Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 8584 |
1 files changed, 3829 insertions, 4755 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 8c470203e7..5dd720ddb2 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -52,10 +52,10 @@ CLASS="EDITEDBY" >Edited by</H4 ><H3 CLASS="EDITOR" ->John H Terpstra</H3 +>Jelmer R. Vernooij</H3 ><H3 CLASS="EDITOR" ->Jelmer Vernooij</H3 +>John H. Terpstra</H3 ><H3 CLASS="EDITOR" >Gerald (Jerry) Carter</H3 @@ -65,7 +65,7 @@ CLASS="ABSTRACT" ><P ></P ><A -NAME="AEN32" +NAME="AEN34" ></A ><P >This book is a collection of HOWTOs added to Samba documentation over the years. @@ -95,7 +95,7 @@ CLASS="LEGALNOTICE" ><P ></P ><A -NAME="AEN37" +NAME="AEN39" ></A ><P >This documentation is distributed under the GNU General Public License (GPL) 
@@ -125,141 +125,185 @@ HREF="#INTRODUCTION" ><DL ><DT >1. <A +HREF="#INTROSMB" +>Introduction to Samba</A +></DT +><DD +><DL +><DT +>1.1. <A +HREF="#AEN61" +>Background</A +></DT +><DT +>1.2. <A +HREF="#AEN67" +>Terminology</A +></DT +><DT +>1.3. <A +HREF="#AEN91" +>Related Projects</A +></DT +><DT +>1.4. <A +HREF="#AEN100" +>SMB Methodology</A +></DT +><DT +>1.5. <A +HREF="#AEN115" +>Additional Resources</A +></DT +><DT +>1.6. <A +HREF="#AEN151" +>Epilogue</A +></DT +><DT +>1.7. <A +HREF="#AEN162" +>Miscellaneous</A +></DT +></DL +></DD +><DT +>2. <A HREF="#INSTALL" >How to Install and Test SAMBA</A ></DT ><DD ><DL ><DT ->1.1. <A -HREF="#AEN65" +>2.1. <A +HREF="#AEN188" >Obtaining and installing samba</A ></DT ><DT ->1.2. <A -HREF="#AEN71" +>2.2. <A +HREF="#AEN194" >Configuring samba</A ></DT ><DT ->1.3. <A -HREF="#AEN107" +>2.3. <A +HREF="#AEN230" >Try listing the shares available on your server</A ></DT ><DT ->1.4. <A -HREF="#AEN116" +>2.4. <A +HREF="#AEN239" >Try connecting with the unix client</A ></DT ><DT ->1.5. <A -HREF="#AEN137" +>2.5. <A +HREF="#AEN260" >Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></DT ><DT ->1.6. <A -HREF="#AEN150" +>2.6. <A +HREF="#AEN273" >What If Things Don't Work?</A ></DT ></DL ></DD ><DT ->2. <A +>3. <A HREF="#BROWSING-QUICK" >Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A ></DT ><DD ><DL ><DT ->2.1. <A -HREF="#AEN183" +>3.1. <A +HREF="#AEN306" >Discussion</A ></DT ><DT ->2.2. <A -HREF="#AEN204" +>3.2. <A +HREF="#AEN327" >How browsing functions and how to deploy stable and dependable browsing using Samba</A ></DT ><DT ->2.3. <A -HREF="#AEN218" +>3.3. <A +HREF="#AEN341" >Use of the <B CLASS="COMMAND" >Remote Announce</B > parameter</A ></DT ><DT ->2.4. <A -HREF="#AEN241" +>3.4. <A +HREF="#AEN364" >Use of the <B CLASS="COMMAND" >Remote Browse Sync</B > parameter</A ></DT ><DT ->2.5. <A -HREF="#AEN252" +>3.5. <A +HREF="#AEN375" >Use of WINS</A ></DT ><DT ->2.6. 
<A -HREF="#AEN269" +>3.6. <A +HREF="#AEN401" >Do NOT use more than one (1) protocol on MS Windows machines</A ></DT ><DT ->2.7. <A -HREF="#AEN277" +>3.7. <A +HREF="#AEN409" >Name Resolution Order</A ></DT ></DL ></DD ><DT ->3. <A +>4. <A HREF="#PASSDB" >User information database</A ></DT ><DD ><DL ><DT ->3.1. <A -HREF="#AEN335" +>4.1. <A +HREF="#AEN469" >Introduction</A ></DT ><DT ->3.2. <A -HREF="#AEN342" +>4.2. <A +HREF="#AEN476" >Important Notes About Security</A ></DT ><DT ->3.3. <A -HREF="#AEN380" +>4.3. <A +HREF="#AEN514" >The smbpasswd Command</A ></DT ><DT ->3.4. <A -HREF="#AEN411" +>4.4. <A +HREF="#AEN545" >Plain text</A ></DT ><DT ->3.5. <A -HREF="#AEN416" +>4.5. <A +HREF="#AEN550" >TDB</A ></DT ><DT ->3.6. <A -HREF="#AEN419" +>4.6. <A +HREF="#AEN553" >LDAP</A ></DT ><DT ->3.7. <A -HREF="#AEN637" +>4.7. <A +HREF="#AEN766" >MySQL</A ></DT ><DT ->3.8. <A -HREF="#AEN679" +>4.8. <A +HREF="#AEN808" >XML</A ></DT ></DL 
@@ -274,156 +318,151 @@ HREF="#TYPE" ><DD ><DL ><DT ->4. <A +>5. <A HREF="#SERVERTYPE" >Nomenclature of Server Types</A ></DT ><DD ><DL ><DT ->4.1. <A -HREF="#AEN717" +>5.1. <A +HREF="#AEN847" >Stand Alone Server</A ></DT ><DT ->4.2. <A -HREF="#AEN724" +>5.2. <A +HREF="#AEN854" >Domain Member Server</A ></DT ><DT ->4.3. <A -HREF="#AEN730" +>5.3. <A +HREF="#AEN860" >Domain Controller</A ></DT ></DL ></DD ><DT ->5. <A +>6. <A HREF="#SECURITYLEVELS" >Samba as Stand-Alone Server</A ></DT ><DD ><DL ><DT ->5.1. <A -HREF="#AEN766" +>6.1. <A +HREF="#AEN897" >User and Share security level</A ></DT ></DL ></DD ><DT ->6. <A +>7. <A HREF="#SAMBA-PDC" >Samba as an NT4 or Win2k Primary Domain Controller</A ></DT ><DD ><DL ><DT ->6.1. <A -HREF="#AEN878" +>7.1. <A +HREF="#AEN1010" >Prerequisite Reading</A ></DT ><DT ->6.2. <A -HREF="#AEN883" +>7.2. <A +HREF="#AEN1014" >Background</A ></DT ><DT ->6.3. <A -HREF="#AEN923" +>7.3. <A +HREF="#AEN1054" >Configuring the Samba Domain Controller</A ></DT ><DT ->6.4. <A -HREF="#AEN965" +>7.4. <A +HREF="#AEN1096" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT ><DT ->6.5. <A -HREF="#AEN1073" +>7.5. <A +HREF="#AEN1212" >Common Problems and Errors</A ></DT ><DT ->6.6. <A -HREF="#AEN1119" ->What other help can I get?</A -></DT -><DT ->6.7. <A -HREF="#AEN1233" +>7.6. <A +HREF="#AEN1241" >Domain Control for Windows 9x/ME</A ></DT ></DL ></DD ><DT ->7. <A +>8. <A HREF="#SAMBA-BDC" >Samba Backup Domain Controller to Samba Domain Control</A ></DT ><DD ><DL ><DT ->7.1. <A -HREF="#AEN1286" +>8.1. <A +HREF="#AEN1294" >Prerequisite Reading</A ></DT ><DT ->7.2. <A -HREF="#AEN1290" +>8.2. <A +HREF="#AEN1298" >Background</A ></DT ><DT ->7.3. <A -HREF="#AEN1298" +>8.3. <A +HREF="#AEN1306" >What qualifies a Domain Controller on the network?</A ></DT ><DT ->7.4. <A -HREF="#AEN1307" +>8.4. <A +HREF="#AEN1315" >Can Samba be a Backup Domain Controller to an NT PDC?</A ></DT ><DT ->7.5. <A -HREF="#AEN1312" +>8.5. 
<A +HREF="#AEN1320" >How do I set up a Samba BDC?</A ></DT ></DL ></DD ><DT ->8. <A +>9. <A HREF="#ADS" >Samba as a ADS domain member</A ></DT ><DD ><DL ><DT ->8.1. <A -HREF="#AEN1355" +>9.1. <A +HREF="#AEN1364" >Setup your <TT CLASS="FILENAME" >smb.conf</TT ></A ></DT ><DT ->8.2. <A -HREF="#AEN1368" +>9.2. <A +HREF="#AEN1377" >Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT ></A ></DT ><DT ->8.3. <A +>9.3. <A HREF="#ADS-CREATE-MACHINE-ACCOUNT" >Create the computer account</A ></DT ><DT ->8.4. <A +>9.4. <A HREF="#ADS-TEST-SERVER" >Test your server setup</A ></DT ><DT ->8.5. <A +>9.5. <A HREF="#ADS-TEST-SMBCLIENT" >Testing with <SPAN CLASS="APPLICATION" @@ -431,27 +470,27 @@ CLASS="APPLICATION" ></A ></DT ><DT ->8.6. <A -HREF="#AEN1416" +>9.6. <A +HREF="#AEN1425" >Notes</A ></DT ></DL ></DD ><DT ->9. <A -HREF="#DOMAIN-SECURITY" +>10. <A +HREF="#DOMAIN-MEMBER" >Samba as a NT4 or Win2k domain member</A ></DT ><DD ><DL ><DT ->9.1. <A -HREF="#AEN1439" +>10.1. <A +HREF="#AEN1448" >Joining an NT Domain with Samba 3.0</A ></DT ><DT ->9.2. <A -HREF="#AEN1493" +>10.2. <A +HREF="#AEN1502" >Why is this better than security = server?</A ></DT ></DL 
@@ -466,500 +505,510 @@ HREF="#OPTIONAL" ><DD ><DL ><DT ->10. <A +>11. <A HREF="#UNIX-PERMISSIONS" >UNIX Permission Bits and Windows NT Access Control Lists</A ></DT ><DD ><DL ><DT ->10.1. <A -HREF="#AEN1525" +>11.1. <A +HREF="#AEN1534" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT ->10.2. <A -HREF="#AEN1531" +>11.2. <A +HREF="#AEN1540" >How to view file security on a Samba share</A ></DT ><DT ->10.3. <A -HREF="#AEN1542" +>11.3. <A +HREF="#AEN1551" >Viewing file ownership</A ></DT ><DT ->10.4. <A -HREF="#AEN1562" +>11.4. <A +HREF="#AEN1571" >Viewing file or directory permissions</A ></DT ><DT ->10.5. <A -HREF="#AEN1598" +>11.5. <A +HREF="#AEN1607" >Modifying file or directory permissions</A ></DT ><DT ->10.6. <A -HREF="#AEN1620" +>11.6. <A +HREF="#AEN1629" >Interaction with the standard Samba create mask parameters</A ></DT ><DT ->10.7. <A -HREF="#AEN1673" +>11.7. <A +HREF="#AEN1682" >Interaction with the standard Samba file attribute mapping</A ></DT ></DL ></DD ><DT ->11. <A +>12. <A HREF="#GROUPMAPPING" >Configuring Group Mapping</A ></DT ><DT ->12. <A +>13. <A HREF="#PRINTING" >Printing Support</A ></DT ><DD ><DL ><DT ->12.1. <A -HREF="#AEN1736" +>13.1. <A +HREF="#AEN1745" >Introduction</A ></DT ><DT ->12.2. <A -HREF="#AEN1758" +>13.2. <A +HREF="#AEN1767" >Configuration</A ></DT ><DT ->12.3. <A -HREF="#AEN1870" +>13.3. <A +HREF="#AEN1879" >The Imprints Toolset</A ></DT ><DT ->12.4. <A -HREF="#AEN1913" +>13.4. <A +HREF="#AEN1922" >Diagnosis</A ></DT ></DL ></DD ><DT ->13. <A +>14. <A HREF="#CUPS-PRINTING" >CUPS Printing Support</A ></DT ><DD ><DL ><DT ->13.1. <A -HREF="#AEN2025" +>14.1. <A +HREF="#AEN2035" >Introduction</A ></DT ><DT ->13.2. <A -HREF="#AEN2032" +>14.2. <A +HREF="#AEN2042" >Configuring <TT CLASS="FILENAME" >smb.conf</TT > for CUPS</A ></DT ><DT ->13.3. <A -HREF="#AEN2052" +>14.3. <A +HREF="#AEN2062" >CUPS - RAW Print Through Mode</A ></DT ><DT ->13.4. <A -HREF="#AEN2111" +>14.4. 
<A +HREF="#AEN2119" >CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe PostScript driver with CUPS-PPDs downloaded to clients</A ></DT ><DT ->13.5. <A -HREF="#AEN2132" +>14.5. <A +HREF="#AEN2140" >Windows Terminal Servers (WTS) as CUPS clients</A ></DT ><DT ->13.6. <A -HREF="#AEN2136" +>14.6. <A +HREF="#AEN2144" >Setting up CUPS for driver download</A ></DT ><DT ->13.7. <A -HREF="#AEN2149" +>14.7. <A +HREF="#AEN2157" >Sources of CUPS drivers / PPDs</A ></DT ><DT ->13.8. <A -HREF="#AEN2205" +>14.8. <A +HREF="#AEN2213" >The CUPS Filter Chains</A ></DT ><DT ->13.9. <A -HREF="#AEN2244" +>14.9. <A +HREF="#AEN2252" >CUPS Print Drivers and Devices</A ></DT ><DT ->13.10. <A -HREF="#AEN2321" +>14.10. <A +HREF="#AEN2329" >Limiting the number of pages users can print</A ></DT ><DT ->13.11. <A -HREF="#AEN2417" +>14.11. <A +HREF="#AEN2425" >Advanced Postscript Printing from MS Windows</A ></DT ><DT ->13.12. <A -HREF="#AEN2432" +>14.12. <A +HREF="#AEN2440" >Auto-Deletion of CUPS spool files</A ></DT ></DL ></DD ><DT ->14. <A +>15. <A HREF="#WINBIND" >Unified Logons between Windows NT and UNIX using Winbind</A ></DT ><DD ><DL ><DT ->14.1. <A -HREF="#AEN2506" +>15.1. <A +HREF="#AEN2516" >Abstract</A ></DT ><DT ->14.2. <A -HREF="#AEN2510" +>15.2. <A +HREF="#AEN2520" >Introduction</A ></DT ><DT ->14.3. <A -HREF="#AEN2523" +>15.3. <A +HREF="#AEN2533" >What Winbind Provides</A ></DT ><DT ->14.4. <A -HREF="#AEN2534" +>15.4. <A +HREF="#AEN2544" >How Winbind Works</A ></DT ><DT ->14.5. <A -HREF="#AEN2577" +>15.5. <A +HREF="#AEN2587" >Installation and Configuration</A ></DT ><DT ->14.6. <A -HREF="#AEN2834" +>15.6. <A +HREF="#AEN2844" >Limitations</A ></DT ><DT ->14.7. <A -HREF="#AEN2844" +>15.7. <A +HREF="#AEN2854" >Conclusion</A ></DT ></DL ></DD ><DT ->15. <A +>16. <A HREF="#ADVANCEDNETWORKMANAGEMENT" >Advanced Network Manangement</A ></DT ><DD ><DL ><DT ->15.1. <A -HREF="#AEN2859" +>16.1. 
