072 to 8192. I don't know why.</P -><P ->It probably depends a lot on your hardware, and the type of unix box -you have at the other end of the link.</P -><P ->Paul Cochrane has done some testing on client side tuning and come -to the following conclusions:</P -><P ->Install the W2setup.exe file from www.microsoft.com. This is an -update for the winsock stack and utilities which improve performance.</P -><P ->Configure the win95 TCPIP registry settings to give better -perfomance. I use a program called MTUSPEED.exe which I got off the -net. There are various other utilities of this type freely available. -The setting which give the best performance for me are:</P -><P -></P -><OL -TYPE="1" -><LI -><P ->MaxMTU Remove</P -></LI -><LI -><P ->RWIN Remove</P -></LI -><LI -><P ->MTUAutoDiscover Disable</P -></LI -><LI -><P ->MTUBlackHoleDetect Disable</P -></LI -><LI -><P ->Time To Live Enabled</P -></LI -><LI -><P ->Time To Live - HOPS 32</P -></LI -><LI -><P ->NDI Cache Size 0</P -></LI -></OL -><P ->I tried virtually all of the items mentioned in the document and -the only one which made a difference to me was the socket options. It -turned out I was better off without any!!!!!</P -><P ->In terms of overall speed of transfer, between various win95 clients -and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE -drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->The figures are: Put Get -P166 client 3Com card: 420-440kB/s 500-520kB/s -P100 client 3Com card: 390-410kB/s 490-510kB/s -DX4-75 client NE2000: 370-380kB/s 330-350kB/s</PRE -></P -><P ->I based these test on transfer two files a 4.5MB text file and a 15MB -textfile. The results arn't bad considering the hardware Samba is -running on. It's a crap machine!!!!</P -><P ->The updates mentioned in 1 and 2 brought up the transfer rates from -just over 100kB/s in some clients.</P -><P ->A new client is a P333 connected via a 100MB/s card and hub. The -transfer rates from this were good: 450-500kB/s on put and 600+kB/s -on get.</P -><P ->Looking at standard FTP throughput, Samba is a bit slower (100kB/s -upwards). I suppose there is more going on in the samba protocol, but -if it could get up to the rate of FTP the perfomance would be quite -staggering.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="GROUPPROFILES" -></A ->Chapter 20. Creating Group Prolicy Files</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3087" ->20.1. Windows '9x</A -></H2 -><P ->You need the Win98 Group Policy Editor to -set Group Profiles up under Windows '9x. It can be found on the Original -full product Win98 installation CD under -<TT -CLASS="FILENAME" ->tools/reskit/netadmin/poledit</TT ->. You install this -using the Add/Remove Programs facility and then click on the 'Have Disk' -tab.</P -><P ->Use the Group Policy Editor to create a policy file that specifies the -location of user profiles and/or the <TT -CLASS="FILENAME" ->My Documents</TT -> etc. -stuff. You then save these settings in a file called -<TT -CLASS="FILENAME" ->Config.POL</TT -> that needs to be placed in -the root of the [NETLOGON] share. If your Win98 is configured to log onto -the Samba Domain, it will automatically read this file and update the -Win9x/Me registry of the machine that is logging on.</P -><P ->All of this is covered in the Win98 Resource Kit documentation.</P -><P ->If you do not do it this way, then every so often Win9x/Me will check the -integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win9x/Me machine. Hence, you will -occasionally notice things changing back to the original settings.</P -><P ->The following all refers to Windows NT/200x profile migration - not to policies. -We need a separate section on policies (NTConfig.Pol) for NT4/200x.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3097" ->20.2. Windows NT 4</A -></H2 -><P ->Unfortunately, the Resource Kit info is Win NT4 or 200x specific.</P -><P ->Here is a quick guide:</P -><P -></P -><UL -><LI -><P ->On your NT4 Domain Controller, right click on 'My Computer', then -select the tab labelled 'User Profiles'.</P -></LI -><LI -><P ->Select a user profile you want to migrate and click on it.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="90%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I am using the term "migrate" lossely. You can copy a profile to -create a group profile. You can give the user 'Everyone' rights to the -profile you copy this to. That is what you need to do, since your samba -domain is not a member of a trust relationship with your NT4 PDC.</P -></TD -></TR -></TABLE -></DIV -></LI -><LI -><P ->Click the 'Copy To' button.</P -></LI -><LI -><P ->In the box labelled 'Copy Profile to' add your new path, eg: -<TT -CLASS="FILENAME" ->c:\temp\foobar</TT -></P -></LI -><LI -><P ->Click on the button labelled 'Change' in the "Permitted to use" box.</P -></LI -><LI -><P ->Click on the group 'Everyone' and then click OK. This closes the -'chose user' box.</P -></LI -><LI -><P ->Now click OK.</P -></LI -></UL -><P ->Follow the above for every profile you need to migrate.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3120" ->20.2.1. Side bar Notes</A -></H3 -><P ->You should obtain the SID of your NT4 domain. You can use smbpasswd to do -this. Read the man page.</P -><P ->With Samba-3.0.0 alpha code you can import all you NT4 domain accounts -using the net samsync method. This way you can retain your profile -settings as well as all your users.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3124" ->20.2.2. Mandatory profiles</A -></H3 -><P ->The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3127" ->20.2.3. moveuser.exe</A -></H3 -><P ->The W2K professional resource kit has moveuser.exe. moveuser.exe changes -the security of a profile from one user to another. This allows the account -domain to change, and/or the user name to change.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3130" ->20.2.4. Get SID</A -></H3 -><P ->You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 -Resource Kit.</P -><P ->Windows NT 4.0 stores the local profile information in the registry under -the following key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</P -><P ->Under the ProfileList key, there will be subkeys named with the SIDs of the -users who have logged on to this computer. (To find the profile information -for the user whose locally cached profile you want to move, find the SID for -the user with the GetSID.exe utility.) Inside of the appropriate user's -subkey, you will see a string value named ProfileImagePath.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3135" ->20.3. Windows 2000/XP</A -></H2 -><P ->You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows:</P -><P -></P -><UL -><LI -><P ->Log on as the LOCAL workstation administrator.</P -></LI -><LI -><P ->Right click on the 'My Computer' Icon, select 'Properties'</P -></LI -><LI -><P ->Click on the 'User Profiles' tab</P -></LI -><LI -><P ->Select the profile you wish to convert (click on it once)</P -></LI -><LI -><P ->Click on the button 'Copy To'</P -></LI -><LI -><P ->In the "Permitted to use" box, click on the 'Change' button.</P -></LI -><LI -><P ->Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="90%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword.</P -></TD -></TR -></TABLE -></DIV -></LI -><LI -><P ->To make the profile capable of being used by anyone select 'Everyone'</P -></LI -><LI -><P ->Click OK. The Selection box will close.</P -></LI -><LI -><P ->Now click on the 'Ok' button to create the profile in the path you -nominated.</P -></LI -></UL -><P ->Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Under NT/2K the use of mandotory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -></P -><UL -><LI -><P ->This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</P -><P ->"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders"</P -><P ->...and it should be set to "Enabled". -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this.</P -><P ->If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. I don't know for sure that this will work in the -same way as a domain group policy):</P -></LI -><LI -><P ->On the XP workstation log in with an Administrator account.</P -></LI -><LI -><P ->Click: "Start", "Run"</P -></LI -><LI -><P ->Type: "mmc"</P -></LI -><LI -><P ->Click: "OK"</P -></LI -><LI -><P ->A Microsoft Management Console should appear.