<A +HREF="#AEN2870" >Configuring Samba Share Access Controls</A ></DT ><DT ->15.2. <A -HREF="#AEN2897" +>16.2. <A +HREF="#AEN2908" >Remote Server Administration</A ></DT ><DT ->15.3. <A -HREF="#AEN2914" +>16.3. <A +HREF="#AEN2925" >Network Logon Script Magic</A ></DT ></DL ></DD ><DT ->16. <A +>17. <A HREF="#POLICYMGMT" >System and Account Policies</A ></DT ><DD ><DL ><DT ->16.1. <A -HREF="#AEN2929" +>17.1. <A +HREF="#AEN2959" >Creating and Managing System Policies</A ></DT ><DT ->16.2. <A -HREF="#AEN3002" +>17.2. <A +HREF="#AEN3031" >Managing Account/User Policies</A ></DT +><DT +>17.3. <A +HREF="#AEN3053" +>System Startup and Logon Processing Overview</A +></DT ></DL ></DD ><DT ->17. <A +>18. <A HREF="#PROFILEMGMT" >Desktop Profile Management</A ></DT ><DD ><DL ><DT ->17.1. <A -HREF="#AEN3035" +>18.1. <A +HREF="#AEN3096" >Roaming Profiles</A ></DT ><DT ->17.2. <A -HREF="#AEN3242" +>18.2. <A +HREF="#AEN3303" >Mandatory profiles</A ></DT ><DT ->17.3. <A -HREF="#AEN3249" +>18.3. <A +HREF="#AEN3310" >Creating/Managing Group Profiles</A ></DT ><DT ->17.4. <A -HREF="#AEN3255" +>18.4. <A +HREF="#AEN3316" >Default Profile for Windows Users</A ></DT ></DL ></DD ><DT ->18. <A +>19. <A HREF="#INTERDOMAINTRUSTS" >Interdomain Trust Relationships</A ></DT ><DD ><DL ><DT ->18.1. <A -HREF="#AEN3386" +>19.1. <A +HREF="#AEN3447" >Trust Relationship Background</A ></DT ><DT ->18.2. <A -HREF="#AEN3395" ->MS Windows NT4 Trust Configuration</A +>19.2. <A +HREF="#AEN3456" +>Native MS Windows NT4 Trusts Configuration</A ></DT ><DT ->18.3. <A -HREF="#AEN3405" ->Configuring Samba Domain Trusts</A +>19.3. <A +HREF="#AEN3465" +>Configuring Samba NT-style Domain Trusts</A ></DT ></DL ></DD ><DT ->19. <A +>20. <A HREF="#PAM" >PAM Configuration for Centrally Managed Authentication</A ></DT ><DD ><DL ><DT ->19.1. <A -HREF="#AEN3440" +>20.1. <A +HREF="#AEN3508" >Samba and PAM</A ></DT ><DT ->19.2. <A -HREF="#AEN3491" +>20.2. <A +HREF="#AEN3559" >Distributed Authentication</A ></DT ><DT ->19.3. 
<A -HREF="#AEN3496" +>20.3. <A +HREF="#AEN3564" >PAM Configuration in smb.conf</A ></DT ></DL ></DD ><DT ->20. <A +>21. <A HREF="#VFS" >Stackable VFS modules</A ></DT ><DD ><DL ><DT ->20.1. <A -HREF="#AEN3531" +>21.1. <A +HREF="#AEN3601" >Introduction and configuration</A ></DT ><DT ->20.2. <A -HREF="#AEN3540" +>21.2. <A +HREF="#AEN3610" >Included modules</A ></DT ><DT ->20.3. <A -HREF="#AEN3598" +>21.3. <A +HREF="#AEN3668" >VFS modules available elsewhere</A ></DT ></DL ></DD ><DT ->21. <A +>22. <A HREF="#MSDFS" >Hosting a Microsoft Distributed File System tree on Samba</A ></DT ><DD ><DL ><DT ->21.1. <A -HREF="#AEN3626" +>22.1. <A +HREF="#AEN3696" >Instructions</A ></DT ></DL ></DD ><DT ->22. <A +>23. <A HREF="#INTEGRATE-MS-NETWORKS" >Integrating MS Windows networks with Samba</A ></DT ><DD ><DL ><DT ->22.1. <A -HREF="#AEN3688" +>23.1. <A +HREF="#AEN3759" >Name Resolution in a pure Unix/Linux world</A ></DT ><DT ->22.2. <A -HREF="#AEN3751" +>23.2. <A +HREF="#AEN3822" >Name resolution as used within MS Windows networking</A ></DT ></DL ></DD ><DT ->23. <A +>24. <A HREF="#IMPROVED-BROWSING" >Improved browsing in samba</A ></DT ><DD ><DL ><DT ->23.1. <A -HREF="#AEN3804" +>24.1. <A +HREF="#AEN3875" >Overview of browsing</A ></DT ><DT ->23.2. <A -HREF="#AEN3810" +>24.2. <A +HREF="#AEN3881" >Browsing support in samba</A ></DT ><DT ->23.3. <A -HREF="#AEN3825" +>24.3. <A +HREF="#AEN3896" >Problem resolution</A ></DT ><DT ->23.4. <A -HREF="#AEN3837" +>24.4. <A +HREF="#AEN3908" >Browsing across subnets</A ></DT ><DT ->23.5. <A -HREF="#AEN3878" +>24.5. <A +HREF="#AEN3949" >Setting up a WINS server</A ></DT ><DT ->23.6. <A -HREF="#AEN3901" +>24.6. <A +HREF="#AEN3972" >Setting up Browsing in a WORKGROUP</A ></DT ><DT ->23.7. <A -HREF="#AEN3927" +>24.7. <A +HREF="#AEN3998" >Setting up Browsing in a DOMAIN</A ></DT ><DT ->23.8. <A +>24.8. <A HREF="#BROWSE-FORCE-MASTER" >Forcing samba to be the master</A ></DT ><DT ->23.9. <A -HREF="#AEN3962" +>24.9. 
<A +HREF="#AEN4033" >Making samba the domain master</A ></DT ><DT ->23.10. <A -HREF="#AEN3984" +>24.10. <A +HREF="#AEN4055" >Note about broadcast addresses</A ></DT ><DT ->23.11. <A -HREF="#AEN3987" +>24.11. <A +HREF="#AEN4058" >Multiple interfaces</A ></DT ></DL ></DD ><DT ->24. <A +>25. <A HREF="#SECURING-SAMBA" >Securing Samba</A ></DT ><DD ><DL ><DT ->24.1. <A -HREF="#AEN4003" +>25.1. <A +HREF="#AEN4074" >Introduction</A ></DT ><DT ->24.2. <A -HREF="#AEN4006" +>25.2. <A +HREF="#AEN4077" >Using host based protection</A ></DT ><DT ->24.3. <A -HREF="#AEN4016" +>25.3. <A +HREF="#AEN4087" >Using interface protection</A ></DT ><DT ->24.4. <A -HREF="#AEN4025" +>25.4. <A +HREF="#AEN4095" >Using a firewall</A ></DT ><DT ->24.5. <A -HREF="#AEN4032" +>25.5. <A +HREF="#AEN4102" >Using a IPC$ share deny</A ></DT ><DT ->24.6. <A -HREF="#AEN4041" +>25.6. <A +HREF="#AEN4111" >Upgrading Samba</A ></DT ></DL ></DD ><DT ->25. <A +>26. <A HREF="#UNICODE" >Unicode/Charsets</A ></DT ><DD ><DL ><DT ->25.1. <A -HREF="#AEN4056" +>26.1. <A +HREF="#AEN4127" >What are charsets and unicode?</A ></DT ><DT ->25.2. <A -HREF="#AEN4065" +>26.2. <A +HREF="#AEN4136" >Samba and charsets</A ></DT +><DT +>26.3. <A +HREF="#AEN4155" +>Conversion from old names</A +></DT ></DL ></DD ></DL 
@@ -972,94 +1021,55 @@ HREF="#APPENDIXES" ><DD ><DL ><DT ->26. <A -HREF="#SWAT" ->SWAT - The Samba Web Admininistration Tool</A +>27. <A +HREF="#COMPILING" +>How to compile SAMBA</A ></DT ><DD ><DL ><DT ->26.1. <A -HREF="#AEN4098" ->SWAT Features and Benefits</A +>27.1. <A +HREF="#AEN4183" +>Access Samba source code via CVS</A ></DT -></DL -></DD ><DT ->27. <A -HREF="#NT4MIGRATION" ->Migration from NT4 PDC to Samba-3 PDC</A +>27.2. <A +HREF="#AEN4226" +>Accessing the samba sources via rsync and ftp</A ></DT -><DD -><DL ><DT ->27.1. <A -HREF="#AEN4134" ->Planning and Getting Started</A +>27.3. <A +HREF="#AEN4232" +>Verifying Samba's PGP signature</A ></DT ><DT ->27.2. <A -HREF="#AEN4143" ->Managing Samba-3 Domain Control</A +>27.4. <A +HREF="#AEN4244" +>Building the Binaries</A +></DT +><DT +>27.5. <A +HREF="#AEN4301" +>Starting the smbd and nmbd</A ></DT ></DL ></DD ><DT >28. <A -HREF="#SPEED" ->Samba performance issues</A +HREF="#NT4MIGRATION" +>Migration from NT4 PDC to Samba-3 PDC</A ></DT ><DD ><DL ><DT >28.1. <A -HREF="#AEN4163" ->Comparisons</A +HREF="#AEN4375" +>Planning and Getting Started</A ></DT ><DT >28.2. <A -HREF="#AEN4169" ->Socket options</A -></DT -><DT ->28.3. <A -HREF="#AEN4176" ->Read size</A -></DT -><DT ->28.4. <A -HREF="#AEN4181" ->Max xmit</A -></DT -><DT ->28.5. <A -HREF="#AEN4186" ->Log level</A -></DT -><DT ->28.6. <A -HREF="#AEN4189" ->Read raw</A -></DT -><DT ->28.7. <A -HREF="#AEN4194" ->Write raw</A -></DT -><DT ->28.8. <A -HREF="#AEN4198" ->Slow Clients</A -></DT -><DT ->28.9. <A -HREF="#AEN4202" ->Slow Logins</A -></DT -><DT ->28.10. <A -HREF="#AEN4205" ->Client tuning</A +HREF="#AEN4408" +>Managing Samba-3 Domain Control</A ></DT ></DL ></DD 
@@ -1072,29 +1082,34 @@ HREF="#PORTABILITY" ><DL ><DT >29.1. <A -HREF="#AEN4249" +HREF="#AEN4423" >HPUX</A ></DT ><DT >29.2. <A -HREF="#AEN4255" +HREF="#AEN4429" >SCO Unix</A ></DT ><DT >29.3. <A -HREF="#AEN4259" +HREF="#AEN4433" >DNIX</A ></DT ><DT >29.4. <A -HREF="#AEN4288" +HREF="#AEN4462" >RedHat Linux Rembrandt-II</A ></DT ><DT >29.5. <A -HREF="#AEN4294" +HREF="#AEN4468" >AIX</A ></DT +><DT +>29.6. <A +HREF="#AEN4474" +>Solaris</A +></DT ></DL ></DD ><DT 
@@ -1106,101 +1121,106 @@ HREF="#OTHER-CLIENTS" ><DL ><DT >30.1. <A -HREF="#AEN4319" +HREF="#AEN4501" >Macintosh clients?</A ></DT ><DT >30.2. <A -HREF="#AEN4328" +HREF="#AEN4510" >OS2 Client</A ></DT ><DT >30.3. <A -HREF="#AEN4368" +HREF="#AEN4550" >Windows for Workgroups</A ></DT ><DT >30.4. <A -HREF="#AEN4392" +HREF="#AEN4574" >Windows '95/'98</A ></DT ><DT >30.5. <A -HREF="#AEN4408" +HREF="#AEN4590" >Windows 2000 Service Pack 2</A ></DT ><DT >30.6. <A -HREF="#AEN4425" +HREF="#AEN4607" >Windows NT 3.1</A ></DT ></DL ></DD ><DT >31. <A -HREF="#COMPILING" ->How to compile SAMBA</A +HREF="#SWAT" +>SWAT - The Samba Web Admininistration Tool</A ></DT ><DD ><DL ><DT >31.1. <A -HREF="#AEN4446" ->Access Samba source code via CVS</A -></DT -><DT ->31.2. <A -HREF="#AEN4489" ->Accessing the samba sources via rsync and ftp</A -></DT -><DT ->31.3. <A -HREF="#AEN4495" ->Building the Binaries</A -></DT -><DT ->31.4. <A -HREF="#AEN4552" ->Starting the smbd and nmbd</A +HREF="#AEN4624" +>SWAT Features and Benefits</A ></DT ></DL ></DD ><DT >32. <A -HREF="#BUGREPORT" ->Reporting Bugs</A +HREF="#SPEED" +>Samba performance issues</A ></DT ><DD ><DL ><DT >32.1. <A -HREF="#AEN4627" ->Introduction</A +HREF="#AEN4666" +>Comparisons</A ></DT ><DT >32.2. <A -HREF="#AEN4637" ->General info</A +HREF="#AEN4672" +>Socket options</A ></DT ><DT >32.3. <A -HREF="#AEN4643" ->Debug levels</A +HREF="#AEN4679" +>Read size</A ></DT ><DT >32.4. <A -HREF="#AEN4664" ->Internal errors</A +HREF="#AEN4684" +>Max xmit</A ></DT ><DT >32.5. <A -HREF="#AEN4678" ->Attaching to a running process</A +HREF="#AEN4689" +>Log level</A ></DT ><DT >32.6. <A -HREF="#AEN4686" ->Patches</A +HREF="#AEN4692" +>Read raw</A +></DT +><DT +>32.7. <A +HREF="#AEN4697" +>Write raw</A +></DT +><DT +>32.8. <A +HREF="#AEN4701" +>Slow Clients</A +></DT +><DT +>32.9. <A +HREF="#AEN4705" +>Slow Logins</A +></DT +><DT +>32.10. <A +HREF="#AEN4708" +>Client tuning</A ></DT ></DL ></DD 
@@ -1213,320 +1233,605 @@ HREF="#DIAGNOSIS" ><DL ><DT >33.1. <A -HREF="#AEN4709" +HREF="#AEN4760" >Introduction</A ></DT ><DT >33.2. <A -HREF="#AEN4714" +HREF="#AEN4765" >Assumptions</A ></DT ><DT >33.3. <A -HREF="#AEN4733" +HREF="#AEN4784" >The tests</A ></DT ><DT >33.4. <A -HREF="#AEN4900" +HREF="#AEN4951" >Still having troubles?</A ></DT ></DL ></DD -></DL -></DD -></DL -></DIV -><DIV -CLASS="PART" -><A -NAME="INTRODUCTION" -></A -><DIV -CLASS="TITLEPAGE" -><H1 -CLASS="TITLE" ->I. General installation</H1 -><DIV -CLASS="PARTINTRO" -><A -NAME="AEN42" -></A -><H1 ->Introduction</H1 -><P ->This part contains general info on how to install samba -and how to configure the parts of samba you will most likely need. -PLEASE read this.</P -></DIV -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->1. <A -HREF="#INSTALL" ->How to Install and Test SAMBA</A -></DT -><DD -><DL -><DT ->1.1. <A -HREF="#AEN65" ->Obtaining and installing samba</A -></DT -><DT ->1.2. <A -HREF="#AEN71" ->Configuring samba</A -></DT -><DD -><DL -><DT ->1.2.1. <A -HREF="#AEN76" ->Editing the <TT -CLASS="FILENAME" ->smb.conf</TT -> file</A -></DT -><DT ->1.2.2. <A -HREF="#AEN101" ->SWAT</A -></DT -></DL -></DD -><DT ->1.3. <A -HREF="#AEN107" ->Try listing the shares available on your - server</A -></DT -><DT ->1.4. <A -HREF="#AEN116" ->Try connecting with the unix client</A -></DT -><DT ->1.5. <A -HREF="#AEN137" ->Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</A -></DT -><DT ->1.6. <A -HREF="#AEN150" ->What If Things Don't Work?</A -></DT -><DD -><DL -><DT ->1.6.1. <A -HREF="#AEN156" ->Scope IDs</A -></DT -><DT ->1.6.2. <A -HREF="#AEN159" ->Locking</A -></DT -></DL -></DD -></DL -></DD ><DT ->2. <A -HREF="#BROWSING-QUICK" ->Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A +>34. <A +HREF="#PROBLEMS" +>Analysing and solving samba problems</A ></DT ><DD ><DL ><DT ->2.1. <A -HREF="#AEN183" ->Discussion</A -></DT -><DT ->2.2. 