</P -></LI -><LI -><P ->Click: File, "Add/Remove Snap-in...", "Add"</P -></LI -><LI -><P ->Double-Click: "Group Policy"</P -></LI -><LI -><P ->Click: "Finish", "Close"</P -></LI -><LI -><P ->Click: "OK"</P -></LI -><LI -><P ->In the "Console Root" window:</P -></LI -><LI -><P ->Expand: "Local Computer Policy", "Computer Configuration",</P -></LI -><LI -><P ->"Administrative Templates", "System", "User Profiles"</P -></LI -><LI -><P ->Double-Click: "Do not check for user ownership of Roaming Profile</P -></LI -><LI -><P ->Folders"</P -></LI -><LI -><P ->Select: "Enabled"</P -></LI -><LI -><P ->Click: OK"</P -></LI -><LI -><P ->Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed).</P -></LI -><LI -><P ->Reboot</P -></LI -></UL -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SECURING-SAMBA" -></A ->Chapter 21. Securing Samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3216" ->21.1. Introduction</A -></H2 -><P ->This note was attached to the Samba 2.2.8 release notes as it contained an -important security fix. The information contained here applies to Samba -installations in general.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3219" ->21.2. Using host based protection</A -></H2 -><P ->In many installations of Samba the greatest threat comes for outside -your immediate network. By default Samba will accept connections from -any host, which means that if you run an insecure version of Samba on -a host that is directly connected to the Internet you can be -especially vulnerable.</P -><P ->One of the simplest fixes in this case is to use the 'hosts allow' and -'hosts deny' options in the Samba smb.conf configuration file to only -allow access to your server from a specific range of hosts. An example -might be:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 - hosts deny = 0.0.0.0/0</PRE -></P -><P ->The above will only allow SMB connections from 'localhost' (your own -computer) and from the two private networks 192.168.2 and -192.168.3. All other connections will be refused connections as soon -as the client sends its first packet. The refusal will be marked as a -'not listening on called name' error.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3226" ->21.3. Using interface protection</A -></H2 -><P ->By default Samba will accept connections on any network interface that -it finds on your system. That means if you have a ISDN line or a PPP -connection to the Internet then Samba will accept connections on those -links. This may not be what you want.</P -><P ->You can change this behaviour using options like the following:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> interfaces = eth* lo - bind interfaces only = yes</PRE -></P -><P -></P -><P ->This tells Samba to only listen for connections on interfaces with a -name starting with 'eth' such as eth0, eth1, plus on the loopback -interface called 'lo'. The name you will need to use depends on what -OS you are using, in the above I used the common name for Ethernet -adapters on Linux.</P -><P ->If you use the above and someone tries to make a SMB connection to -your host over a PPP interface called 'ppp0' then they will get a TCP -connection refused reply. In that case no Samba code is run at all as -the operating system has been told not to pass connections from that -interface to any process.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3235" ->21.4. Using a firewall</A -></H2 -><P ->Many people use a firewall to deny access to services that they don't -want exposed outside their network. This can be a very good idea, -although I would recommend using it in conjunction with the above -methods so that you are protected even if your firewall is not active -for some reason.</P -><P ->If you are setting up a firewall then you need to know what TCP and -UDP ports to allow and block. Samba uses the following:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->UDP/137 - used by nmbd -UDP/138 - used by nmbd -TCP/139 - used by smbd -TCP/445 - used by smbd</PRE -></P -><P ->The last one is important as many older firewall setups may not be -aware of it, given that this port was only added to the protocol in -recent years. </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3242" ->21.5. Using a IPC$ share deny</A -></H2 -><P ->If the above methods are not suitable, then you could also place a -more specific deny on the IPC$ share that is used in the recently -discovered security hole. This allows you to offer access to other -shares while denying access to IPC$ from potentially untrustworthy -hosts.</P -><P ->To do that you could use:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [ipc$] - hosts allow = 192.168.115.0/24 127.0.0.1 - hosts deny = 0.0.0.0/0</PRE -></P -><P ->this would tell Samba that IPC$ connections are not allowed from -anywhere but the two listed places (localhost and a local -subnet). Connections to other shares would still be allowed. As the -IPC$ share is the only share that is always accessible anonymously -this provides some level of protection against attackers that do not -know a username/password for your host.</P -><P ->If you use this method then clients will be given a 'access denied' -reply when they try to access the IPC$ share. That means that those -clients will not be able to browse shares, and may also be unable to -access some other resources. </P -><P ->This is not recommended unless you cannot use one of the other -methods listed above for some reason.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3251" ->21.6. Upgrading Samba</A -></H2 -><P ->Please check regularly on http://www.samba.org/ for updates and -important announcements. Occasionally security releases are made and -it is highly recommended to upgrade Samba when a security vulnerability -is discovered.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="UNICODE" -></A ->Chapter 22. Unicode/Charsets</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3265" ->22.1. What are charsets and unicode?</A -></H2 -><P ->Computers communicate in numbers. In texts, each number will be -translated to a corresponding letter. The meaning that will be assigned -to a certain number depends on the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->character set(charset)</I -></SPAN -> that is used. -A charset can be seen as a table that is used to translate numbers to -letters. Not all computers use the same charset (there are charsets -with German umlauts, Japanese characters, etc). Usually a charset contains -256 characters, which means that storing a character with it takes -exactly one byte. </P -><P ->There are also charsets that support even more characters, -but those need twice(or even more) as much storage space. These -charsets can contain <B -CLASS="COMMAND" ->256 * 256 = 65536</B -> characters, which -is more then all possible characters one could think of. They are called -multibyte charsets (because they use more then one byte to -store one character). </P -><P ->A standardised multibyte charset is unicode, info available at -<A -HREF="http://www.unicode.org/" -TARGET="_top" ->www.unicode.org</A ->. -Big advantage of using a multibyte charset is that you only need one; no -need to make sure two computers use the same charset when they are -communicating.</P -><P ->Old windows clients used to use single-byte charsets, named -'codepages' by microsoft. However, there is no support for -negotiating the charset to be used in the smb protocol. Thus, you -have to make sure you are using the same charset when talking to an old client. -Newer clients (Windows NT, 2K, XP) talk unicode over the wire.