<A -HREF="#AEN204" ->How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></DT -><DT ->2.3. <A -HREF="#AEN218" ->Use of the <B -CLASS="COMMAND" ->Remote Announce</B -> parameter</A -></DT -><DT ->2.4. <A -HREF="#AEN241" ->Use of the <B -CLASS="COMMAND" ->Remote Browse Sync</B -> parameter</A -></DT -><DT ->2.5. <A -HREF="#AEN252" ->Use of WINS</A -></DT -><DT ->2.6. <A -HREF="#AEN269" ->Do NOT use more than one (1) protocol on MS Windows machines</A +>34.1. <A +HREF="#AEN4983" +>Diagnostics tools</A ></DT ><DT ->2.7. <A -HREF="#AEN277" ->Name Resolution Order</A +>34.2. <A +HREF="#AEN4998" +>Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</A ></DT -></DL -></DD ><DT ->3. <A -HREF="#PASSDB" ->User information database</A +>34.3. <A +HREF="#AEN5027" +>Useful URL's</A ></DT -><DD -><DL -><DT ->3.1. <A -HREF="#AEN335" ->Introduction</A -></DT -><DT ->3.2. <A -HREF="#AEN342" ->Important Notes About Security</A -></DT -><DD -><DL ><DT ->3.2.1. <A -HREF="#AEN368" ->Advantages of SMB Encryption</A +>34.4. <A +HREF="#AEN5051" +>Getting help from the mailing lists</A ></DT ><DT ->3.2.2. <A -HREF="#AEN374" ->Advantages of non-encrypted passwords</A +>34.5. <A +HREF="#AEN5081" +>How to get off the mailinglists</A ></DT ></DL ></DD ><DT ->3.3. <A -HREF="#AEN380" ->The smbpasswd Command</A -></DT -><DT ->3.4. <A -HREF="#AEN411" ->Plain text</A -></DT -><DT ->3.5. <A -HREF="#AEN416" ->TDB</A -></DT -><DT ->3.6. <A -HREF="#AEN419" ->LDAP</A +>35. <A +HREF="#BUGREPORT" +>Reporting Bugs</A ></DT ><DD ><DL ><DT ->3.6.1. <A -HREF="#AEN421" +>35.1. <A +HREF="#AEN5104" >Introduction</A ></DT ><DT ->3.6.2. <A -HREF="#AEN441" ->Introduction</A -></DT -><DT ->3.6.3. <A -HREF="#AEN470" ->Supported LDAP Servers</A -></DT -><DT ->3.6.4. <A -HREF="#AEN475" ->Schema and Relationship to the RFC 2307 posixAccount</A -></DT -><DT ->3.6.5. <A -HREF="#AEN487" ->Configuring Samba with LDAP</A -></DT -><DT ->3.6.6. 
<A -HREF="#AEN534" ->Accounts and Groups management</A -></DT -><DT ->3.6.7. <A -HREF="#AEN539" ->Security and sambaAccount</A -></DT -><DT ->3.6.8. <A -HREF="#AEN559" ->LDAP specials attributes for sambaAccounts</A -></DT -><DT ->3.6.9. <A -HREF="#AEN629" ->Example LDIF Entries for a sambaAccount</A -></DT -></DL -></DD -><DT ->3.7. <A -HREF="#AEN637" ->MySQL</A +>35.2. <A +HREF="#AEN5114" +>General info</A ></DT -><DD -><DL ><DT ->3.7.1. <A -HREF="#AEN639" ->Creating the database</A +>35.3. <A +HREF="#AEN5120" +>Debug levels</A ></DT ><DT ->3.7.2. <A -HREF="#AEN649" ->Configuring</A +>35.4. <A +HREF="#AEN5141" +>Internal errors</A ></DT ><DT ->3.7.3. <A -HREF="#AEN666" ->Using plaintext passwords or encrypted password</A +>35.5. <A +HREF="#AEN5155" +>Attaching to a running process</A ></DT ><DT ->3.7.4. <A -HREF="#AEN671" ->Getting non-column data from the table</A +>35.6. <A +HREF="#AEN5163" +>Patches</A ></DT ></DL ></DD -><DT ->3.8. <A -HREF="#AEN679" ->XML</A -></DT ></DL ></DD ></DL ></DIV +><DIV +CLASS="PART" +><A +NAME="INTRODUCTION" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +>I. General installation</H1 +></DIV +><DIV +CLASS="PARTINTRO" +><A +NAME="AEN44" +></A +><H1 +>Introduction</H1 +><P +>This part contains general info on how to install samba +and how to configure the parts of samba you will most likely need. +PLEASE read this.</P +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="INTROSMB" +></A +>Chapter 1. Introduction to Samba</H1 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>"If you understand what you're doing, you're not learning anything." +-- Anonymous</I +></SPAN +></P +><P +>Samba is a file and print server for Windows-based clients using TCP/IP as the underlying +transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big +strengths is that you can use it to blend your mix of Windows and Linux machines together +without requiring a separate Windows NT/2000/2003 Server. 
Samba is actively being developed +by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN61" +>1.1. Background</A +></H2 +><P +>Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed +Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was +originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only +ran over UDP. When there was a need to run it over TCP so that it would be compatible +with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became +known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to +license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the +concept continued in the form of SMB (Server Message Block, or the "what") using the +NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can +run SMB (i.e., transport) over several different protocols; many different implementations +arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT +(NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form +of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing +term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445 +only. 
As of yet, direct-hosted TCP has yet to catch on.</P +><P +>Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS: +Common Insecurities Fail Scrutiny:</P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba +stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have +been dutifully waded through during the information-gathering stages of this project, and there +are *still* many missing pieces... While often tedious, at least the way has been generously +littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they +thinking?</I +></SPAN +></P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN67" +>1.2. Terminology</A +></H2 +><P +></P +><UL +><LI +><P +> SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol. + </P +></LI +><LI +><P +> CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently + decided that SMB needed the word "Internet" in it, so they changed it to CIFS. + </P +></LI +><LI +><P +> Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp + only using DNS for name resolution instead of WINS. + </P +></LI +><LI +><P +> IPC: Acronym for "Inter-Process Communication". A method to communicate specific + information between programs. + </P +></LI +><LI +><P +> Marshalling: - A method of serializing (i.e., sequential ordering of) variable data + suitable for transmission via a network connection or storing in a file. The source + data can be re-created using a similar process called unmarshalling. + </P +></LI +><LI +><P +> NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol; + it is a method of communication across an existing protocol. This is a standard which + was originally developed for IBM by Sytek in 1983. 
To exaggerate the analogy a bit, + it can help to think of this in comparison your computer's BIOS -- it controls the + essential functions of your input/output hardware -- whereas NetBIOS controls the + essential functions of your input/output traffic via the network. Again, this is a bit + of an exaggeration but it should help that paradigm shift. What is important to realize + is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically + brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second + thought; this will cause no end (and no doubt) of confusion. + </P +></LI +><LI +><P +> NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI + is a protocol, not a standard. It is also not routable, so traffic on one side of a + router will be unable to communicate with the other side. Understanding NetBEUI is + not essential to deciphering SMB; however it helps to point out that it is not the + same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally + referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver". + It is not often heard from these days. + </P +></LI +><LI +><P +> NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use + of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made + to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports. + This is how file and printer sharing are accomplished in Windows 95/98/ME. They + traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137, + NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service + (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts, + and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002 + (Detailed specifications). 
+ </P +></LI +><LI +><P +> W2K: Acronym for Windows 2000 Professional or Server + </P +></LI +><LI +><P +> W3K: Acronym for Windows 2003 Server + </P +></LI +></UL +><P +>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at +http://www.samba.org). Optionally, you could just search mailing.unix.samba at http://groups.google.com</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN91" +>1.3. Related Projects</A +></H2 +><P +>Currently, there are two projects that are directly related to Samba: SMBFS and CIFS network +client file systems for Linux, both available in the Linux kernel itself.</P +><P +></P +><UL +><LI +><P +> SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol + that Microsoft Windows and OS/2 Lan Manager use to share files and printers + over local networks) and access them just like any other Unix directory. This is useful + if you just want to mount such filesystems without being a SMBFS server. + </P +></LI +><LI +><P +> CIFS (Common Internet File System) is the successor to SMB, and is actively being worked + on in the upcoming version of the Linux kernel. The intent of this module is to + provide advanced network file system functionality including support for dfs (heirarchical + name space), secure per-user session establishment, safe distributed caching (oplock), + optional packet signing, Unicode and other internationalization improvements, and optional + Winbind (nsswitch) integration. + </P +></LI +></UL +><P +>Again, it's important to note that these are implementations for client filesystems, and have +nothing to do with acting as a file and print server for SMB/CIFS clients.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN100" +>1.4. 
SMB Methodology</A +></H2 +><P +>Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns), +UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS +session service, or netbios-ssn). Anyone looking at their network with a good +packet sniffer will be amazed at the amount of traffic generated by just opening +up a single file. In general, SMB sessions are established in the following order:</P +><P +></P +><UL +><LI +><P +> "TCP Connection" - establish 3-way handshake (connection) to port 139/tcp + or 445/tcp. + </P +></LI +><LI +><P +> "NetBIOS Session Request" - using the following "Calling Names": The local + machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS + name plus the 16th character 0x20 + </P +></LI +><LI +><P +> "SMB Negotiate Protocol" - determine the protocol dialect to use, which will + be one of the following: PC Network Program 1.0 (Core) - share level security + mode only; Microsoft Networks 1.03 (Core Plus) - share level security + mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response + Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response + Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response + Authentication + </P +></LI +><LI +><P +> SMB Session Startup. Passwords are encrypted (or not) according to one of + the following methods: Null (no encryption); Cleartext (no encryption); LM + and NTLM; NTLM; NTLMv2 + </P +></LI +><LI +><P +> SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect + to a service type (e.g., IPC$ named pipe) + </P +></LI +></UL +><P +>A good way to examine this process in depth is to try out SecurityFriday's SWB program +at http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html. It allows you to +walk through the establishment of a SMB/CIFS session step by step.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN115" +>1.5. 
Additional Resources</A +></H2 +><P +></P +><UL +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>CIFS: Common Insecurities Fail Scrutiny</I +></SPAN +> by "Hobbit", + http://hr.uoregon.edu/davidrl/cifs.txt + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Doing the Samba on Windows</I +></SPAN +> by Financial Review, + http://afr.com/it/2002/10/01/FFXDF43AP6D.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Implementing CIFS</I +></SPAN +> by Christopher R. Hertel, + http://ubiqx.org/cifs/ + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Just What Is SMB?</I +></SPAN +> by Richard Sharpe, + http://samba.anu.edu.au/cifs/docs/what-is-smb.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Opening Windows Everywhere</I +></SPAN +> by Mike Warfield, + http://www.linux-mag.com/1999-05/samba_01.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SMB HOWTO</I +></SPAN +> by David Wood, + http://www.tldp.org/HOWTO/SMB-HOWTO.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SMB/CIFS by The Root</I +></SPAN +> by "ledin", + http://www.phrack.org/phrack/60/p60-0x0b.txt + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The Story of Samba</I +></SPAN +> by Christopher R. Hertel, + http://www.linux-mag.com/1999-09/samba_01.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The Unofficial Samba HOWTO</I +></SPAN +> by David Lechnyr, + http://hr.uoregon.edu/davidrl/samba/ + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Understanding the Network Neighborhood</I +></SPAN +> by Christopher R. 
Hertel, + http://www.linux-mag.com/2001-05/smb_01.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Using Samba as a PDC</I +></SPAN +> by Andrew Bartlett, + http://www.linux-mag.com/2002-02/samba_01.html + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN151" +>1.6. Epilogue</A +></H2 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>"What's fundamentally wrong is that nobody ever had any taste when they +did it. Microsoft has been very much into making the user interface look good, +but internally it's just a complete mess. And even people who program for Microsoft +and who have had years of experience, just don't know how it works internally. +Worse, nobody dares change it. Nobody dares to fix bugs because it's such a +mess that fixing one bug might just break a hundred programs that depend on +that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested +in making money. They don't have anybody who takes pride in Windows 95 as an +operating system.</I +></SPAN +></P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>People inside Microsoft know it's a bad operating system and they still +continue obviously working on it because they want to get the next version out +because they want to have all these new features to sell more copies of the +system.</I +></SPAN +></P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The problem with that is that over time, when you have this kind of approach, +and because nobody understands it, because nobody REALLY fixes bugs (other than +when they're really obvious), the end result is really messy. You can't trust +it because under certain circumstances it just spontaneously reboots or just +halts in the middle of something that shouldn't be strange. Normally it works +fine and then once in a blue moon for some completely unknown reason, it's dead, +and nobody knows why. 
Not Microsoft, not the experienced user and certainly +not the completely clueless user who probably sits there shivering thinking +"What did I do wrong?" when they didn't do anything wrong at all.</I +></SPAN +></P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>That's what's really irritating to me."</I +></SPAN +></P +><P +>-- Linus Torvalds, from an interview with BOOT Magazine, Sept 1998 +(http://hr.uoregon.edu/davidrl/boot.txt)</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN162" +>1.7. Miscellaneous</A +></H2 +><P +>This chapter was lovingly handcrafted on a Dell Latitude C400 laptop running Slackware Linux 9.0, +in case anyone asks.</P +><P +>This chapter is Copyright © 2003 David Lechnyr (david at lechnyr dot com). +Permission is granted to copy, distribute and/or modify this document under the terms +of the GNU Free Documentation License, Version 1.2 or any later version published by the Free +Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.</P +></DIV ></DIV ><DIV CLASS="CHAPTER" @@ -1534,14 +1839,14 @@ CLASS="CHAPTER" ><A NAME="INSTALL" ></A ->Chapter 1. How to Install and Test SAMBA</H1 +>Chapter 2. How to Install and Test SAMBA</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN65" ->1.1. Obtaining and installing samba</A +NAME="AEN188" +>2.1. Obtaining and installing samba</A ></H2 ><P >Binary packages of samba are included in almost any Linux or @@ -1564,8 +1869,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN71" ->1.2. Configuring samba</A +NAME="AEN194" +>2.2. Configuring samba</A ></H2 ><P >Samba's configuration is stored in the smb.conf file, @@ -1585,8 +1890,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN76" ->1.2.1. Editing the <TT +NAME="AEN199" +>2.2.1. Editing the <TT CLASS="FILENAME" >smb.conf</TT > file</A 
@@ -1646,8 +1951,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN92" ->1.2.1.1. Test your config file with +NAME="AEN215" +>2.2.1.1. Test your config file with <B CLASS="COMMAND" >testparm</B @@ -1680,8 +1985,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN101" ->1.2.2. SWAT</A +NAME="AEN224" +>2.2.2. SWAT</A ></H3 ><P > SWAT is a web-based interface that helps you configure samba. @@ -1708,8 +2013,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN107" ->1.3. Try listing the shares available on your +NAME="AEN230" +>2.3. Try listing the shares available on your server</A ></H2 ><P @@ -1745,8 +2050,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN116" ->1.4. Try connecting with the unix client</A +NAME="AEN239" +>2.4. Try connecting with the unix client</A ></H2 ><P ><SAMP @@ -1815,8 +2120,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN137" ->1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, +NAME="AEN260" +>2.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></H2 ><P @@ -1856,8 +2161,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN150" ->1.6. What If Things Don't Work?</A +NAME="AEN273" +>2.6. What If Things Don't Work?</A ></H2 ><P >Then you might read the file chapter 
@@ -1865,29 +2170,20 @@ NAME="AEN150" HREF="#DIAGNOSIS" >Diagnosis</A > and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. You could - also use the WWW site to scan back issues of the samba-digest.</P -><P ->When you fix the problem <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->please</I -></SPAN -> send some - updates of the documentation (or source code) to one of - the documentation maintainers or the list. - </P + FAQ. If you are still stuck then try to follow + the <A +HREF="#PROBLEMS" +>Analysing and Solving Problems chapter</A +> + Samba has been successfully installed at thousands of sites worldwide, + so maybe someone else has hit your problem and has overcome it. </P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN156" ->1.6.1. Scope IDs</A +NAME="AEN278" +>2.6.1. Scope IDs</A ></H3 ><P >By default Samba uses a blank scope ID. This means @@ -1902,8 +2198,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN159" ->1.6.2. Locking</A +NAME="AEN281" +>2.6.2. Locking</A ></H3 ><P >One area which sometimes causes trouble is locking.</P @@ -1965,7 +2261,7 @@ CLASS="CHAPTER" ><A NAME="BROWSING-QUICK" ></A ->Chapter 2. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</H1 +>Chapter 3. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</H1 ><P >This document should be read in conjunction with Browsing and may be taken as the fast track guide to implementing browsing across subnets @@ -2004,8 +2300,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN183" ->2.1. Discussion</A +NAME="AEN306" +>3.1. Discussion</A ></H2 ><P >Firstly, all MS Windows networking is based on SMB (Server Message 
@@ -2095,8 +2391,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN204" ->2.2. How browsing functions and how to deploy stable and +NAME="AEN327" +>3.2. How browsing functions and how to deploy stable and dependable browsing using Samba</A ></H2 ><P @@ -2175,8 +2471,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN218" ->2.3. Use of the <B +NAME="AEN341" +>3.3. Use of the <B CLASS="COMMAND" >Remote Announce</B > parameter</A @@ -2262,8 +2558,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN241" ->2.4. Use of the <B +NAME="AEN364" +>3.4. Use of the <B CLASS="COMMAND" >Remote Browse Sync</B > parameter</A @@ -2304,8 +2600,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN252" ->2.5. Use of WINS</A +NAME="AEN375" +>3.5. Use of WINS</A ></H2 ><P >Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly 
@@ -2400,14 +2696,50 @@ CLASS="APPLICATION" ></TR ></TABLE ></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN392" +>3.5.1. WINS Replication</A +></H3 +><P +>Samba-3 permits WINS replication through the use of the <TT +CLASS="FILENAME" +>wrepld</TT +> utility. +This tool is not currently capable of being used as it is still in active development. +As soon as this tool becomes moderately functional we will prepare man pages and enhance this +section of the documentation to provide usage and technical details.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN396" +>3.5.2. Static WINS Entries</A +></H3 +><P +>New to Samba-3 is a tool called <TT +CLASS="FILENAME" +>winsedit</TT +> that may be used to add +static WINS entries to the WINS database. This tool can be used also to modify entries +existing in the WINS database.</P +><P +>The development of the winsedit tool was made necessary due to the migration +of the older style wins.dat file into a new tdb binary backend data store.</P +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN269" ->2.6. Do NOT use more than one (1) protocol on MS Windows machines</A +NAME="AEN401" +>3.6. Do NOT use more than one (1) protocol on MS Windows machines</A ></H2 ><P >A very common cause of browsing problems results from installing more than @@ -2449,8 +2781,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN277" ->2.7. Name Resolution Order</A +NAME="AEN409" +>3.7. Name Resolution Order</A ></H2 ><P >Resolution of NetBIOS names to IP addresses can take place using a number @@ -2534,14 +2866,14 @@ CLASS="CHAPTER" ><A NAME="PASSDB" ></A ->Chapter 3. User information database</H1 +>Chapter 4. User information database</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN335" ->3.1. Introduction</A +NAME="AEN469" +>4.1. Introduction</A ></H2 ><P >Old windows clients send plain text passwords over the wire. 
@@ -2581,8 +2913,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN342" ->3.2. Important Notes About Security</A +NAME="AEN476" +>4.2. Important Notes About Security</A ></H2 ><P >The unix and SMB password encryption techniques seem similar 
@@ -2708,44 +3040,62 @@ BORDER="0" ></TABLE ><P ></P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Note :</I -></SPAN >All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.</P + Microsoft SMB/CIFS clients support authentication via the + SMB Challenge/Response mechanism described here. Enabling + clear text authentication does not disable the ability + of the client to participate in encrypted authentication.</P +></TD +></TR +></TABLE +></DIV ><P >MS Windows clients will cache the encrypted password alone. - Even when plain text passwords are re-enabled, through the appropriate - registry change, the plain text password is NEVER cached. This means that - in the event that a network connections should become disconnected (broken) - only the cached (encrypted) password will be sent to the resource server - to affect a auto-reconnect. If the resource server does not support encrypted - passwords the auto-reconnect will fail. <SPAN + Even when plain text passwords are re-enabled, through the appropriate + registry change, the plain text password is NEVER cached. This means that + in the event that a network connections should become disconnected (broken) + only the cached (encrypted) password will be sent to the resource server + to affect a auto-reconnect. If the resource server does not support encrypted + passwords the auto-reconnect will fail. 
<SPAN CLASS="emphasis" ><I CLASS="EMPHASIS" >USE OF ENCRYPTED PASSWORDS - IS STRONGLY ADVISED.</I + IS STRONGLY ADVISED.</I ></SPAN ></P -></TD -></TR -></TABLE -></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN368" ->3.2.1. Advantages of SMB Encryption</A +NAME="AEN502" +>4.2.1. Advantages of SMB Encryption</A ></H3 ><P ></P @@ -2783,8 +3133,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN374" ->3.2.2. Advantages of non-encrypted passwords</A +NAME="AEN508" +>4.2.2. Advantages of non-encrypted passwords</A ></H3 ><P ></P @@ -2818,8 +3168,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN380" ->3.3. The smbpasswd Command</A +NAME="AEN514" +>4.3. The smbpasswd Command</A ></H2 ><P >The smbpasswd utility is a utility similar to the @@ -2921,8 +3271,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN411" ->3.4. Plain text</A +NAME="AEN545" +>4.4. Plain text</A ></H2 ><P >Older versions of samba retrieved user information from the unix user database @@ -2941,8 +3291,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN416" ->3.5. TDB</A +NAME="AEN550" +>4.5. TDB</A ></H2 ><P >Samba can also store the user data in a "TDB" (Trivial Database). Using this backend @@ -2954,16 +3304,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN419" ->3.6. LDAP</A +NAME="AEN553" +>4.6. LDAP</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN421" ->3.6.1. Introduction</A +NAME="AEN555" +>4.6.1. Introduction</A ></H3 ><P >This document describes how to use an LDAP directory for storing Samba user @@ -3030,8 +3380,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN441" ->3.6.2. Introduction</A +NAME="AEN575" +>4.6.2. Introduction</A ></H3 ><P >Traditionally, when configuring <A 
@@ -3086,29 +3436,9 @@ Identified (RID).</P >As a result of these defeciencies, a more robust means of storing user attributes used by smbd was developed. The API which defines access to user accounts is commonly referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support -for a samdb backend (e.g. <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> or -<VAR -CLASS="PARAMETER" ->--with-tdbsam</VAR ->) requires compile time support.</P +API, and is still so named in the CVS trees). </P ><P ->When compiling Samba to include the <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> autoconf -option, smbd (and associated tools) will store and lookup user accounts in -an LDAP directory. In reality, this is very easy to understand. If you are -comfortable with using an smbpasswd file, simply replace "smbpasswd" with -"LDAP directory" in all the documentation.</P -><P ->There are a few points to stress about what the <VAR -CLASS="PARAMETER" ->--with-ldapsam</VAR -> +>There are a few points to stress about what the ldapsam does not provide. The LDAP support referred to in the this documentation does not include:</P ><P @@ -3139,8 +3469,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN470" ->3.6.3. Supported LDAP Servers</A +NAME="AEN599" +>4.6.3. Supported LDAP Servers</A ></H3 ><P >The LDAP samdb code in 2.2.3 (and later) has been developed and tested @@ -3165,8 +3495,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN475" ->3.6.4. Schema and Relationship to the RFC 2307 posixAccount</A +NAME="AEN604" +>4.6.4. Schema and Relationship to the RFC 2307 posixAccount</A ></H3 ><P >Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in 
@@ -3222,16 +3552,16 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN487" ->3.6.5. Configuring Samba with LDAP</A +NAME="AEN616" +>4.6.5. Configuring Samba with LDAP</A ></H3 ><DIV CLASS="SECT3" ><H4 CLASS="SECT3" ><A -NAME="AEN489" ->3.6.5.1. OpenLDAP configuration</A +NAME="AEN618" +>4.6.5.1. OpenLDAP configuration</A ></H4 ><P >To include support for the sambaAccount object in an OpenLDAP directory @@ -3277,9 +3607,7 @@ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/samba.schema - -## uncomment this line if you want to support the RFC2307 (NIS) schema -## include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/nis.schema ....</PRE ></P @@ -3312,8 +3640,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN506" ->3.6.5.2. Configuring Samba</A +NAME="AEN635" +>4.6.5.2. Configuring Samba</A ></H4 ><P >The following parameters are available in smb.conf only with <VAR @@ -3428,8 +3756,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN534" ->3.6.6. Accounts and Groups management</A +NAME="AEN663" +>4.6.6. Accounts and Groups management</A ></H3 ><P >As users accounts are managed thru the sambaAccount objectclass, you should @@ -3453,8 +3781,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN539" ->3.6.7. Security and sambaAccount</A +NAME="AEN668" +>4.6.7. Security and sambaAccount</A ></H3 ><P >There are two important points to remember when discussing the security 
@@ -3489,9 +3817,8 @@ CLASS="EMPHASIS" >These password hashes are clear text equivalents and can be used to impersonate the user without deriving the original clear text strings. For more information on the details of LM/NT password hashes, refer to the <A -HREF="ENCRYPTION.html" -TARGET="_top" ->ENCRYPTION chapter</A +HREF="#PASSDB" +>User Database</A > of the Samba-HOWTO-Collection.</P ><P >To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults @@ -3532,8 +3859,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN559" ->3.6.8. LDAP specials attributes for sambaAccounts</A +NAME="AEN688" +>4.6.8. LDAP specials attributes for sambaAccounts</A ></H3 ><P >The sambaAccount objectclass is composed of the following attributes:</P @@ -3739,8 +4066,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN629" ->3.6.9. Example LDIF Entries for a sambaAccount</A +NAME="AEN758" +>4.6.9. Example LDIF Entries for a sambaAccount</A ></H3 ><P >The following is a working LDIF with the inclusion of the posixAccount objectclass:</P @@ -3798,16 +4125,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN637" ->3.7. MySQL</A +NAME="AEN766" +>4.7. MySQL</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN639" ->3.7.1. Creating the database</A +NAME="AEN768" +>4.7.1. Creating the database</A ></H3 ><P >You either can set up your own table and specify the field names to pdb_mysql (see below @@ -3842,8 +4169,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN649" ->3.7.2. Configuring</A +NAME="AEN778" +>4.7.2. Configuring</A ></H3 ><P >This plugin lacks some good documentation, but here is some short info:</P @@ -3953,8 +4280,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN666" ->3.7.3. Using plaintext passwords or encrypted password</A +NAME="AEN795" +>4.7.3. Using plaintext passwords or encrypted password</A ></H3 ><P >I strongly discourage the use of plaintext passwords, however, you can use them:</P 
@@ -3968,8 +4295,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN671" ->3.7.4. Getting non-column data from the table</A +NAME="AEN800" +>4.7.4. Getting non-column data from the table</A ></H3 ><P >It is possible to have not all data in the database and making some 'constant'.</P @@ -3994,8 +4321,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN679" ->3.8. XML</A +NAME="AEN808" +>4.8. XML</A ></H2 ><P >This module requires libxml2 to be installed.</P @@ -4029,10 +4356,11 @@ CLASS="TITLEPAGE" ><H1 CLASS="TITLE" >II. Type of installation</H1 +></DIV ><DIV CLASS="PARTINTRO" ><A -NAME="AEN688" +NAME="AEN817" ></A ><H1 >Introduction</H1 
@@ -4041,308 +4369,12 @@ NAME="AEN688" for various environments.</P ></DIV ><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->4. <A -HREF="#SERVERTYPE" ->Nomenclature of Server Types</A -></DT -><DD -><DL -><DT ->4.1. <A -HREF="#AEN717" ->Stand Alone Server</A -></DT -><DT ->4.2. <A -HREF="#AEN724" ->Domain Member Server</A -></DT -><DT ->4.3. <A -HREF="#AEN730" ->Domain Controller</A -></DT -><DD -><DL -><DT ->4.3.1. <A -HREF="#AEN733" ->Domain Controller Types</A -></DT -></DL -></DD -></DL -></DD -><DT ->5. <A -HREF="#SECURITYLEVELS" ->Samba as Stand-Alone Server</A -></DT -><DD -><DL -><DT ->5.1. <A -HREF="#AEN766" ->User and Share security level</A -></DT -><DD -><DL -><DT ->5.1.1. <A -HREF="#AEN769" ->User Level Security</A -></DT -><DT ->5.1.2. <A -HREF="#AEN779" ->Share Level Security</A -></DT -><DT ->5.1.3. <A -HREF="#AEN785" ->Server Level Security</A -></DT -><DT ->5.1.4. <A -HREF="#AEN825" ->Domain Level Security</A -></DT -><DT ->5.1.5. <A -HREF="#AEN848" ->ADS Level Security</A -></DT -></DL -></DD -></DL -></DD -><DT ->6. <A -HREF="#SAMBA-PDC" ->Samba as an NT4 or Win2k Primary Domain Controller</A -></DT -><DD -><DL -><DT ->6.1. <A -HREF="#AEN878" ->Prerequisite Reading</A -></DT -><DT ->6.2. <A -HREF="#AEN883" ->Background</A -></DT -><DT ->6.3. <A -HREF="#AEN923" ->Configuring the Samba Domain Controller</A -></DT -><DT ->6.4. <A -HREF="#AEN965" ->Creating Machine Trust Accounts and Joining Clients to the Domain</A -></DT -><DD -><DL -><DT ->6.4.1. <A -HREF="#AEN1008" ->Manual Creation of Machine Trust Accounts</A -></DT -><DT ->6.4.2. <A -HREF="#AEN1049" ->"On-the-Fly" Creation of Machine Trust Accounts</A -></DT -><DT ->6.4.3. <A -HREF="#AEN1058" ->Joining the Client to the Domain</A -></DT -></DL -></DD -><DT ->6.5. <A -HREF="#AEN1073" ->Common Problems and Errors</A -></DT -><DT ->6.6. <A -HREF="#AEN1119" ->What other help can I get?</A -></DT -><DT ->6.7. 
<A -HREF="#AEN1233" ->Domain Control for Windows 9x/ME</A -></DT -><DD -><DL -><DT ->6.7.1. <A -HREF="#AEN1256" ->Configuration Instructions: Network Logons</A -></DT -></DL -></DD -></DL -></DD -><DT ->7. <A -HREF="#SAMBA-BDC" ->Samba Backup Domain Controller to Samba Domain Control</A -></DT -><DD -><DL -><DT ->7.1. <A -HREF="#AEN1286" ->Prerequisite Reading</A -></DT -><DT ->7.2. <A -HREF="#AEN1290" ->Background</A -></DT -><DT ->7.3. <A -HREF="#AEN1298" ->What qualifies a Domain Controller on the network?</A -></DT -><DD -><DL -><DT ->7.3.1. <A -HREF="#AEN1301" ->How does a Workstation find its domain controller?</A -></DT -><DT ->7.3.2. <A -HREF="#AEN1304" ->When is the PDC needed?</A -></DT -></DL -></DD -><DT ->7.4. <A -HREF="#AEN1307" ->Can Samba be a Backup Domain Controller to an NT PDC?</A -></DT -><DT ->7.5. <A -HREF="#AEN1312" ->How do I set up a Samba BDC?</A -></DT -><DD -><DL -><DT ->7.5.1. <A -HREF="#AEN1329" ->How do I replicate the smbpasswd file?</A -></DT -><DT ->7.5.2. <A -HREF="#AEN1333" ->Can I do this all with LDAP?</A -></DT -></DL -></DD -></DL -></DD -><DT ->8. <A -HREF="#ADS" ->Samba as a ADS domain member</A -></DT -><DD -><DL -><DT ->8.1. <A -HREF="#AEN1355" ->Setup your <TT -CLASS="FILENAME" ->smb.conf</TT -></A -></DT -><DT ->8.2. <A -HREF="#AEN1368" ->Setup your <TT -CLASS="FILENAME" ->/etc/krb5.conf</TT -></A -></DT -><DT ->8.3. <A -HREF="#ADS-CREATE-MACHINE-ACCOUNT" ->Create the computer account</A -></DT -><DD -><DL -><DT ->8.3.1. <A -HREF="#AEN1396" ->Possible errors</A -></DT -></DL -></DD -><DT ->8.4. <A -HREF="#ADS-TEST-SERVER" ->Test your server setup</A -></DT -><DT ->8.5. <A -HREF="#ADS-TEST-SMBCLIENT" ->Testing with <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -></A -></DT -><DT ->8.6. <A -HREF="#AEN1416" ->Notes</A -></DT -></DL -></DD -><DT ->9. <A -HREF="#DOMAIN-SECURITY" ->Samba as a NT4 or Win2k domain member</A -></DT -><DD -><DL -><DT ->9.1. 