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3274" ->22.2. Samba and charsets</A -></H2 -><P ->As of samba 3.0, samba can (and will) talk unicode over the wire. Internally, -samba knows of three kinds of character sets: </P -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->unix charset</DT -><DD -><P -> This is the charset used internally by your operating system. - The default is <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->ASCII</I -></SPAN ->, which is fine for most - systems. - </P -></DD -><DT ->display charset</DT -><DD -><P ->This is the charset samba will use to print messages - on your screen. It should generally be the same as the <B -CLASS="COMMAND" ->unix charset</B ->. - </P -></DD -><DT ->dos charset</DT -><DD -><P ->This is the charset samba uses when communicating with - DOS and Windows 9x clients. It will talk unicode to all newer clients. - The default depends on the charsets you have installed on your system. - Run <B -CLASS="COMMAND" ->testparm -v | grep "dos charset"</B -> to see - what the default is on your system. - </P -></DD -></DL -></DIV -><P -></P -></DIV -></DIV -></DIV -><DIV -CLASS="PART" -><A -NAME="APPENDIXES" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" ->IV. Appendixes</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->23. <A -HREF="#PORTABILITY" ->Portability</A -></DT -><DD -><DL -><DT ->23.1. <A -HREF="#AEN3303" ->HPUX</A -></DT -><DT ->23.2. <A -HREF="#AEN3309" ->SCO Unix</A -></DT -><DT ->23.3. <A -HREF="#AEN3313" ->DNIX</A -></DT -><DT ->23.4. <A -HREF="#AEN3342" ->RedHat Linux Rembrandt-II</A -></DT -><DT ->23.5. <A -HREF="#AEN3348" ->AIX</A -></DT -><DD -><DL -><DT ->23.5.1. <A -HREF="#AEN3350" ->Sequential Read Ahead</A -></DT -></DL -></DD -></DL -></DD -><DT ->24. <A -HREF="#OTHER-CLIENTS" ->Samba and other CIFS clients</A -></DT -><DD -><DL -><DT ->24.1. <A -HREF="#AEN3368" ->Macintosh clients?</A -></DT -><DT ->24.2. <A -HREF="#AEN3377" ->OS2 Client</A -></DT -><DD -><DL -><DT ->24.2.1. <A -HREF="#AEN3379" ->How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?</A -></DT -><DT ->24.2.2. <A -HREF="#AEN3394" ->How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?</A -></DT -><DT ->24.2.3. <A -HREF="#AEN3403" ->Are there any other issues when OS/2 (any version) - is used as a client?</A -></DT -><DT ->24.2.4. <A -HREF="#AEN3407" ->How do I get printer driver download working - for OS/2 clients?</A -></DT -></DL -></DD -><DT ->24.3. <A -HREF="#AEN3417" ->Windows for Workgroups</A -></DT -><DD -><DL -><DT ->24.3.1. <A -HREF="#AEN3419" ->Use latest TCP/IP stack from Microsoft</A -></DT -><DT ->24.3.2. <A -HREF="#AEN3424" ->Delete .pwl files after password change</A -></DT -><DT ->24.3.3. <A -HREF="#AEN3429" ->Configure WfW password handling</A -></DT -><DT ->24.3.4. <A -HREF="#AEN3433" ->Case handling of passwords</A -></DT -><DT ->24.3.5. <A -HREF="#AEN3438" ->Use TCP/IP as default protocol</A -></DT -></DL -></DD -><DT ->24.4. <A -HREF="#AEN3441" ->Windows '95/'98</A -></DT -><DT ->24.5. <A -HREF="#AEN3457" ->Windows 2000 Service Pack 2</A -></DT -></DL -></DD -><DT ->25. <A -HREF="#COMPILING" ->How to compile SAMBA</A -></DT -><DD -><DL -><DT ->25.1. <A -HREF="#AEN3484" ->Access Samba source code via CVS</A -></DT -><DD -><DL -><DT ->25.1.1. <A -HREF="#AEN3486" ->Introduction</A -></DT -><DT ->25.1.2. <A -HREF="#AEN3491" ->CVS Access to samba.org</A -></DT -></DL -></DD -><DT ->25.2. <A -HREF="#AEN3527" ->Accessing the samba sources via rsync and ftp</A -></DT -><DT ->25.3. <A -HREF="#AEN3533" ->Building the Binaries</A -></DT -><DT ->25.4. <A -HREF="#AEN3561" ->Starting the smbd and nmbd</A -></DT -><DD -><DL -><DT ->25.4.1. <A -HREF="#AEN3571" ->Starting from inetd.conf</A -></DT -><DT ->25.4.2. <A -HREF="#AEN3600" ->Alternative: starting it as a daemon</A -></DT -></DL -></DD -></DL -></DD -><DT ->26. <A -HREF="#BUGREPORT" ->Reporting Bugs</A -></DT -><DD -><DL -><DT ->26.1. <A -HREF="#AEN3623" ->Introduction</A -></DT -><DT ->26.2. <A -HREF="#AEN3633" ->General info</A -></DT -><DT ->26.3. <A -HREF="#AEN3639" ->Debug levels</A -></DT -><DT ->26.4. <A -HREF="#AEN3656" ->Internal errors</A -></DT -><DT ->26.5. <A -HREF="#AEN3666" ->Attaching to a running process</A -></DT -><DT ->26.6. <A -HREF="#AEN3669" ->Patches</A -></DT -></DL -></DD -><DT ->27. <A -HREF="#DIAGNOSIS" ->The samba checklist</A -></DT -><DD -><DL -><DT ->27.1. <A -HREF="#AEN3692" ->Introduction</A -></DT -><DT ->27.2. <A -HREF="#AEN3697" ->Assumptions</A -></DT -><DT ->27.3. <A -HREF="#AEN3707" ->Tests</A -></DT -><DD -><DL -><DT ->27.3.1. <A -HREF="#AEN3709" ->Test 1</A -></DT -><DT ->27.3.2. <A -HREF="#AEN3715" ->Test 2</A -></DT -><DT ->27.3.3. <A -HREF="#AEN3721" ->Test 3</A -></DT -><DT ->27.3.4. <A -HREF="#AEN3736" ->Test 4</A -></DT -><DT ->27.3.5. <A -HREF="#AEN3741" ->Test 5</A -></DT -><DT ->27.3.6. <A -HREF="#AEN3747" ->Test 6</A -></DT -><DT ->27.3.7. <A -HREF="#AEN3755" ->Test 7</A -></DT -><DT ->27.3.8. <A -HREF="#AEN3781" ->Test 8</A -></DT -><DT ->27.3.9. <A -HREF="#AEN3798" ->Test 9</A -></DT -><DT ->27.3.10. <A -HREF="#AEN3806" ->Test 10</A -></DT -><DT ->27.3.11. <A -HREF="#AEN3812" ->Test 11</A -></DT -></DL -></DD -><DT ->27.4. <A -HREF="#AEN3817" ->Still having troubles?</A -></DT -></DL -></DD -></DL -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="PORTABILITY" -></A ->Chapter 23. Portability</H1 -><P ->Samba works on a wide range of platforms but the interface all the -platforms provide is not always compatible. This chapter contains -platform-specific information about compiling and using samba.</P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3303" ->23.1. HPUX</A -></H2 -><P ->HP's implementation of supplementary groups is, er, non-standard (for -hysterical reasons). There are two group files, /etc/group and -/etc/logingroup; the system maps UIDs to numbers using the former, but -initgroups() reads the latter. Most system admins who know the ropes -symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons -too stupid to go into here). initgroups() will complain if one of the -groups you're in in /etc/logingroup has what it considers to be an invalid -ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think) -60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody' -GIDs.</P -><P ->If you encounter this problem, make sure that the programs that are failing -to initgroups() be run as users not in any groups with GIDs outside the -allowed range.</P -><P ->This is documented in the HP manual pages under setgroups(2) and passwd(4).</P -><P ->On HPUX you must use gcc or the HP Ansi compiler. The free compiler -that comes with HP-UX is not Ansi compliant and cannot compile -Samba.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3309" ->23.2. SCO Unix</A -></H2 -><P -> -If you run an old version of SCO Unix then you may need to get important -TCP/IP patches for Samba to work correctly. Without the patch, you may -encounter corrupt data transfers using samba.</P -><P ->The patch you need is UOD385 Connection Drivers SLS. It is available from -SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z).</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3313" ->23.3. DNIX</A -></H2 -><P ->DNIX has a problem with seteuid() and setegid(). These routines are -needed for Samba to work correctly, but they were left out of the DNIX -C library for some reason.</P -><P ->For this reason Samba by default defines the macro NO_EID in the DNIX -section of includes.h. This works around the problem in a limited way, -but it is far from ideal, some things still won't work right.</P -><P -> -To fix the problem properly you need to assemble the following two -functions and then either add them to your C library or link them into -Samba.</P -><P -> -put this in the file <TT -CLASS="FILENAME" ->setegid.s</TT ->:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> .globl _setegid -_setegid: - moveq #47,d0 - movl #100,a0 - moveq #1,d1 - movl 4(sp),a1 - trap #9 - bccs 1$ - jmp cerror -1$: - clrl d0 - rts</PRE -></P -><P ->put this in the file <TT -CLASS="FILENAME" ->seteuid.s</TT ->:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> .globl _seteuid -_seteuid: - moveq #47,d0 - movl #100,a0 - moveq #0,d1 - movl 4(sp),a1 - trap #9 - bccs 1$ - jmp cerror -1$: - clrl d0 - rts</PRE -></P -><P ->after creating the above files you then assemble them using</P -><P -><B -CLASS="COMMAND" ->as seteuid.s</B -></P -><P -><B -CLASS="COMMAND" ->as setegid.s</B -></P -><P ->that should produce the files <TT -CLASS="FILENAME" ->seteuid.o</TT -> and -<TT -CLASS="FILENAME" ->setegid.o</TT -></P -><P ->then you need to add these to the LIBSM line in the DNIX section of -the Samba Makefile. Your LIBSM line will then look something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->LIBSM = setegid.o seteuid.o -ln</PRE -></P -><P -> -You should then remove the line:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#define NO_EID</PRE -></P -><P ->from the DNIX section of <TT -CLASS="FILENAME" ->includes.h</TT -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3342" ->23.4. RedHat Linux Rembrandt-II</A -></H2 -><P ->By default RedHat Rembrandt-II during installation adds an -entry to /etc/hosts as follows: -<PRE -CLASS="PROGRAMLISTING" -> 127.0.0.1 loopback "hostname"."domainname"</PRE -></P -><P ->This causes Samba to loop back onto the loopback interface. -The result is that Samba fails to communicate correctly with -the world and therefor may fail to correctly negotiate who -is the master browse list holder and who is the master browser.</P -><P ->Corrective Action: Delete the entry after the word loopback - in the line starting 127.0.0.1</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3348" ->23.5. AIX</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3350" ->23.5.1. Sequential Read Ahead</A -></H3 -><P ->Disabling Sequential Read Ahead using "vmtune -r 0" improves -samba performance significally.</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="OTHER-CLIENTS" -></A ->Chapter 24. Samba and other CIFS clients</H1 -><P ->This chapter contains client-specific information.</P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3368" ->24.1. Macintosh clients?</A -></H2 -><P ->Yes. <A -HREF="http://www.thursby.com/" -TARGET="_top" ->Thursby</A -> now have a CIFS Client / Server called DAVE - see</P -><P ->They test it against Windows 95, Windows NT and samba for -compatibility issues. At the time of writing, DAVE was at version -1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from -the Thursby web site (the speed of finder copies has been greatly -enhanced, and there are bug-fixes included).</P -><P -> -Alternatives - There are two free implementations of AppleTalk for -several kinds of UNIX machnes, and several more commercial ones. -These products allow you to run file services and print services -natively to Macintosh users, with no additional support required on -the Macintosh. The two free omplementations are -<A -HREF="http://www.umich.edu/~rsug/netatalk/" -TARGET="_top" ->Netatalk</A ->, and -<A -HREF="http://www.cs.mu.oz.au/appletalk/atalk.html" -TARGET="_top" ->CAP</A ->. -What Samba offers MS -Windows users, these packages offer to Macs. For more info on these -packages, Samba, and Linux (and other UNIX-based systems) see -<A -HREF="http://www.eats.com/linux_mac_win.html" -TARGET="_top" ->http://www.eats.com/linux_mac_win.html</A -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3377" ->24.2. OS2 Client</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3379" ->24.2.1. How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?</A -></H3 -><P ->A more complete answer to this question can be - found on <A -HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/samba/warp.html</A ->.</P -><P ->Basically, you need three components:</P -><P -></P -><UL -><LI -><P ->The File and Print Client ('IBM Peer') - </P -></LI -><LI -><P ->TCP/IP ('Internet support') - </P -></LI -><LI -><P ->The "NetBIOS over TCP/IP" driver ('TCPBEUI') - </P -></LI -></UL -><P ->Installing the first two together with the base operating - system on a blank system is explained in the Warp manual. If Warp - has already been installed, but you now want to install the - networking support, use the "Selective Install for Networking" - object in the "System Setup" folder.</P -><P ->Adding the "NetBIOS over TCP/IP" driver is not described - in the manual and just barely in the online documentation. Start - MPTS.EXE, click on OK, click on "Configure LAPS" and click - on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line - is then moved to 'Current Configuration'. Select that line, - click on "Change number" and increase it from 0 to 1. Save this - configuration.</P -><P ->If the Samba server(s) is not on your local subnet, you - can optionally add IP names and addresses of these servers - to the "Names List", or specify a WINS server ('NetBIOS - Nameserver' in IBM and RFC terminology). For Warp Connect you - may need to download an update for 'IBM Peer' to bring it on - the same level as Warp 4. See the webpage mentioned above.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3394" ->24.2.2. How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?</A -></H3 -><P ->You can use the free Microsoft LAN Manager 2.2c Client - for OS/2 from - <A -HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" -TARGET="_top" -> ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A ->. - See <A -HREF="http://carol.wins.uva.nl/~leeuw/lanman.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/lanman.html</A -> for - more information on how to install and use this client. In - a nutshell, edit the file \OS2VER in the root directory of - the OS/2 boot partition and add the lines:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> 20=setup.exe - 20=netwksta.sys - 20=netvdd.sys - </PRE -></P -><P ->before you install the client. Also, don't use the - included NE2000 driver because it is buggy. Try the NE2000 - or NS2000 driver from - <A -HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/" -TARGET="_top" -> ftp://ftp.cdrom.com/pub/os2/network/ndis/</A -> instead. - </P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3403" ->24.2.3. Are there any other issues when OS/2 (any version) - is used as a client?</A -></H3 -><P ->When you do a NET VIEW or use the "File and Print - Client Resource Browser", no Samba servers show up. This can - be fixed by a patch from <A -HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html" -TARGET="_top" -> http://carol.wins.uva.nl/~leeuw/samba/fix.html</A ->. - The patch will be included in a later version of Samba. It also - fixes a couple of other problems, such as preserving long - filenames when objects are dragged from the Workplace Shell - to the Samba server. </P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3407" ->24.2.4. How do I get printer driver download working - for OS/2 clients?</A -></H3 -><P ->First, create a share called [PRINTDRV] that is - world-readable. Copy your OS/2 driver files there. Note - that the .EA_ files must still be separate, so you will need - to use the original install files, and not copy an installed - driver from an OS/2 system.</P -><P ->Install the NT driver first for that printer. Then, - add to your smb.conf a parameter, os2 driver map = - <VAR -CLASS="REPLACEABLE" ->filename</VAR ->". Then, in the file - specified by <VAR -CLASS="REPLACEABLE" ->filename</VAR ->, map the - name of the NT driver name to the OS/2 driver name as - follows:</P -><P -><B -CLASS="COMMAND" ->nt driver name = os2 "driver - name"."device name"</B ->, e.g.: - HP LaserJet 5L = LASERJET.HP LaserJet 5L</P -><P ->You can have multiple drivers mapped in this file.</P -><P ->If you only specify the OS/2 driver name, and not the - device name, the first attempt to download the driver will - actually download the files, but the OS/2 client will tell - you the driver is not available. On the second attempt, it - will work. This is fixed simply by adding the device name - to the mapping, after which it will work on the first attempt. - </P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3417" ->24.3. Windows for Workgroups</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3419" ->24.3.1. Use latest TCP/IP stack from Microsoft</A -></H3 -><P ->Use the latest TCP/IP stack from microsoft if you use Windows -for workgroups.</P -><P ->The early TCP/IP stacks had lots of bugs.</P -><P -> -Microsoft has released an incremental upgrade to their TCP/IP 32-Bit -VxD drivers. The latest release can be found on their ftp site at -ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe. -There is an update.txt file there that describes the problems that were -fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386, -WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3424" ->24.3.2. Delete .pwl files after password change</A -></H3 -><P ->WfWg does a lousy job with passwords. I find that if I change my -password on either the unix box or the PC the safest thing to do is to -delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.</P -><P -> -If you don't do this you may find that WfWg remembers and uses the old -password, even if you told it a new one.</P -><P -> -Often WfWg will totally ignore a password you give it in a dialog box.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3429" ->24.3.3. Configure WfW password handling</A -></H3 -><P ->There is a program call admincfg.exe -on the last disk (disk 8) of the WFW 3.11 disk set. To install it -type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon -for it via the "Progam Manager" "New" Menu. This program allows you -to control how WFW handles passwords. ie disable Password Caching etc -for use with <B -CLASS="COMMAND" ->security = user</B -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3433" ->24.3.4. Case handling of passwords</A -></H3 -><P ->Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5)</A -> information on <B -CLASS="COMMAND" ->password level</B -> to specify what characters samba should try to uppercase when checking.