<A -HREF="#AEN1439" ->Joining an NT Domain with Samba 3.0</A -></DT -><DT ->9.2. <A -HREF="#AEN1493" ->Why is this better than security = server?</A -></DT -></DL -></DD -></DL -></DIV -></DIV -><DIV CLASS="CHAPTER" ><HR><H1 ><A NAME="SERVERTYPE" ></A ->Chapter 4. Nomenclature of Server Types</H1 +>Chapter 5. Nomenclature of Server Types</H1 ><P >Adminstrators of Microsoft networks often refer to there being three different type of servers:</P @@ -4387,8 +4419,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN717" ->4.1. Stand Alone Server</A +NAME="AEN847" +>5.1. Stand Alone Server</A ></H2 ><P >The term <SPAN @@ -4430,8 +4462,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN724" ->4.2. Domain Member Server</A +NAME="AEN854" +>5.2. Domain Member Server</A ></H2 ><P >This mode of server operation involves the samba machine being made a member @@ -4460,8 +4492,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN730" ->4.3. Domain Controller</A +NAME="AEN860" +>5.3. Domain Controller</A ></H2 ><P >Over the years public perceptions of what Domain Control really is has taken on an @@ -4472,8 +4504,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN733" ->4.3.1. Domain Controller Types</A +NAME="AEN863" +>5.3.1. Domain Controller Types</A ></H3 ><P ></P @@ -4541,7 +4573,7 @@ CLASS="emphasis" CLASS="EMPHASIS" >ADS Domain Controller</I ></SPAN ->. </P +>.</P ></DIV ></DIV ></DIV @@ -4551,7 +4583,7 @@ CLASS="CHAPTER" ><A NAME="SECURITYLEVELS" ></A ->Chapter 5. Samba as Stand-Alone Server</H1 +>Chapter 6. Samba as Stand-Alone Server</H1 ><P >In this section the function and purpose of Samba's <SPAN CLASS="emphasis" @@ -4566,8 +4598,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN766" ->5.1. User and Share security level</A +NAME="AEN897" +>6.1. User and Share security level</A ></H2 ><P >A SMB server tells the client at startup what "security level" it is 
@@ -4584,8 +4616,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN769" ->5.1.1. User Level Security</A +NAME="AEN900" +>6.1.1. User Level Security</A ></H3 ><P >I'll describe user level security first, as its simpler. In user level @@ -4625,8 +4657,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN779" ->5.1.2. Share Level Security</A +NAME="AEN910" +>6.1.2. Share Level Security</A ></H3 ><P >Ok, now for share level security. In share level security the client @@ -4662,8 +4694,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN785" ->5.1.3. Server Level Security</A +NAME="AEN916" +>6.1.3. Server Level Security</A ></H3 ><P >Finally "server level" security. In server level security the samba @@ -4698,8 +4730,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN790" ->5.1.3.1. Configuring Samba for Seemless Windows Network Integration</A +NAME="AEN921" +>6.1.3.1. Configuring Samba for Seemless Windows Network Integration</A ></H4 ><P >MS Windows clients may use encrypted passwords as part of a challenege/response @@ -4810,8 +4842,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN816" ->5.1.3.2. Use MS Windows NT as an authentication server</A +NAME="AEN947" +>6.1.3.2. Use MS Windows NT as an authentication server</A ></H4 ><P >This method involves the additions of the following parameters in the <TT @@ -4849,8 +4881,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN825" ->5.1.4. Domain Level Security</A +NAME="AEN956" +>6.1.4. Domain Level Security</A ></H3 ><P >When samba is operating in <SPAN @@ -4867,8 +4899,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN829" ->5.1.4.1. Samba as a member of an MS Windows NT security domain</A +NAME="AEN960" +>6.1.4.1. Samba as a member of an MS Windows NT security domain</A ></H4 ><P >This method involves additon of the following paramters in the <TT 
@@ -4936,8 +4968,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN848" ->5.1.5. ADS Level Security</A +NAME="AEN979" +>6.1.5. ADS Level Security</A ></H3 ><P >For information about the configuration option please refer to the entire section entitled @@ -4957,37 +4989,32 @@ CLASS="CHAPTER" ><A NAME="SAMBA-PDC" ></A ->Chapter 6. Samba as an NT4 or Win2k Primary Domain Controller</H1 +>Chapter 7. Samba as an NT4 or Win2k Primary Domain Controller</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN878" ->6.1. Prerequisite Reading</A +NAME="AEN1010" +>7.1. Prerequisite Reading</A ></H2 ><P >Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services in smb.conf and how to enable and administer password encryption in Samba. Theses two topics are covered in the -<A -HREF="smb.conf.5.html" -TARGET="_top" -><TT +<TT CLASS="FILENAME" ->smb.conf(5)</TT -></A -> -manpage.</P +>smb.conf</TT +> manpage.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN883" ->6.2. Background</A +NAME="AEN1014" +>7.2. Background</A ></H2 ><P >This article outlines the steps necessary for configuring Samba as a PDC. @@ -5133,19 +5160,17 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN923" ->6.3. Configuring the Samba Domain Controller</A +NAME="AEN1054" +>7.3. Configuring the Samba Domain Controller</A ></H2 ><P >The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. Here we attempt to explain the parameters that are covered in -<A -HREF="smb.conf.5.html" -TARGET="_top" -> the smb.conf -man page</A ->.</P +the <TT +CLASS="FILENAME" +>smb.conf</TT +> man page.</P ><P >Here is an example <TT CLASS="FILENAME" @@ -5297,7 +5322,7 @@ TARGET="_top" > Encrypted passwords must be enabled. For more details on how to do this, refer to <A HREF="#PASSDB" ->ENCRYPTION.html</A +>the User Database chapter</A >. </P ></LI 
@@ -5329,8 +5354,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN965" ->6.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A +NAME="AEN1096" +>7.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A ></H2 ><P >A machine trust account is a Samba account that is used to @@ -5432,7 +5457,10 @@ CLASS="EMPHASIS" file allows the creation of arbitrary user and machine accounts without requiring that account to be added to the system (/etc/passwd) file. It too requires the specification of the "non unix account range" option - in the [globals] section of the smb.conf file. + in the [globals] section of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file. </P ></LI ><LI @@ -5461,6 +5489,12 @@ CLASS="EMPHASIS" ></LI ></UL ><P +>Read the chapter about the <A +HREF="#PASSDB" +>User Database</A +> +for details.</P +><P >A Samba PDC, however, stores each machine trust account in two parts, as follows: @@ -5515,8 +5549,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1008" ->6.4.1. Manual Creation of Machine Trust Accounts</A +NAME="AEN1142" +>7.4.1. Manual Creation of Machine Trust Accounts</A ></H3 ><P >The first step in manually creating a machine trust account is to @@ -5621,12 +5655,12 @@ as shown here:</P ><SAMP CLASS="PROMPT" >root# </SAMP -><B -CLASS="COMMAND" +><KBD +CLASS="USERINPUT" >smbpasswd -a -m <VAR CLASS="REPLACEABLE" >machine_name</VAR -></B +></KBD ></P ><P >where <VAR @@ -5685,8 +5719,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1049" ->6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A +NAME="AEN1183" +>7.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A ></H3 ><P >The second (and recommended) way of creating machine trust accounts is 
@@ -5722,8 +5756,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1058" ->6.4.3. Joining the Client to the Domain</A +NAME="AEN1192" +>7.4.3. Joining the Client to the Domain</A ></H3 ><P >The procedure for joining a client to the domain varies with the @@ -5782,6 +5816,22 @@ CLASS="EMPHASIS" (i.e., you must supply a Samba administrative account when prompted).</P ></LI +><LI +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Samba</I +></SPAN +></P +><P +>Joining a samba client to a domain is documented in + the <A +HREF="#DOMAIN-MEMBER" +>Domain Member</A +> chapter.</P +></LI ></UL ></DIV ></DIV 
@@ -5790,627 +5840,141 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1073" ->6.5. Common Problems and Errors</A +NAME="AEN1212" +>7.5. Common Problems and Errors</A ></H2 +><DIV +CLASS="SECT2" +><H3 +CLASS="SECT2" +><A +NAME="AEN1214" +>7.5.1. I cannot include a '$' in a machine name</A +></H3 ><P -></P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->I cannot include a '$' in a machine name.</I -></SPAN -> - </P -><P -> A 'machine name' in (typically) <TT +>A 'machine name' in (typically) <TT CLASS="FILENAME" >/etc/passwd</TT > - of the machine name with a '$' appended. FreeBSD (and other BSD - systems?) won't create a user with a '$' in their name. - </P +of the machine name with a '$' appended. FreeBSD (and other BSD +systems?) won't create a user with a '$' in their name.</P ><P -> The problem is only in the program used to make the entry, once - made, it works perfectly. So create a user without the '$' and - use <B +>The problem is only in the program used to make the entry, once +made, it works perfectly. So create a user without the '$' and +use <B CLASS="COMMAND" >vipw</B > to edit the entry, adding the '$'. Or create - the whole entry with vipw if you like, make sure you use a - unique User ID ! - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->I get told "You already have a connection to the Domain...." - or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine trust account.</I -></SPAN -> - </P +the whole entry with vipw if you like, make sure you use a +unique User ID !</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN1220" +>7.5.2. I get told "You already have a connection to the Domain...." +or "Cannot join domain, the credentials supplied conflict with an +existing set.." 
when creating a machine trust account.</A +></H3 ><P -> This happens if you try to create a machine trust account from the - machine itself and already have a connection (e.g. mapped drive) - to a share (or IPC$) on the Samba PDC. The following command - will remove all network drive connections: - </P +>This happens if you try to create a machine trust account from the +machine itself and already have a connection (e.g. mapped drive) +to a share (or IPC$) on the Samba PDC. The following command +will remove all network drive connections:</P ><P -> <SAMP +><SAMP CLASS="PROMPT" >C:\WINNT\></SAMP > <B CLASS="COMMAND" >net use * /d</B -> - </P -><P -> Further, if the machine is a already a 'member of a workgroup' that - is the same name as the domain you are joining (bad idea) you will - get this message. Change the workgroup name to something else, it - does not matter what, reboot, and try again. - </P -></LI -><LI +></P ><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->The system can not log you on (C000019B)....</I -></SPAN -> - </P +>Further, if the machine is a already a 'member of a workgroup' that +is the same name as the domain you are joining (bad idea) you will +get this message. Change the workgroup name to something else, it +does not matter what, reboot, and try again.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN1227" +>7.5.3. The system can not log you on (C000019B)....</A +></H3 ><P >I joined the domain successfully but after upgrading - to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try again or consult your - system administrator" when attempting to logon. - </P -><P -> This occurs when the domain SID stored in the secrets.tdb database - is changed. The most common cause of a change in domain SID is when - the domain name and/or the server name (netbios name) is changed. 
- The only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. The domain - SID may be reset using either the smbpasswd or rpcclient utilities. - </P -></LI -><LI +to a newer version of the Samba code I get the message, "The system +can not log you on (C000019B), Please try again or consult your +system administrator" when attempting to logon.</P ><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->The machine trust account for this computer either does not - exist or is not accessible.</I -></SPAN -> - </P +>This occurs when the domain SID stored in the secrets.tdb database +is changed. The most common cause of a change in domain SID is when +the domain name and/or the server name (netbios name) is changed. +The only way to correct the problem is to restore the original domain +SID or remove the domain client from the domain and rejoin. The domain +SID may be reset using either the smbpasswd or rpcclient utilities.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN1231" +>7.5.4. The machine trust account for this computer either does not +exist or is not accessible.</A +></H3 ><P -> When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". What's - wrong? - </P +>When I try to join the domain I get the message "The machine account +for this computer either does not exist or is not accessible". What's +wrong?</P ><P -> This problem is caused by the PDC not having a suitable machine trust account. - If you are using the <VAR +>This problem is caused by the PDC not having a suitable machine trust account. +If you are using the <VAR CLASS="PARAMETER" >add user script</VAR > method to create - accounts then this would indicate that it has not worked. Ensure the domain - admin user system is working. 
- </P -><P -> Alternatively if you are creating account entries manually then they - have not been created correctly. Make sure that you have the entry - correct for the machine trust account in smbpasswd file on the Samba PDC. - If you added the account using an editor rather than using the smbpasswd - utility, make sure that the account name is the machine NetBIOS name - with a '$' appended to it ( i.e. computer_name$ ). There must be an entry - in both /etc/passwd and the smbpasswd file. Some people have reported - that inconsistent subnet masks between the Samba server and the NT - client have caused this problem. Make sure that these are consistent - for both client and server. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->When I attempt to login to a Samba Domain from a NT4/W2K workstation, - I get a message about my account being disabled.</I -></SPAN -> - </P -><P -> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is - fixed in 2.2.1. Other symptoms could be unaccessible shares on - NT/W2K member servers in the domain or the following error in your smbd.log: - passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% - </P -><P -> At first be ensure to enable the useraccounts with <B -CLASS="COMMAND" ->smbpasswd -e - %user%</B ->, this is normally done, when you create an account. - </P -><P -> In order to work around this problem in 2.2.0, configure the - <VAR -CLASS="PARAMETER" ->account</VAR -> control flag in - <TT -CLASS="FILENAME" ->/etc/pam.d/samba</TT -> file as follows: - </P -><P -><PRE -CLASS="PROGRAMLISTING" -> account required pam_permit.so - </PRE -></P +accounts then this would indicate that it has not worked. Ensure the domain +admin user system is working.</P ><P -> If you want to remain backward compatibility to samba 2.0.x use - <TT -CLASS="FILENAME" ->pam_permit.so</TT ->, it's also possible to use - <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->. 
There are some bugs if you try to - use <TT -CLASS="FILENAME" ->pam_unix.so</TT ->, if you need this, be ensure to use - the most recent version of this file. - </P -></LI -></UL +>Alternatively if you are creating account entries manually then they +have not been created correctly. Make sure that you have the entry +correct for the machine trust account in smbpasswd file on the Samba PDC. +If you added the account using an editor rather than using the smbpasswd +utility, make sure that the account name is the machine NetBIOS name +with a '$' appended to it ( i.e. computer_name$ ). There must be an entry +in both /etc/passwd and the smbpasswd file. Some people have reported +that inconsistent subnet masks between the Samba server and the NT +client have caused this problem. Make sure that these are consistent +for both client and server.</P ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN1119" ->6.6. What other help can I get?</A -></H2 -><P ->There are many sources of information available in the form -of mailing lists, RFC's and documentation. The docs that come -with the samba distribution contain very good explanations of -general SMB topics such as browsing.</P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->What are some diagnostics tools I can use to debug the domain logon - process and where can I find them?</I -></SPAN -> - </P -><P -> One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specify what - 'debug level' at which to run. See the man pages on smbd, nmbd and - smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to 10 (100 for debugging passwords). - </P -><P -> Another helpful method of debugging is to compile samba using the - <B -CLASS="COMMAND" ->gcc -g </B -> flag. 