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3438" ->24.3.5. Use TCP/IP as default protocol</A -></H3 -><P ->To support print queue reporting you may find -that you have to use TCP/IP as the default protocol under -WfWg. For some reason if you leave Netbeui as the default -it may break the print queue reporting on some systems. -It is presumably a WfWg bug.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3441" ->24.4. Windows '95/'98</A -></H2 -><P ->When using Windows 95 OEM SR2 the following updates are recommended where Samba -is being used. Please NOTE that the above change will affect you once these -updates have been installed.</P -><P -> -There are more updates than the ones mentioned here. You are referred to the -Microsoft Web site for all currently available updates to your specific version -of Windows 95.</P -><P -></P -><OL -TYPE="1" -><LI -><P ->Kernel Update: KRNLUPD.EXE</P -></LI -><LI -><P ->Ping Fix: PINGUPD.EXE</P -></LI -><LI -><P ->RPC Update: RPCRTUPD.EXE</P -></LI -><LI -><P ->TCP/IP Update: VIPUPD.EXE</P -></LI -><LI -><P ->Redirector Update: VRDRUPD.EXE</P -></LI -></OL -><P ->Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This -fix may stop your machine from hanging for an extended period when exiting -OutLook and you may also notice a significant speedup when accessing network -neighborhood services.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3457" ->24.5. Windows 2000 Service Pack 2</A -></H2 -><P -> -There are several annoyances with Windows 2000 SP2. One of which -only appears when using a Samba server to host user profiles -to Windows 2000 SP2 clients in a Windows domain. This assumes -that Samba is a member of the domain, but the problem will -likely occur if it is not.</P -><P -> -In order to server profiles successfully to Windows 2000 SP2 -clients (when not operating as a PDC), Samba must have -<B -CLASS="COMMAND" ->nt acl support = no</B -> -added to the file share which houses the roaming profiles. -If this is not done, then the Windows 2000 SP2 client will -complain about not being able to access the profile (Access -Denied) and create multiple copies of it on disk (DOMAIN.user.001, -DOMAIN.user.002, etc...). See the -<A -HREF="smb.conf.5.html" -TARGET="_top" ->smb.conf(5)</A -> man page -for more details on this option. Also note that the -<B -CLASS="COMMAND" ->nt acl support</B -> parameter was formally a global parameter in -releases prior to Samba 2.2.2.</P -><P -> -The following is a minimal profile share:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [profile] - path = /export/profile - create mask = 0600 - directory mask = 0700 - nt acl support = no - read only = no</PRE -></P -><P ->The reason for this bug is that the Win2k SP2 client copies -the security descriptor for the profile which contains -the Samba server's SID, and not the domain SID. The client -compares the SID for SAMBA\user and realizes it is -different that the one assigned to DOMAIN\user. Hence the reason -for the "access denied" message.</P -><P ->By disabling the <B -CLASS="COMMAND" ->nt acl support</B -> parameter, Samba will send -the Win2k client a response to the QuerySecurityDescriptor -trans2 call which causes the client to set a default ACL -for the profile. This default ACL includes </P -><P -><B -CLASS="COMMAND" ->DOMAIN\user "Full Control"</B -></P -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users.</I -></SPAN -></P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="COMPILING" -></A ->Chapter 25. How to compile SAMBA</H1 -><P ->You can obtain the samba source from the <A -HREF="http://samba.org/" -TARGET="_top" ->samba website</A ->. To obtain a development version, -you can download samba from CVS or using rsync. </P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3484" ->25.1. Access Samba source code via CVS</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3486" ->25.1.1. Introduction</A -></H3 -><P ->Samba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter.</P -><P ->This chapter is a modified version of the instructions found at -<A -HREF="http://samba.org/samba/cvs.html" -TARGET="_top" ->http://samba.org/samba/cvs.html</A -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3491" ->25.1.2. CVS Access to samba.org</A -></H3 -><P ->The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN3494" ->25.1.2.1. Access via CVSweb</A -></H4 -><P ->You can access the source code via your -favourite WWW browser. This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository.</P -><P ->Use the URL : <A -HREF="http://samba.org/cgi-bin/cvsweb" -TARGET="_top" ->http://samba.org/cgi-bin/cvsweb</A -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN3499" ->25.1.2.2. Access via cvs</A -></H4 -><P ->You can also access the source code via a -normal cvs client. This gives you much more control over you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser.</P -><P ->To download the latest cvs source code, point your -browser at the URL : <A -HREF="http://www.cyclic.com/" -TARGET="_top" ->http://www.cyclic.com/</A ->. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com.</P -><P ->To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. - </P -></LI -><LI -><P -> Run the command - </P -><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot login</B -> - </P -><P -> When it asks you for a password type <KBD -CLASS="USERINPUT" ->cvs</KBD ->. - </P -></LI -><LI -><P -> Run the command - </P -><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B -> - </P -><P -> This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. - </P -><P -> CVS branches other HEAD can be obtained by using the <VAR -CLASS="PARAMETER" ->-r</VAR -> - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. - </P -><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B -> - </P -></LI -><LI -><P -> Whenever you want to merge in the latest code changes use - the following command from within the samba directory: - </P -><P -> <B -CLASS="COMMAND" ->cvs update -d -P</B -> - </P -></LI -></OL -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3527" ->25.2. Accessing the samba sources via rsync and ftp</A -></H2 -><P -> pserver.samba.org also exports unpacked copies of most parts of the CVS tree at <A -HREF="ftp://pserver.samba.org/pub/unpacked" -TARGET="_top" ->ftp://pserver.samba.org/pub/unpacked</A -> and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. - See <A -HREF="http://rsync.samba.org/" -TARGET="_top" ->the rsync homepage</A -> for more info on rsync. - </P -><P -> The disadvantage of the unpacked trees - is that they do not support automatic - merging of local changes like CVS does. - rsync access is most convenient for an - initial install. - </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3533" ->25.3. Building the Binaries</A -></H2 -><P ->To do this, first run the program <B -CLASS="COMMAND" ->./configure - </B -> in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->./configure --help - </KBD -></P -><P ->first to see what special options you can enable. - Then executing</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make</KBD -></P -><P ->will create the binaries. Once it's successfully - compiled you can use </P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make install</KBD -></P -><P ->to install the binaries and manual pages. You can - separately install the binaries and/or man pages using</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make installbin - </KBD -></P -><P ->and</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make installman - </KBD -></P -><P ->Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. You - can go back to the previous version with</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make revert - </KBD -></P -><P ->if you find this version a disaster!</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3561" ->25.4. Starting the smbd and nmbd</A -></H2 -><P ->You must choose to start smbd and nmbd either - as daemons or from <B -CLASS="COMMAND" ->inetd</B ->. Don't try - to do both! Either you can put them in <TT -CLASS="FILENAME" -> inetd.conf</TT -> and have them started on demand - by <B -CLASS="COMMAND" ->inetd</B ->, or you can start them as - daemons either from the command line or in <TT -CLASS="FILENAME" -> /etc/rc.local</TT ->. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.</P -><P ->The main advantage of starting <B -CLASS="COMMAND" ->smbd</B -> - and <B -CLASS="COMMAND" ->nmbd</B -> using the recommended daemon method - is that they will respond slightly more quickly to an initial connection - request.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3571" ->25.4.1. Starting from inetd.conf</A -></H3 -><P ->NOTE; The following will be different if - you use NIS, NIS+ or LDAP to distribute services maps.</P -><P ->Look at your <TT -CLASS="FILENAME" ->/etc/services</TT ->. - What is defined at port 139/tcp. If nothing is defined - then add a line like this:</P -><P -><KBD -CLASS="USERINPUT" ->netbios-ssn 139/tcp</KBD -></P -><P ->similarly for 137/udp you should have an entry like:</P -><P -><KBD -CLASS="USERINPUT" ->netbios-ns 137/udp</KBD -></P -><P ->Next edit your <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> - and add two lines something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd - netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - </PRE -></P -><P ->The exact syntax of <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> - varies between unixes. Look at the other entries in inetd.conf - for a guide.</P -><P ->NOTE: Some unixes already have entries like netbios_ns - (note the underscore) in <TT -CLASS="FILENAME" ->/etc/services</TT ->. - You must either edit <TT -CLASS="FILENAME" ->/etc/services</TT -> or - <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> to make them consistent.</P -><P ->NOTE: On many systems you may need to use the - "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run <B -CLASS="COMMAND" ->ifconfig</B -> - as root if you don't know what the broadcast is for your - net. <B -CLASS="COMMAND" ->nmbd</B -> tries to determine it at run - time, but fails on some unixes. See the section on "testing nmbd" - for a method of finding if you need to do this.</P -><P ->!!!WARNING!!! Many unixes only accept around 5 - parameters on the command line in <TT -CLASS="FILENAME" ->inetd.conf</TT ->. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from <B -CLASS="COMMAND" ->inetd</B ->.</P -><P ->Restart <B -CLASS="COMMAND" ->inetd</B ->, perhaps just send - it a HUP. If you have installed an earlier version of <B -CLASS="COMMAND" -> nmbd</B -> then you may need to kill nmbd as well.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3600" ->25.4.2. Alternative: starting it as a daemon</A -></H3 -><P ->To start the server as a daemon you should create - a script something like this one, perhaps calling - it <TT -CLASS="FILENAME" ->startsmb</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #!/bin/sh - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - </PRE -></P -><P ->then make it executable with <B -CLASS="COMMAND" ->chmod - +x startsmb</B -></P -><P ->You can then run <B -CLASS="COMMAND" ->startsmb</B -> by - hand or execute it from <TT -CLASS="FILENAME" ->/etc/rc.local</TT -> - </P -><P ->To kill it send a kill signal to the processes - <B -CLASS="COMMAND" ->nmbd</B -> and <B -CLASS="COMMAND" ->smbd</B ->.</P -><P ->NOTE: If you use the SVR4 style init system then - you may like to look at the <TT -CLASS="FILENAME" ->examples/svr4-startup</TT -> - script to make Samba fit into that system.</P -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="BUGREPORT" -></A ->Chapter 26. Reporting Bugs</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3623" ->26.1. Introduction</A -></H2 -><P ->The email address for bug reports for stable releases is <A -HREF="samba@samba.org" -TARGET="_top" ->samba@samba.org</A ->. -Bug reports for alpha releases should go to <A -HREF="mailto:samba-technical@samba.org" -TARGET="_top" ->samba-technical@samba.org</A ->.</P -><P ->Please take the time to read this file before you submit a bug -report. Also, please see if it has changed between releases, as we -may be changing the bug reporting mechanism at some time.</P -><P ->Please also do as much as you can yourself to help track down the -bug. Samba is maintained by a dedicated group of people who volunteer -their time, skills and efforts. We receive far more mail about it than -we can possibly answer, so you have a much higher chance of an answer -and a fix if you send us a "developer friendly" bug report that lets -us fix it fast. </P -><P ->Do not assume that if you post the bug to the comp.protocols.smb -newsgroup or the mailing list that we will read it. If you suspect that your -problem is not a bug but a configuration problem then it is better to send -it to the Samba mailing list, as there are (at last count) 5000 other users on -that list that may be able to help you.</P -><P ->You may also like to look though the recent mailing list archives, -which are conveniently accessible on the Samba web pages -at <A -HREF="http://samba.org/samba/" -TARGET="_top" ->http://samba.org/samba/</A ->.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3633" ->26.2. General info</A -></H2 -><P ->Before submitting a bug report check your config for silly -errors. Look in your log files for obvious messages that tell you that -you've misconfigured something and run testparm to test your config -file for correct syntax.</P -><P ->Have you run through the <A -HREF="Diagnosis.html" -TARGET="_top" ->diagnosis</A ->? -This is very important.</P -><P ->If you include part of a log file with your bug report then be sure to -annotate it with exactly what you were doing on the client at the -time, and exactly what the results were.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3639" ->26.3. Debug levels</A -></H2 -><P ->If the bug has anything to do with Samba behaving incorrectly as a -server (like refusing to open a file) then the log files will probably -be very useful. Depending on the problem a log level of between 3 and -10 showing the problem may be appropriate. A higher level givesmore -detail, but may use too much disk space.</P -><P ->To set the debug level use <B -CLASS="COMMAND" ->log level =</B -> in your -<TT -CLASS="FILENAME" ->smb.conf</TT ->. You may also find it useful to set the log -level higher for just one machine and keep separate logs for each machine. -To do this use:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->log level = 10 -log file = /usr/local/samba/lib/log.%m -include = /usr/local/samba/lib/smb.conf.%m</PRE -></P -><P ->then create a file -<TT -CLASS="FILENAME" ->/usr/local/samba/lib/smb.conf.machine</TT -> where -"machine" is the name of the client you wish to debug. In that file -put any smb.conf commands you want, for example -<B -CLASS="COMMAND" ->log level=</B -> may be useful. This also allows you to -experiment with different security systems, protocol levels etc on just -one machine.</P -><P ->The <TT -CLASS="FILENAME" ->smb.conf</TT -> entry <B -CLASS="COMMAND" ->log level =</B -> -is synonymous with the entry <B -CLASS="COMMAND" ->debuglevel =</B -> that has been -used in older versions of Samba and is being retained for backwards -compatibility of smb.conf files.</P -><P ->As the <B -CLASS="COMMAND" ->log level =</B -> value is increased you will record -a significantly increasing level of debugging information. For most -debugging operations you may not need a setting higher than 3. Nearly -all bugs can be tracked at a setting of 10, but be prepared for a VERY -large volume of log data.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3656" ->26.4. Internal errors</A -></H2 -><P ->If you get a "INTERNAL ERROR" message in your log files it means that -Samba got an unexpected signal while running. It is probably a -segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software)</P -><P ->If the message came from smbd then it will probably be accompanied by -a message which details the last SMB message received by smbd. This -info is often very useful in tracking down the problem so please -include it in your bug report.</P -><P ->You should also detail how to reproduce the problem, if -possible. Please make this reasonably detailed.