This will include debug - information in the binaries and allow you to attach gdb to the - running smbd / nmbd process. In order to attach gdb to an smbd - process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box - is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. - </P -><P -> Some useful samba commands worth investigating: - </P -><P -></P -><UL -><LI -><P ->testparam | more</P -></LI -><LI -><P ->smbclient -L //{netbios name of server}</P -></LI -></UL -><P -> An SMB enabled version of tcpdump is available from - <A -HREF="http://www.tcpdump.org/" -TARGET="_top" ->http://www.tcpdup.org/</A ->. - Ethereal, another good packet sniffer for Unix and Win32 - hosts, can be downloaded from <A -HREF="http://www.ethereal.com/" -TARGET="_top" ->http://www.ethereal.com</A ->. - </P -><P -> For tracing things on the Microsoft Windows NT, Network Monitor - (aka. netmon) is available on the Microsoft Developer Network CD's, - the Windows NT Server install CD and the SMS CD's. The version of - netmon that ships with SMS allows for dumping packets between any two - computers (i.e. placing the network interface in promiscuous mode). - The version on the NT Server install CD will only allow monitoring - of network traffic directed to the local NT box and broadcasts on the - local subnet. Be aware that Ethereal can read and write netmon - formatted files. 
- </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I install 'Network Monitor' on an NT Workstation - or a Windows 9x box?</I -></SPAN -> - </P -><P -> Installing netmon on an NT workstation requires a couple - of steps. The following are for installing Netmon V4.00.349, which comes - with Microsoft Windows NT Server 4.0, on Microsoft Windows NT - Workstation 4.0. The process should be similar for other version of - Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD. - </P -><P -> Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. To do this - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add </P -></LI -><LI -><P ->Select the 'Network Monitor Tools and Agent' and - click on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. - </P -></LI -><LI -><P ->Insert the Windows NT Server 4.0 install CD - when prompted.</P -></LI -></UL -><P -> At this point the Netmon files should exist in - <TT -CLASS="FILENAME" ->%SYSTEMROOT%\System32\netmon\*.*</TT ->. - Two subdirectories exist as well, <TT -CLASS="FILENAME" ->parsers\</TT -> - which contains the necessary DLL's for parsing the netmon packet - dump, and <TT -CLASS="FILENAME" ->captures\</TT ->. - </P -><P -> In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - - Network - Services - Add</P -></LI -><LI -><P ->Select the 'Network Monitor Agent' and click - on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel. 
- </P -></LI -><LI -><P ->Insert the Windows NT Workstation 4.0 install - CD when prompted.</P -></LI -></UL -><P -> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* - to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set - permissions as you deem appropriate for your site. You will need - administrative rights on the NT box to run netmon. - </P -><P -> To install Netmon on a Windows 9x box install the network monitor agent - from the Windows 9x CD (\admin\nettools\netmon). There is a readme - file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working - Netmon installation. - </P -></LI -><LI -><P -> The following is a list if helpful URLs and other links: - </P -><P -></P -><UL -><LI -><P ->Home of Samba site <A -HREF="http://samba.org" -TARGET="_top" -> http://samba.org</A ->. We have a mirror near you !</P -></LI -><LI -><P -> The <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Development</I -></SPAN -> document - on the Samba mirrors might mention your problem. If so, - it might mean that the developers are working on it.</P -></LI -><LI -><P ->See how Scott Merrill simulates a BDC behavior at - <A -HREF="http://www.skippy.net/linux/smb-howto.html" -TARGET="_top" -> http://www.skippy.net/linux/smb-howto.html</A ->. 
</P -></LI -><LI -><P ->Although 2.0.7 has almost had its day as a PDC, David Bannon will - keep the 2.0.7 PDC pages at <A -HREF="http://bioserve.latrobe.edu.au/samba" -TARGET="_top" -> http://bioserve.latrobe.edu.au/samba</A -> going for a while yet.</P -></LI -><LI -><P ->Misc links to CIFS information - <A -HREF="http://samba.org/cifs/" -TARGET="_top" ->http://samba.org/cifs/</A -></P -></LI -><LI -><P ->NT Domains for Unix <A -HREF="http://mailhost.cb1.com/~lkcl/ntdom/" -TARGET="_top" -> http://mailhost.cb1.com/~lkcl/ntdom/</A -></P -></LI -><LI -><P ->FTP site for older SMB specs: - <A -HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" -TARGET="_top" -> ftp://ftp.microsoft.com/developr/drg/CIFS/</A -></P -></LI -></UL -></LI -></UL -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get help from the mailing lists?</I -></SPAN -> - </P -><P -> There are a number of Samba related mailing lists. Go to <A -HREF="http://samba.org" -TARGET="_top" ->http://samba.org</A ->, click on your nearest mirror - and then click on <B -CLASS="COMMAND" ->Support</B -> and then click on <B -CLASS="COMMAND" -> Samba related mailing lists</B ->. - </P -><P -> For questions relating to Samba TNG go to - <A -HREF="http://www.samba-tng.org/" -TARGET="_top" ->http://www.samba-tng.org/</A -> - It has been requested that you don't post questions about Samba-TNG to the - main stream Samba lists.</P -><P -> If you post a message to one of the lists please observe the following guide lines : - </P -><P -></P -><UL -><LI -><P -> Always remember that the developers are volunteers, they are - not paid and they never guarantee to produce a particular feature at - a particular time. Any time lines are 'best guess' and nothing more. - </P -></LI -><LI -><P -> Always mention what version of samba you are using and what - operating system its running under. 
You should probably list the - relevant sections of your smb.conf file, at least the options - in [global] that affect PDC support.</P -></LI -><LI -><P ->In addition to the version, if you obtained Samba via - CVS mention the date when you last checked it out.</P -></LI -><LI -><P -> Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html).</P -></LI -><LI -><P -> If you run one of those nifty 'I'm on holidays' things when - you are away, make sure its configured to not answer mailing lists. - </P -></LI -><LI -><P -> Don't cross post. Work out which is the best list to post to - and see what happens, i.e. don't post to both samba-ntdom and samba-technical. - Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more times. - Often someone will see a message and thinking it would be better dealt - with on another, will forward it on for you.</P -></LI -><LI -><P ->You might include <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->partial</I -></SPAN -> - log files written at a debug level set to as much as 20. - Please don't send the entire log but enough to give the context of the - error messages.</P -></LI -><LI -><P ->(Possibly) If you have a complete netmon trace ( from the opening of - the pipe to the error ) you can send the *.CAP file as well.</P -></LI -><LI -><P ->Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. The samba - mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory?</P -></LI -></UL -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get off the mailing lists?</I -></SPAN -> - </P +NAME="AEN1237" +>7.5.5. 
When I attempt to login to a Samba Domain from a NT4/W2K workstation, +I get a message about my account being disabled.</A +></H3 ><P ->To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to <A -HREF="http://lists.samba.org/" -TARGET="_top" ->http://lists.samba.org</A ->, - click on your nearest mirror and then click on <B -CLASS="COMMAND" ->Support</B -> and - then click on <B +>At first be ensure to enable the useraccounts with <B CLASS="COMMAND" -> Samba related mailing lists</B ->. Or perhaps see - <A -HREF="http://lists.samba.org/mailman/roster/samba-ntdom" -TARGET="_top" ->here</A -> - </P -><P -> Please don't post messages to the list asking to be removed, you will just - be referred to the above address (unless that process failed in some way...) - </P -></LI -></UL +>smbpasswd -e +%user%</B +>, this is normally done, when you create an account.</P +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1233" ->6.7. Domain Control for Windows 9x/ME</A +NAME="AEN1241" +>7.6. Domain Control for Windows 9x/ME</A ></H2 ><P >A domain and a workgroup are exactly the same thing in terms of network @@ -6508,8 +6072,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1256" ->6.7.1. Configuration Instructions: Network Logons</A +NAME="AEN1264" +>7.6.1. Configuration Instructions: Network Logons</A ></H3 ><P >The main difference between a PDC and a Windows 9x logon @@ -6617,14 +6181,14 @@ CLASS="CHAPTER" ><A NAME="SAMBA-BDC" ></A ->Chapter 7. Samba Backup Domain Controller to Samba Domain Control</H1 +>Chapter 8. Samba Backup Domain Controller to Samba Domain Control</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1286" ->7.1. Prerequisite Reading</A +NAME="AEN1294" +>8.1. Prerequisite Reading</A ></H2 ><P >Before you continue reading in this chapter, please make sure 
@@ -6640,8 +6204,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1290" ->7.2. Background</A +NAME="AEN1298" +>8.2. Background</A ></H2 ><P >What is a Domain Controller? It is a machine that is able to answer @@ -6685,8 +6249,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1298" ->7.3. What qualifies a Domain Controller on the network?</A +NAME="AEN1306" +>8.3. What qualifies a Domain Controller on the network?</A ></H2 ><P >Every machine that is a Domain Controller for the domain SAMBA has to @@ -6702,8 +6266,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1301" ->7.3.1. How does a Workstation find its domain controller?</A +NAME="AEN1309" +>8.3.1. How does a Workstation find its domain controller?</A ></H3 ><P >A NT workstation in the domain SAMBA that wants a local user to be @@ -6721,8 +6285,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1304" ->7.3.2. When is the PDC needed?</A +NAME="AEN1312" +>8.3.2. When is the PDC needed?</A ></H3 ><P >Whenever a user wants to change his password, this has to be done on @@ -6737,8 +6301,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1307" ->7.4. Can Samba be a Backup Domain Controller to an NT PDC?</A +NAME="AEN1315" +>8.4. Can Samba be a Backup Domain Controller to an NT PDC?</A ></H2 ><P >With version 2.2, no. The native NT SAM replication protocols have @@ -6760,8 +6324,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1312" ->7.5. How do I set up a Samba BDC?</A +NAME="AEN1320" +>8.5. How do I set up a Samba BDC?</A ></H2 ><P >Several things have to be done:</P @@ -6827,8 +6391,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1329" ->7.5.1. How do I replicate the smbpasswd file?</A +NAME="AEN1337" +>8.5.1. How do I replicate the smbpasswd file?</A ></H3 ><P >Replication of the smbpasswd file is sensitive. It has to be done 
@@ -6848,8 +6412,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1333" ->7.5.2. Can I do this all with LDAP?</A +NAME="AEN1341" +>8.5.2. Can I do this all with LDAP?</A ></H3 ><P >The simple answer is YES. Samba's pdb_ldap code supports @@ -6866,7 +6430,7 @@ CLASS="CHAPTER" ><A NAME="ADS" ></A ->Chapter 8. Samba as a ADS domain member</H1 +>Chapter 9. Samba as a ADS domain member</H1 ><P >This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. </P @@ -6875,8 +6439,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1355" ->8.1. Setup your <TT +NAME="AEN1364" +>9.1. Setup your <TT CLASS="FILENAME" >smb.conf</TT ></A @@ -6943,8 +6507,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1368" ->8.2. Setup your <TT +NAME="AEN1377" +>9.2. Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT ></A @@ -7049,7 +6613,7 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="ADS-CREATE-MACHINE-ACCOUNT" ->8.3. Create the computer account</A +>9.3. Create the computer account</A ></H2 ><P >As a user that has write permission on the Samba private directory @@ -7063,8 +6627,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1396" ->8.3.1. Possible errors</A +NAME="AEN1405" +>9.3.1. Possible errors</A ></H3 ><P ><P @@ -7089,7 +6653,7 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="ADS-TEST-SERVER" ->8.4. Test your server setup</A +>9.4. Test your server setup</A ></H2 ><P >On a Windows 2000 client try <KBD @@ -7109,7 +6673,7 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="ADS-TEST-SMBCLIENT" ->8.5. Testing with <SPAN +>9.5. Testing with <SPAN CLASS="APPLICATION" >smbclient</SPAN ></A @@ -7133,8 +6697,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1416" ->8.6. Notes</A +NAME="AEN1425" +>9.6. Notes</A ></H2 ><P >You must change administrator password at least once after DC 
@@ -7148,16 +6712,16 @@ install, to create the right encoding types</P CLASS="CHAPTER" ><HR><H1 ><A -NAME="DOMAIN-SECURITY" +NAME="DOMAIN-MEMBER" ></A ->Chapter 9. Samba as a NT4 or Win2k domain member</H1 +>Chapter 10. Samba as a NT4 or Win2k domain member</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1439" ->9.1. Joining an NT Domain with Samba 3.0</A +NAME="AEN1448" +>10.1. Joining an NT Domain with Samba 3.0</A ></H2 ><P >Assume you have a Samba 3.0 server with a NetBIOS name of @@ -7338,8 +6902,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1493" ->9.2. Why is this better than security = server?</A +NAME="AEN1502" +>10.2. Why is this better than security = server?</A ></H2 ><P >Currently, domain security in Samba doesn't free you from @@ -7447,10 +7011,11 @@ CLASS="TITLEPAGE" ><H1 CLASS="TITLE" >III. Advanced Configuration</H1 +></DIV ><DIV CLASS="PARTINTRO" ><A -NAME="AEN1511" +NAME="AEN1520" ></A ><H1 >Introduction</H1 
@@ -7458,959 +7023,19 @@ NAME="AEN1511" >Samba has several features that you might want or might not want to use. The chapters in this part each cover one specific feature.</P ></DIV ><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->10. <A -HREF="#UNIX-PERMISSIONS" ->UNIX Permission Bits and Windows NT Access Control Lists</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1525" ->Viewing and changing UNIX permissions using the NT - security dialogs</A -></DT -><DT ->10.2. <A -HREF="#AEN1531" ->How to view file security on a Samba share</A -></DT -><DT ->10.3. <A -HREF="#AEN1542" ->Viewing file ownership</A -></DT -><DT ->10.4. <A -HREF="#AEN1562" ->Viewing file or directory permissions</A -></DT -><DD -><DL -><DT ->10.4.1. <A -HREF="#AEN1577" ->File Permissions</A -></DT -><DT ->10.4.2. <A -HREF="#AEN1591" ->Directory Permissions</A -></DT -></DL -></DD -><DT ->10.5. <A -HREF="#AEN1598" ->Modifying file or directory permissions</A -></DT -><DT ->10.6. <A -HREF="#AEN1620" ->Interaction with the standard Samba create mask - parameters</A -></DT -><DT ->10.7. <A -HREF="#AEN1673" ->Interaction with the standard Samba file attribute - mapping</A -></DT -></DL -></DD -><DT ->11. <A -HREF="#GROUPMAPPING" ->Configuring Group Mapping</A -></DT -><DT ->12. <A -HREF="#PRINTING" ->Printing Support</A -></DT -><DD -><DL -><DT ->12.1. <A -HREF="#AEN1736" ->Introduction</A -></DT -><DT ->12.2. <A -HREF="#AEN1758" ->Configuration</A -></DT -><DD -><DL -><DT ->12.2.1. <A -HREF="#AEN1766" ->Creating [print$]</A -></DT -><DT ->12.2.2. <A -HREF="#AEN1801" ->Setting Drivers for Existing Printers</A -></DT -><DT ->12.2.3. <A -HREF="#AEN1817" ->Support a large number of printers</A -></DT -><DT ->12.2.4. <A -HREF="#AEN1832" ->Adding New Printers via the Windows NT APW</A -></DT -><DT ->12.2.5. <A -HREF="#AEN1862" ->Samba and Printer Ports</A -></DT -></DL -></DD -><DT ->12.3. <A -HREF="#AEN1870" ->The Imprints Toolset</A -></DT -><DD -><DL -><DT ->12.3.1. 
<A -HREF="#AEN1874" ->What is Imprints?</A -></DT -><DT ->12.3.2. <A -HREF="#AEN1884" ->Creating Printer Driver Packages</A -></DT -><DT ->12.3.3. <A -HREF="#AEN1887" ->The Imprints server</A -></DT -><DT ->12.3.4. <A -HREF="#AEN1891" ->The Installation Client</A -></DT -></DL -></DD -><DT ->12.4. <A -HREF="#AEN1913" ->Diagnosis</A -></DT -><DD -><DL -><DT ->12.4.1. <A -HREF="#AEN1915" ->Introduction</A -></DT -><DT ->12.4.2. <A -HREF="#AEN1931" ->Debugging printer problems</A -></DT -><DT ->12.4.3. <A -HREF="#AEN1940" ->What printers do I have?</A -></DT -><DT ->12.4.4. <A -HREF="#AEN1948" ->Setting up printcap and print servers</A -></DT -><DT ->12.4.5. <A -HREF="#AEN1976" ->Job sent, no output</A -></DT -><DT ->12.4.6. <A -HREF="#AEN1987" ->Job sent, strange output</A -></DT -><DT ->12.4.7. <A -HREF="#AEN1999" ->Raw PostScript printed</A -></DT -><DT ->12.4.8. <A -HREF="#AEN2002" ->Advanced Printing</A -></DT -><DT ->12.4.9. <A -HREF="#AEN2005" ->Real debugging</A -></DT -></DL -></DD -></DL -></DD -><DT ->13. <A -HREF="#CUPS-PRINTING" ->CUPS Printing Support</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN2025" ->Introduction</A -></DT -><DT ->13.2. <A -HREF="#AEN2032" ->Configuring <TT -CLASS="FILENAME" ->smb.conf</TT -> for CUPS</A -></DT -><DT ->13.3. <A -HREF="#AEN2052" ->CUPS - RAW Print Through Mode</A -></DT -><DT ->13.4. <A -HREF="#AEN2111" ->CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe -PostScript driver with CUPS-PPDs downloaded to clients</A -></DT -><DT ->13.5. <A -HREF="#AEN2132" ->Windows Terminal Servers (WTS) as CUPS clients</A -></DT -><DT ->13.6. <A -HREF="#AEN2136" ->Setting up CUPS for driver download</A -></DT -><DT ->13.7. <A -HREF="#AEN2149" ->Sources of CUPS drivers / PPDs</A -></DT -><DD -><DL -><DT ->13.7.1. <A -HREF="#AEN2176" -><B -CLASS="COMMAND" ->cupsaddsmb</B -></A -></DT -></DL -></DD -><DT ->13.8. <A -HREF="#AEN2205" ->The CUPS Filter Chains</A -></DT -><DT ->13.9. 
<A -HREF="#AEN2244" ->CUPS Print Drivers and Devices</A -></DT -><DD -><DL -><DT ->13.9.1. <A -HREF="#AEN2251" ->Further printing steps</A -></DT -></DL -></DD -><DT ->13.10. <A -HREF="#AEN2321" ->Limiting the number of pages users can print</A -></DT -><DT ->13.11. <A -HREF="#AEN2417" ->Advanced Postscript Printing from MS Windows</A -></DT -><DT ->13.12. <A -HREF="#AEN2432" ->Auto-Deletion of CUPS spool files</A -></DT -></DL -></DD -><DT ->14. <A -HREF="#WINBIND" ->Unified Logons between Windows NT and UNIX using Winbind</A -></DT -><DD -><DL -><DT ->14.1. <A -HREF="#AEN2506" ->Abstract</A -></DT -><DT ->14.2. <A -HREF="#AEN2510" ->Introduction</A -></DT -><DT ->14.3. <A -HREF="#AEN2523" ->What Winbind Provides</A -></DT -><DD -><DL -><DT ->14.3.1. <A -HREF="#AEN2530" ->Target Uses</A -></DT -></DL -></DD -><DT ->14.4. <A -HREF="#AEN2534" ->How Winbind Works</A -></DT -><DD -><DL -><DT ->14.4.1. <A -HREF="#AEN2539" ->Microsoft Remote Procedure Calls</A -></DT -><DT ->14.4.2. <A -HREF="#AEN2543" ->Microsoft Active Directory Services</A -></DT -><DT ->14.4.3. <A -HREF="#AEN2546" ->Name Service Switch</A -></DT -><DT ->14.4.4. <A -HREF="#AEN2562" ->Pluggable Authentication Modules</A -></DT -><DT ->14.4.5. <A -HREF="#AEN2570" ->User and Group ID Allocation</A -></DT -><DT ->14.4.6. <A -HREF="#AEN2574" ->Result Caching</A -></DT -></DL -></DD -><DT ->14.5. <A -HREF="#AEN2577" ->Installation and Configuration</A -></DT -><DD -><DL -><DT ->14.5.1. <A -HREF="#AEN2582" ->Introduction</A -></DT -><DT ->14.5.2. <A -HREF="#AEN2595" ->Requirements</A -></DT -><DT ->14.5.3. <A -HREF="#AEN2609" ->Testing Things Out</A -></DT -></DL -></DD -><DT ->14.6. <A -HREF="#AEN2834" ->Limitations</A -></DT -><DT ->14.7. <A -HREF="#AEN2844" ->Conclusion</A -></DT -></DL -></DD -><DT ->15. <A -HREF="#ADVANCEDNETWORKMANAGEMENT" ->Advanced Network Manangement</A -></DT -><DD -><DL -><DT ->15.1. 
<A -HREF="#AEN2859" ->Configuring Samba Share Access Controls</A -></DT -><DD -><DL -><DT ->15.1.1. <A -HREF="#AEN2869" ->Share Permissions Management</A -></DT -></DL -></DD -><DT ->15.2. <A -HREF="#AEN2897" ->Remote Server Administration</A -></DT -><DT ->15.3. <A -HREF="#AEN2914" ->Network Logon Script Magic</A -></DT -></DL -></DD -><DT ->16. <A -HREF="#POLICYMGMT" ->System and Account Policies</A -></DT -><DD -><DL -><DT ->16.1. <A -HREF="#AEN2929" ->Creating and Managing System Policies</A -></DT -><DD -><DL -><DT ->16.1.1. <A -HREF="#AEN2943" ->Windows 9x/Me Policies</A -></DT -><DT ->16.1.2. <A -HREF="#AEN2955" ->Windows NT4 Style Policy Files</A -></DT -><DT ->16.1.3. <A -HREF="#AEN2973" ->MS Windows 200x / XP Professional Policies</A -></DT -></DL -></DD -><DT ->16.2. <A -HREF="#AEN3002" ->Managing Account/User Policies</A -></DT -><DD -><DL -><DT ->16.2.1. <A -HREF="#AEN3017" ->With Windows NT4/200x</A -></DT -><DT ->16.2.2. <A -HREF="#AEN3020" ->With a Samba PDC</A -></DT -></DL -></DD -></DL -></DD -><DT ->17. <A -HREF="#PROFILEMGMT" ->Desktop Profile Management</A -></DT -><DD -><DL -><DT ->17.1. <A -HREF="#AEN3035" ->Roaming Profiles</A -></DT -><DD -><DL -><DT ->17.1.1. <A -HREF="#AEN3042" ->Samba Configuration for Profile Handling</A -></DT -><DT ->17.1.2. <A -HREF="#AEN3077" ->Windows Client Profile Configuration Information</A -></DT -><DT ->17.1.3. <A -HREF="#AEN3197" ->Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A -></DT -><DT ->17.1.4. <A -HREF="#AEN3204" ->Profile Migration from Windows NT4/200x Server to Samba</A -></DT -></DL -></DD -><DT ->17.2. <A -HREF="#AEN3242" ->Mandatory profiles</A -></DT -><DT ->17.3. <A -HREF="#AEN3249" ->Creating/Managing Group Profiles</A -></DT -><DT ->17.4. <A -HREF="#AEN3255" ->Default Profile for Windows Users</A -></DT -><DD -><DL -><DT ->17.4.1. <A -HREF="#AEN3259" ->MS Windows 9x/Me</A -></DT -><DT ->17.4.2. <A -HREF="#AEN3271" ->MS Windows NT4 Workstation</A -></DT -><DT ->17.4.3. 
<A -HREF="#AEN3325" ->MS Windows 200x/XP</A -></DT -></DL -></DD -></DL -></DD -><DT ->18. <A -HREF="#INTERDOMAINTRUSTS" ->Interdomain Trust Relationships</A -></DT -><DD -><DL -><DT ->18.1. <A -HREF="#AEN3386" ->Trust Relationship Background</A -></DT -><DT ->18.2. <A -HREF="#AEN3395" ->MS Windows NT4 Trust Configuration</A -></DT -><DD -><DL -><DT ->18.2.1. <A -HREF="#AEN3398" ->NT4 as the Trusting Domain</A -></DT -><DT ->18.2.2. <A -HREF="#AEN3401" ->NT4 as the Trusted Domain</A -></DT -></DL -></DD -><DT ->18.3. <A -HREF="#AEN3405" ->Configuring Samba Domain Trusts</A -></DT -><DD -><DL -><DT ->18.3.1. <A -HREF="#AEN3409" ->Samba3 as the Trusting Domain</A -></DT -><DT ->18.3.2. <A -HREF="#AEN3416" ->Samba3 as the Trusted Domain</A -></DT -></DL -></DD -></DL -></DD -><DT ->19. <A -HREF="#PAM" ->PAM Configuration for Centrally Managed Authentication</A -></DT -><DD -><DL -><DT ->19.1. <A -HREF="#AEN3440" ->Samba and PAM</A -></DT -><DT ->19.2. <A -HREF="#AEN3491" ->Distributed Authentication</A -></DT -><DT ->19.3. <A -HREF="#AEN3496" ->PAM Configuration in smb.conf</A -></DT -></DL -></DD -><DT ->20. <A -HREF="#VFS" ->Stackable VFS modules</A -></DT -><DD -><DL -><DT ->20.1. <A -HREF="#AEN3531" ->Introduction and configuration</A -></DT -><DT ->20.2. <A -HREF="#AEN3540" ->Included modules</A -></DT -><DD -><DL -><DT ->20.2.1. <A -HREF="#AEN3542" ->audit</A -></DT -><DT ->20.2.2. <A -HREF="#AEN3550" ->extd_audit</A -></DT -><DT ->20.2.3. <A -HREF="#AEN3554" ->recycle</A -></DT -><DT ->20.2.4. <A -HREF="#AEN3591" ->netatalk</A -></DT -></DL -></DD -><DT ->20.3. <A -HREF="#AEN3598" ->VFS modules available elsewhere</A -></DT -><DD -><DL -><DT ->20.3.1. <A -HREF="#AEN3602" ->DatabaseFS</A -></DT -><DT ->20.3.2. <A -HREF="#AEN3610" ->vscan</A -></DT -></DL -></DD -></DL -></DD -><DT ->21. <A -HREF="#MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT ->21.1. 
<A -HREF="#AEN3626" ->Instructions</A -></DT -><DD -><DL -><DT ->21.1.1. <A -HREF="#AEN3661" ->Notes</A -></DT -></DL -></DD -></DL -></DD -><DT ->22. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A -></DT -><DD -><DL -><DT ->22.1. <A -HREF="#AEN3688" ->Name Resolution in a pure Unix/Linux world</A -></DT -><DD -><DL -><DT ->22.1.1. <A -HREF="#AEN3704" -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></A -></DT -><DT ->22.1.2. <A -HREF="#AEN3720" -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A -></DT -><DT ->22.1.3. <A -HREF="#AEN3731" -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A -></DT -><DT ->22.1.4. <A -HREF="#AEN3739" -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A -></DT -></DL -></DD -><DT ->22.2. <A -HREF="#AEN3751" ->Name resolution as used within MS Windows networking</A -></DT -><DD -><DL -><DT ->22.2.1. <A -HREF="#AEN3763" ->The NetBIOS Name Cache</A -></DT -><DT ->22.2.2. <A -HREF="#AEN3768" ->The LMHOSTS file</A -></DT -><DT ->22.2.3. <A -HREF="#AEN3776" ->HOSTS file</A -></DT -><DT ->22.2.4. <A -HREF="#AEN3781" ->DNS Lookup</A -></DT -><DT ->22.2.5. <A -HREF="#AEN3784" ->WINS Lookup</A -></DT -></DL -></DD -></DL -></DD -><DT ->23. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A -></DT -><DD -><DL -><DT ->23.1. <A -HREF="#AEN3804" ->Overview of browsing</A -></DT -><DT ->23.2. <A -HREF="#AEN3810" ->Browsing support in samba</A -></DT -><DT ->23.3. <A -HREF="#AEN3825" ->Problem resolution</A -></DT -><DT ->23.4. <A -HREF="#AEN3837" ->Browsing across subnets</A -></DT -><DD -><DL -><DT ->23.4.1. <A -HREF="#AEN3843" ->How does cross subnet browsing work ?</A -></DT -></DL -></DD -><DT ->23.5. <A -HREF="#AEN3878" ->Setting up a WINS server</A -></DT -><DT ->23.6. <A -HREF="#AEN3901" ->Setting up Browsing in a WORKGROUP</A -></DT -><DT ->23.7. <A -HREF="#AEN3927" ->Setting up Browsing in a DOMAIN</A -></DT -><DT ->23.8. 
<A -HREF="#BROWSE-FORCE-MASTER" ->Forcing samba to be the master</A -></DT -><DT ->23.9. <A -HREF="#AEN3962" ->Making samba the domain master</A -></DT -><DT ->23.10. <A -HREF="#AEN3984" ->Note about broadcast addresses</A -></DT -><DT ->23.11. <A -HREF="#AEN3987" ->Multiple interfaces</A -></DT -></DL -></DD -><DT ->24. <A -HREF="#SECURING-SAMBA" ->Securing Samba</A -></DT -><DD -><DL -><DT ->24.1. <A -HREF="#AEN4003" ->Introduction</A -></DT -><DT ->24.2. <A -HREF="#AEN4006" ->Using host based protection</A -></DT -><DT ->24.3. <A -HREF="#AEN4016" ->Using interface protection</A -></DT -><DT ->24.4. <A -HREF="#AEN4025" ->Using a firewall</A -></DT -><DT ->24.5. <A -HREF="#AEN4032" ->Using a IPC$ share deny</A -></DT -><DT ->24.6. <A -HREF="#AEN4041" ->Upgrading Samba</A -></DT -></DL -></DD -><DT ->25. <A -HREF="#UNICODE" ->Unicode/Charsets</A -></DT -><DD -><DL -><DT ->25.1. <A -HREF="#AEN4056" ->What are charsets and unicode?</A -></DT -><DT ->25.2. <A -HREF="#AEN4065" ->Samba and charsets</A -></DT -></DL -></DD -></DL -></DIV -></DIV -><DIV CLASS="CHAPTER" ><HR><H1 ><A NAME="UNIX-PERMISSIONS" ></A ->Chapter 10. UNIX Permission Bits and Windows NT Access Control Lists</H1 +>Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1525" ->10.1. Viewing and changing UNIX permissions using the NT +NAME="AEN1534" +>11.1. Viewing and changing UNIX permissions using the NT security dialogs</A ></H2 ><P @@ -8459,8 +7084,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1531" ->10.2. How to view file security on a Samba share</A +NAME="AEN1540" +>11.2. How to view file security on a Samba share</A ></H2 ><P >From an NT4/2000/XP client, single-click with the right @@ -8528,8 +7153,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1542" ->10.3. Viewing file ownership</A +NAME="AEN1551" +>11.3. Viewing file ownership</A ></H2 ><P >Clicking on the <B 
@@ -8614,8 +7239,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1562" ->10.4. Viewing file or directory permissions</A +NAME="AEN1571" +>11.4. Viewing file or directory permissions</A ></H2 ><P >The third button is the <B @@ -8668,8 +7293,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1577" ->10.4.1. File Permissions</A +NAME="AEN1586" +>11.4.1. File Permissions</A ></H3 ><P >The standard UNIX user/group/world triple and @@ -8730,8 +7355,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1591" ->10.4.2. Directory Permissions</A +NAME="AEN1600" +>11.4.2. Directory Permissions</A ></H3 ><P >Directories on an NT NTFS file system have two @@ -8762,8 +7387,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1598" ->10.5. Modifying file or directory permissions</A +NAME="AEN1607" +>11.5. Modifying file or directory permissions</A ></H2 ><P >Modifying file and directory permissions is as simple @@ -8858,8 +7483,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1620" ->10.6. Interaction with the standard Samba create mask +NAME="AEN1629" +>11.6. Interaction with the standard Samba create mask parameters</A ></H2 ><P @@ -9047,8 +7672,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1673" ->10.7. Interaction with the standard Samba file attribute +NAME="AEN1682" +>11.7. Interaction with the standard Samba file attribute mapping</A ></H2 ><P @@ -9096,7 +7721,7 @@ CLASS="CHAPTER" ><A NAME="GROUPMAPPING" ></A ->Chapter 11. Configuring Group Mapping</H1 +>Chapter 12. Configuring Group Mapping</H1 ><P > Starting with Samba 3.0 alpha 2, a new group mapping function is available. The @@ -9197,14 +7822,14 @@ CLASS="CHAPTER" ><A NAME="PRINTING" ></A ->Chapter 12. Printing Support</H1 +>Chapter 13. Printing Support</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1736" ->12.1. Introduction</A +NAME="AEN1745" +>13.1. Introduction</A ></H2 ><P >Beginning with the 2.2.0 release, Samba supports 
@@ -9286,8 +7911,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1758" ->12.2. Configuration</A +NAME="AEN1767" +>13.2. Configuration</A ></H2 ><DIV CLASS="WARNING" @@ -9348,8 +7973,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1766" ->12.2.1. Creating [print$]</A +NAME="AEN1775" +>13.2.1. Creating [print$]</A ></H3 ><P >In order to support the uploading of printer driver @@ -9565,8 +8190,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1801" ->12.2.2. Setting Drivers for Existing Printers</A +NAME="AEN1810" +>13.2.2. Setting Drivers for Existing Printers</A ></H3 ><P >The initial listing of printers in the Samba host's @@ -9637,8 +8262,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1817" ->12.2.3. Support a large number of printers</A +NAME="AEN1826" +>13.2.3. Support a large number of printers</A ></H3 ><P >One issue that has arisen during the development @@ -9713,8 +8338,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1832" ->12.2.4. Adding New Printers via the Windows NT APW</A +NAME="AEN1841" +>13.2.4. Adding New Printers via the Windows NT APW</A ></H3 ><P >By default, Samba offers all printer shares defined in <TT @@ -9868,8 +8493,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1862" ->12.2.5. Samba and Printer Ports</A +NAME="AEN1871" +>13.2.5. Samba and Printer Ports</A ></H3 ><P >Windows NT/2000 print servers associate a port with each printer. These normally @@ -9903,8 +8528,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1870" ->12.3. The Imprints Toolset</A +NAME="AEN1879" +>13.3. The Imprints Toolset</A ></H2 ><P >The Imprints tool set provides a UNIX equivalent of the @@ -9921,8 +8546,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1874" ->12.3.1. What is Imprints?</A +NAME="AEN1883" +>13.3.1. What is Imprints?</A ></H3 ><P >Imprints is a collection of tools for supporting the goals 
@@ -9953,8 +8578,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1884" ->12.3.2. Creating Printer Driver Packages</A +NAME="AEN1893" +>13.3.2. Creating Printer Driver Packages</A ></H3 ><P >The process of creating printer driver packages is beyond @@ -9969,8 +8594,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1887" ->12.3.3. The Imprints server</A +NAME="AEN1896" +>13.3.3. The Imprints server</A ></H3 ><P >The Imprints server is really a database server that @@ -9993,8 +8618,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1891" ->12.3.4. The Installation Client</A +NAME="AEN1900" +>13.3.4. The Installation Client</A ></H3 ><P >More information regarding the Imprints installation client @@ -10087,16 +8712,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1913" ->12.4. Diagnosis</A +NAME="AEN1922" +>13.4. Diagnosis</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN1915" ->12.4.1. Introduction</A +NAME="AEN1924" +>13.4.1. Introduction</A ></H3 ><P >This is a short description of how to debug printing problems with @@ -10170,8 +8795,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1931" ->12.4.2. Debugging printer problems</A +NAME="AEN1940" +>13.4.2. Debugging printer problems</A ></H3 ><P >One way to debug printing problems is to start by replacing these @@ -10227,8 +8852,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1940" ->12.4.3. What printers do I have?</A +NAME="AEN1949" +>13.4.3. What printers do I have?</A ></H3 ><P >You can use the 'testprns' program to check to see if the printer @@ -10256,8 +8881,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1948" ->12.4.4. Setting up printcap and print servers</A +NAME="AEN1957" +>13.4.4. Setting up printcap and print servers</A ></H3 ><P >You may need to set up some printcaps for your Samba system to use. 