</P -><P ->You may also find that a core file appeared in a "corefiles" -subdirectory of the directory where you keep your samba log -files. This file is the most useful tool for tracking down the bug. To -use it you do this:</P -><P -><B -CLASS="COMMAND" ->gdb smbd core</B -></P -><P ->adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try "dbx". Then within the debugger use the -command "where" to give a stack trace of where the problem -occurred. Include this in your mail.</P -><P ->If you known any assembly language then do a "disass" of the routine -where the problem occurred (if its in a library routine then -disassemble the routine that called it) and try to work out exactly -where the problem is by looking at the surrounding code. Even if you -don't know assembly then incuding this info in the bug report can be -useful. </P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3666" ->26.5. Attaching to a running process</A -></H2 -><P ->Unfortunately some unixes (in particular some recent linux kernels) -refuse to dump a core file if the task has changed uid (which smbd -does often). To debug with this sort of system you could try to attach -to the running process using "gdb smbd PID" where you get PID from -smbstatus. Then use "c" to continue and try to cause the core dump -using the client. The debugger should catch the fault and tell you -where it occurred.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3669" ->26.6. Patches</A -></H2 -><P ->The best sort of bug report is one that includes a fix! If you send us -patches please use <B -CLASS="COMMAND" ->diff -u</B -> format if your version of -diff supports it, otherwise use <B -CLASS="COMMAND" ->diff -c4</B ->. Make sure -your do the diff against a clean version of the source and let me know -exactly what version you used. </P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="DIAGNOSIS" -></A ->Chapter 27. The samba checklist</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3692" ->27.1. Introduction</A -></H2 -><P ->This file contains a list of tests you can perform to validate your -Samba server. It also tells you what the likely cause of the problem -is if it fails any one of these steps. If it passes all these tests -then it is probably working fine.</P -><P ->You should do ALL the tests, in the order shown. We have tried to -carefully choose them so later tests only use capabilities verified in -the earlier tests.</P -><P ->If you send one of the samba mailing lists an email saying "it doesn't work" -and you have not followed this test procedure then you should not be surprised -your email is ignored.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3697" ->27.2. Assumptions</A -></H2 -><P ->In all of the tests it is assumed you have a Samba server called -BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP.</P -><P ->The procedure is similar for other types of clients.</P -><P ->It is also assumed you know the name of an available share in your -smb.conf. I will assume this share is called "tmp". You can add a -"tmp" share like by adding the following to smb.conf:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [tmp] - comment = temporary files - path = /tmp - read only = yes </PRE -></P -><P ->THESE TESTS ASSUME VERSION 3.0.0 OR LATER OF THE SAMBA SUITE. SOME -COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS</P -><P ->Please pay attention to the error messages you receive. If any error message -reports that your server is being unfriendly you should first check that you -IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf -file points to name servers that really do exist.</P -><P ->Also, if you do not have DNS server access for name resolution please check -that the settings for your smb.conf file results in "dns proxy = no". The -best way to check this is with "testparm smb.conf"</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3707" ->27.3. Tests</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3709" ->27.3.1. Test 1</A -></H3 -><P ->In the directory in which you store your smb.conf file, run the command -"testparm smb.conf". If it reports any errors then your smb.conf -configuration file is faulty.</P -><P ->Note: Your smb.conf file may be located in: <TT -CLASS="FILENAME" ->/etc/samba</TT -> - Or in: <TT -CLASS="FILENAME" ->/usr/local/samba/lib</TT -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3715" ->27.3.2. Test 2</A -></H3 -><P ->Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from -the unix box. If you don't get a valid response then your TCP/IP -software is not correctly installed. </P -><P ->Note that you will need to start a "dos prompt" window on the PC to -run ping.</P -><P ->If you get a message saying "host not found" or similar then your DNS -software or /etc/hosts file is not correctly setup. It is possible to -run samba without DNS entries for the server and client, but I assume -you do have correct entries for the remainder of these tests. </P -><P ->Another reason why ping might fail is if your host is running firewall -software. You will need to relax the rules to let in the workstation -in question, perhaps by allowing access from another subnet (on Linux -this is done via the ipfwadm program.)</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3721" ->27.3.3. Test 3</A -></H3 -><P ->Run the command "smbclient -L BIGSERVER" on the unix box. You -should get a list of available shares back. </P -><P ->If you get a error message containing the string "Bad password" then -you probably have either an incorrect "hosts allow", "hosts deny" or -"valid users" line in your smb.conf, or your guest account is not -valid. Check what your guest account is using "testparm" and -temporarily remove any "hosts allow", "hosts deny", "valid users" or -"invalid users" lines.</P -><P ->If you get a "connection refused" response then the smbd server may -not be running. If you installed it in inetd.conf then you probably edited -that file incorrectly. If you installed it as a daemon then check that -it is running, and check that the netbios-ssn port is in a LISTEN -state using "netstat -a".</P -><P ->If you get a "session request failed" then the server refused the -connection. If it says "Your server software is being unfriendly" then -its probably because you have invalid command line parameters to smbd, -or a similar fatal problem with the initial startup of smbd. Also -check your config file (smb.conf) for syntax errors with "testparm" -and that the various directories where samba keeps its log and lock -files exist.</P -><P ->There are a number of reasons for which smbd may refuse or decline -a session request. The most common of these involve one or more of -the following smb.conf file entries:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> hosts deny = ALL - hosts allow = xxx.xxx.xxx.xxx/yy - bind interfaces only = Yes</PRE -></P -><P ->In the above, no allowance has been made for any session requests that -will automatically translate to the loopback adaptor address 127.0.0.1. -To solve this problem change these lines to:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> hosts deny = ALL - hosts allow = xxx.xxx.xxx.xxx/yy 127.</PRE -></P -><P ->Do NOT use the "bind interfaces only" parameter where you may wish to -use the samba password change facility, or where smbclient may need to -access local service for name resolution or for local resource -connections. (Note: the "bind interfaces only" parameter deficiency -where it will not allow connections to the loopback address will be -fixed soon).</P -><P ->Another common cause of these two errors is having something already running -on port 139, such as Samba (ie: smbd is running from inetd already) or -something like Digital's Pathworks. Check your inetd.conf file before trying -to start smbd as a daemon, it can avoid a lot of frustration!</P -><P ->And yet another possible cause for failure of TEST 3 is when the subnet mask -and / or broadcast address settings are incorrect. Please check that the -network interface IP Address / Broadcast Address / Subnet Mask settings are -correct and that Samba has correctly noted these in the log.nmb file.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3736" ->27.3.4. Test 4</A -></H3 -><P ->Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the -IP address of your Samba server back.</P -><P ->If you don't then nmbd is incorrectly installed. Check your inetd.conf -if you run it from there, or that the daemon is running and listening -to udp port 137.</P -><P ->One common problem is that many inetd implementations can't take many -parameters on the command line. If this is the case then create a -one-line script that contains the right parameters and run that from -inetd.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3741" ->27.3.5. Test 5</A -></H3 -><P ->run the command <B -CLASS="COMMAND" ->nmblookup -B ACLIENT '*'</B -></P -><P ->You should get the PCs IP address back. If you don't then the client -software on the PC isn't installed correctly, or isn't started, or you -got the name of the PC wrong. </P -><P ->If ACLIENT doesn't resolve via DNS then use the IP address of the -client in the above test.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3747" ->27.3.6. Test 6</A -></H3 -><P ->Run the command <B -CLASS="COMMAND" ->nmblookup -d 2 '*'</B -></P -><P ->This time we are trying the same as the previous test but are trying -it via a broadcast to the default broadcast address. A number of -Netbios/TCPIP hosts on the network should respond, although Samba may -not catch all of the responses in the short time it listens. You -should see "got a positive name query response" messages from several -hosts.</P -><P ->If this doesn't give a similar result to the previous test then -nmblookup isn't correctly getting your broadcast address through its -automatic mechanism. In this case you should experiment use the -"interfaces" option in smb.conf to manually configure your IP -address, broadcast and netmask. </P -><P ->If your PC and server aren't on the same subnet then you will need to -use the -B option to set the broadcast address to the that of the PCs -subnet.</P -><P ->This test will probably fail if your subnet mask and broadcast address are -not correct. (Refer to TEST 3 notes above).</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3755" ->27.3.7. Test 7</A -></H3 -><P ->Run the command <B -CLASS="COMMAND" ->smbclient //BIGSERVER/TMP</B ->. You should -then be prompted for a password. You should use the password of the account -you are logged into the unix box with. If you want to test with -another account then add the -U >accountname< option to the end of -the command line. eg: -<B -CLASS="COMMAND" ->smbclient //bigserver/tmp -Ujohndoe</B -></P -><P ->Note: It is possible to specify the password along with the username -as follows: -<B -CLASS="COMMAND" ->smbclient //bigserver/tmp -Ujohndoe%secret</B -></P -><P ->Once you enter the password you should get the "smb>" prompt. If you -don't then look at the error message. If it says "invalid network -name" then the service "tmp" is not correctly setup in your smb.conf.</P -><P ->If it says "bad password" then the likely causes are:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> you have shadow passords (or some other password system) but didn't - compile in support for them in smbd - </P -></LI -><LI -><P -> your "valid users" configuration is incorrect - </P -></LI -><LI -><P -> you have a mixed case password and you haven't enabled the "password - level" option at a high enough level - </P -></LI -><LI -><P -> the "path =" line in smb.conf is incorrect. Check it with testparm - </P -></LI -><LI -><P -> you enabled password encryption but didn't create the SMB encrypted - password file - </P -></LI -></OL -><P ->Once connected you should be able to use the commands -<B -CLASS="COMMAND" ->dir</B -> <B -CLASS="COMMAND" ->get</B -> <B -CLASS="COMMAND" ->put</B -> etc. -Type <B -CLASS="COMMAND" ->help >command<</B -> for instructions. You should -especially check that the amount of free disk space shown is correct -when you type <B -CLASS="COMMAND" ->dir</B ->.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3781" ->27.3.8. Test 8</A -></H3 -><P ->On the PC type the command <B -CLASS="COMMAND" ->net view \\BIGSERVER</B ->. You will -need to do this from within a "dos prompt" window. You should get back a -list of available shares on the server.</P -><P ->If you get a "network name not found" or similar error then netbios -name resolution is not working. This is usually caused by a problem in -nmbd. To overcome it you could do one of the following (you only need -to choose one of them):</P -><P -></P -><OL -TYPE="1" -><LI -><P -> fixup the nmbd installation</P -></LI -><LI -><P -> add the IP address of BIGSERVER to the "wins server" box in the - advanced tcp/ip setup on the PC.</P -></LI -><LI -><P -> enable windows name resolution via DNS in the advanced section of - the tcp/ip setup</P -></LI -><LI -><P -> add BIGSERVER to your lmhosts file on the PC.</P -></LI -></OL -><P ->If you get a "invalid network name" or "bad password error" then the -same fixes apply as they did for the "smbclient -L" test above. In -particular, make sure your "hosts allow" line is correct (see the man -pages)</P -><P ->Also, do not overlook that fact that when the workstation requests the -connection to the samba server it will attempt to connect using the -name with which you logged onto your Windows machine. You need to make -sure that an account exists on your Samba server with that exact same -name and password.</P -><P ->If you get "specified computer is not receiving requests" or similar -it probably means that the host is not contactable via tcp services. -Check to see if the host is running tcp wrappers, and if so add an entry in -the hosts.allow file for your client (or subnet, etc.)</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3798" ->27.3.9. Test 9</A -></H3 -><P ->Run the command <B -CLASS="COMMAND" ->net use x: \\BIGSERVER\TMP</B ->. You should -be prompted for a password then you should get a "command completed -successfully" message. If not then your PC software is incorrectly -installed or your smb.conf is incorrect. make sure your "hosts allow" -and other config lines in smb.conf are correct.</P -><P ->It's also possible that the server can't work out what user name to -connect you as. To see if this is the problem add the line "user = -USERNAME" to the [tmp] section of smb.conf where "USERNAME" is the -username corresponding to the password you typed. If you find this -fixes things you may need the username mapping option. </P -><P ->It might also be the case that your client only sends encrypted passwords -and you have <B -CLASS="COMMAND" ->encrypt passwords = no</B -> in <TT -CLASS="FILENAME" ->smb.conf</TT ->. -Turn it back on to fix.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3806" ->27.3.10. Test 10</A -></H3 -><P ->Run the command <B -CLASS="COMMAND" ->nmblookup -M TESTGROUP</B -> where -TESTGROUP is the name of the workgroup that your Samba server and -Windows PCs belong to. You should get back the IP address of the -master browser for that workgroup.</P -><P ->If you don't then the election process has failed. Wait a minute to -see if it is just being slow then try again. If it still fails after -that then look at the browsing options you have set in smb.conf. Make -sure you have <B -CLASS="COMMAND" ->preferred master = yes</B -> to ensure that -an election is held at startup.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3812" ->27.3.11. Test 11</A -></H3 -><P ->From file manager try to browse the server. Your samba server should -appear in the browse list of your local workgroup (or the one you -specified in smb.conf). You should be able to double click on the name -of the server and get a list of shares. If you get a "invalid -password" error when you do then you are probably running WinNT and it -is refusing to browse a server that has no encrypted password -capability and is in user level security mode. In this case either set -<B -CLASS="COMMAND" ->security = server</B -> AND -<B -CLASS="COMMAND" ->password server = Windows_NT_Machine</B -> in your -smb.conf file, or enable encrypted passwords AFTER compiling in support -for encrypted passwords (refer to the Makefile).</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3817" ->27.4. Still having troubles?</A -></H2 -><P ->Try the mailing list or newsgroup, or use the ethereal utility to -sniff the problem. The official samba mailing list can be reached at -<A -HREF="mailto:samba@samba.org" -TARGET="_top" ->samba@samba.org</A ->. To find -out more about samba and how to subscribe to the mailing list check -out the samba web page at -<A -HREF="http://samba.org/samba" -TARGET="_top" ->http://samba.org/samba</A -></P -><P ->Also look at the other docs in the Samba package!</P -></DIV -></DIV -></DIV -></DIV -></BODY -></HTML ->
\ No newline at end of file |