@@ -10340,8 +8965,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1976" ->12.4.5. Job sent, no output</A +NAME="AEN1985" +>13.4.5. Job sent, no output</A ></H3 ><P >This is the most frustrating part of printing. You may have sent the @@ -10385,8 +9010,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1987" ->12.4.6. Job sent, strange output</A +NAME="AEN1996" +>13.4.6. Job sent, strange output</A ></H3 ><P >Once you have the job printing, you can then start worrying about @@ -10431,8 +9056,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1999" ->12.4.7. Raw PostScript printed</A +NAME="AEN2008" +>13.4.7. Raw PostScript printed</A ></H3 ><P >This is a problem that is usually caused by either the print spooling @@ -10446,8 +9071,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2002" ->12.4.8. Advanced Printing</A +NAME="AEN2011" +>13.4.8. Advanced Printing</A ></H3 ><P >Note that you can do some pretty magic things by using your @@ -10462,8 +9087,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2005" ->12.4.9. Real debugging</A +NAME="AEN2014" +>13.4.9. Real debugging</A ></H3 ><P >If the above debug tips don't help, then maybe you need to bring in 
@@ -10477,22 +9102,21 @@ CLASS="CHAPTER" ><A NAME="CUPS-PRINTING" ></A ->Chapter 13. CUPS Printing Support</H1 +>Chapter 14. CUPS Printing Support</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2025" ->13.1. Introduction</A +NAME="AEN2035" +>14.1. Introduction</A ></H2 ><P >The Common Unix Print System (CUPS) has become very popular, but to many it is a very mystical tool. There is a great deal of uncertainty regarding CUPS and how it works. The result is seen in a large number of posting on the samba mailing lists expressing frustration when MS Windows printers appear not to work with a CUPS -backr-end. -/para> </P +backr-end.</P ><P >This is a good time to point out how CUPS can be used and what it does. CUPS is more than just a print spooling system - it is a complete printer management system that @@ -10519,8 +9143,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2032" ->13.2. Configuring <TT +NAME="AEN2042" +>14.2. Configuring <TT CLASS="FILENAME" >smb.conf</TT > for CUPS</A @@ -10600,8 +9224,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2052" ->13.3. CUPS - RAW Print Through Mode</A +NAME="AEN2062" +>14.3. CUPS - RAW Print Through Mode</A ></H2 ><DIV CLASS="NOTE" @@ -10647,8 +9271,6 @@ do any print file format conversion work.</P CLASS="FILENAME" >/etc/cups/mime.types</TT ></P -><P -></P ></LI ><LI ><P @@ -10656,8 +9278,6 @@ CLASS="FILENAME" CLASS="FILENAME" >/etc/cups/mime.convs</TT ></P -><P -></P ></LI ></UL 
> @@ -10789,12 +9409,12 @@ the PPD and inserts user-provided options into the PostScript file. As a consequ the filtered file could possibly have an unwanted PJL header.</P ><P >"application/postscript" will be all files with a ".ps", ".ai", ".eps" suffix or which -have as their first character string one of "%!" or "<04>%".</P +have as their first character string one of "%!" or ">04<%".</P ><P >"application/vnd.cups-postscript" will files which contain the string "LANGUAGE=POSTSCRIPT" (or similar variations with different capitalization) in the first 512 bytes, and also contain the "PJL super escape code" in the first 128 bytes -("<1B>%-12345X"). Very likely, most PostScript files generated on Windows using a CUPS +(">1B<%-12345X"). Very likely, most PostScript files generated on Windows using a CUPS or other PPD, will have to be auto-typed as "vnd.cups-postscript". A file produced with a "Generic PostScript driver" will just be tagged "application/postscript".</P ><P @@ -10919,8 +9539,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2111" ->13.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +NAME="AEN2119" +>14.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe PostScript driver with CUPS-PPDs downloaded to clients</A ></H2 ><P @@ -11015,8 +9635,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2132" ->13.5. Windows Terminal Servers (WTS) as CUPS clients</A +NAME="AEN2140" +>14.5. Windows Terminal Servers (WTS) as CUPS clients</A ></H2 ><P >This setup may be of special interest to people @@ -11046,8 +9666,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2136" ->13.6. Setting up CUPS for driver download</A +NAME="AEN2144" +>14.6. Setting up CUPS for driver download</A ></H2 ><P >The <B 
@@ -11121,8 +9741,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2149" ->13.7. Sources of CUPS drivers / PPDs</A +NAME="AEN2157" +>14.7. Sources of CUPS drivers / PPDs</A ></H2 ><P >On the internet you can find now many thousand CUPS-PPD @@ -11241,8 +9861,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2176" ->13.7.1. <B +NAME="AEN2184" +>14.7.1. <B CLASS="COMMAND" >cupsaddsmb</B ></A @@ -11420,8 +10040,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2205" ->13.8. The CUPS Filter Chains</A +NAME="AEN2213" +>14.8. The CUPS Filter Chains</A ></H2 ><P >The following diagrams reveal how CUPS handles print jobs.</P @@ -11868,8 +10488,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2244" ->13.9. CUPS Print Drivers and Devices</A +NAME="AEN2252" +>14.9. CUPS Print Drivers and Devices</A ></H2 ><P >CUPS ships with good support for HP LaserJet type printers. You can install @@ -11898,8 +10518,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2251" ->13.9.1. Further printing steps</A +NAME="AEN2259" +>14.9.1. Further printing steps</A ></H3 ><P >Always also consult the database on linuxprinting.org for all recommendations @@ -11935,7 +10555,7 @@ driver too:</P HREF="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" TARGET="_top" >http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</A -> </P +></P ><P >On the driver's page, you'll find important and detailed info about how to use that driver within the various available spoolers. You can generate a PPD for @@ -12082,7 +10702,7 @@ CLASS="FILENAME" ></TABLE ><P ></P -> </P +></P ><P >In the case of the "hpijs" driver, you need a Ghostscript version, which has "ijs" amongst its supported devices in "gs -h". In the case of 
@@ -12223,8 +10843,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2321" ->13.10. Limiting the number of pages users can print</A +NAME="AEN2329" +>14.10. Limiting the number of pages users can print</A ></H2 ><P >The feature you want is dependent on the real print subsystem you're using. @@ -12786,8 +11406,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2417" ->13.11. Advanced Postscript Printing from MS Windows</A +NAME="AEN2425" +>14.11. Advanced Postscript Printing from MS Windows</A ></H2 ><P >Let the Windows Clients use a PostScript driver to deliver poistscript to @@ -12877,8 +11497,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2432" ->13.12. Auto-Deletion of CUPS spool files</A +NAME="AEN2440" +>14.12. Auto-Deletion of CUPS spool files</A ></H2 ><P >Samba print files pass thru two "spool" directories. One the incoming directory @@ -13047,14 +11667,14 @@ CLASS="CHAPTER" ><A NAME="WINBIND" ></A ->Chapter 14. Unified Logons between Windows NT and UNIX using Winbind</H1 +>Chapter 15. Unified Logons between Windows NT and UNIX using Winbind</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2506" ->14.1. Abstract</A +NAME="AEN2516" +>15.1. Abstract</A ></H2 ><P >Integration of UNIX and Microsoft Windows NT through @@ -13080,8 +11700,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2510" ->14.2. Introduction</A +NAME="AEN2520" +>15.2. Introduction</A ></H2 ><P >It is well known that UNIX and Microsoft Windows NT have @@ -13134,8 +11754,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2523" ->14.3. What Winbind Provides</A +NAME="AEN2533" +>15.3. What Winbind Provides</A ></H2 ><P >Winbind unifies UNIX and Windows NT account management by @@ -13176,8 +11796,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2530" ->14.3.1. Target Uses</A +NAME="AEN2540" +>15.3.1. Target Uses</A ></H3 ><P >Winbind is targeted at organizations that have an 
@@ -13200,8 +11820,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2534" ->14.4. How Winbind Works</A +NAME="AEN2544" +>15.4. How Winbind Works</A ></H2 ><P >The winbind system is designed around a client/server @@ -13220,8 +11840,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2539" ->14.4.1. Microsoft Remote Procedure Calls</A +NAME="AEN2549" +>15.4.1. Microsoft Remote Procedure Calls</A ></H3 ><P >Over the last few years, efforts have been underway @@ -13246,8 +11866,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2543" ->14.4.2. Microsoft Active Directory Services</A +NAME="AEN2553" +>15.4.2. Microsoft Active Directory Services</A ></H3 ><P > Since late 2001, Samba has gained the ability to @@ -13265,8 +11885,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2546" ->14.4.3. Name Service Switch</A +NAME="AEN2556" +>15.4.3. Name Service Switch</A ></H3 ><P >The Name Service Switch, or NSS, is a feature that is @@ -13345,8 +11965,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2562" ->14.4.4. Pluggable Authentication Modules</A +NAME="AEN2572" +>15.4.4. Pluggable Authentication Modules</A ></H3 ><P >Pluggable Authentication Modules, also known as PAM, @@ -13394,8 +12014,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2570" ->14.4.5. User and Group ID Allocation</A +NAME="AEN2580" +>15.4.5. User and Group ID Allocation</A ></H3 ><P >When a user or group is created under Windows NT @@ -13420,8 +12040,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2574" ->14.4.6. Result Caching</A +NAME="AEN2584" +>15.4.6. Result Caching</A ></H3 ><P >An active system can generate a lot of user and group @@ -13443,8 +12063,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2577" ->14.5. Installation and Configuration</A +NAME="AEN2587" +>15.5. Installation and Configuration</A ></H2 ><P >Many thanks to John Trostel <A 
@@ -13462,8 +12082,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2582" ->14.5.1. Introduction</A +NAME="AEN2592" +>15.5.1. Introduction</A ></H3 ><P >This HOWTO describes the procedures used to get winbind up and @@ -13521,8 +12141,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2595" ->14.5.2. Requirements</A +NAME="AEN2605" +>15.5.2. Requirements</A ></H3 ><P >If you have a samba configuration file that you are currently @@ -13591,8 +12211,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2609" ->14.5.3. Testing Things Out</A +NAME="AEN2619" +>15.5.3. Testing Things Out</A ></H3 ><P >Before starting, it is probably best to kill off all the SAMBA @@ -13636,8 +12256,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2620" ->14.5.3.1. Configure and compile SAMBA</A +NAME="AEN2630" +>15.5.3.1. Configure and compile SAMBA</A ></H4 ><P >The configuration and compilation of SAMBA is pretty straightforward. @@ -13702,8 +12322,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2639" ->14.5.3.2. Configure <TT +NAME="AEN2649" +>15.5.3.2. Configure <TT CLASS="FILENAME" >nsswitch.conf</TT > and the @@ -13807,8 +12427,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2672" ->14.5.3.3. Configure smb.conf</A +NAME="AEN2682" +>15.5.3.3. Configure smb.conf</A ></H4 ><P >Several parameters are needed in the smb.conf file to control @@ -13882,8 +12502,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2688" ->14.5.3.4. Join the SAMBA server to the PDC domain</A +NAME="AEN2698" +>15.5.3.4. Join the SAMBA server to the PDC domain</A ></H4 ><P >Enter the following command to make the SAMBA server join the @@ -13920,8 +12540,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2699" ->14.5.3.5. Start up the winbindd daemon and test it!</A +NAME="AEN2709" +>15.5.3.5. Start up the winbindd daemon and test it!</A ></H4 ><P >Eventually, you will want to modify your smb startup script to 
@@ -14056,16 +12676,16 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2739" ->14.5.3.6. Fix the init.d startup scripts</A +NAME="AEN2749" +>15.5.3.6. Fix the init.d startup scripts</A ></H4 ><DIV CLASS="SECT4" ><H5 CLASS="SECT4" ><A -NAME="AEN2741" ->14.5.3.6.1. Linux</A +NAME="AEN2751" +>15.5.3.6.1. Linux</A ></H5 ><P >The <B @@ -14174,8 +12794,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2761" ->14.5.3.6.2. Solaris</A +NAME="AEN2771" +>15.5.3.6.2. Solaris</A ></H5 ><P >On solaris, you need to modify the @@ -14258,8 +12878,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2771" ->14.5.3.6.3. Restarting</A +NAME="AEN2781" +>15.5.3.6.3. Restarting</A ></H5 ><P >If you restart the <B @@ -14282,8 +12902,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2777" ->14.5.3.7. Configure Winbind and PAM</A +NAME="AEN2787" +>15.5.3.7. Configure Winbind and PAM</A ></H4 ><P >If you have made it this far, you know that winbindd and samba are working @@ -14340,8 +12960,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2794" ->14.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A +NAME="AEN2804" +>15.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A ></H5 ><P >The <TT @@ -14469,8 +13089,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2827" ->14.5.3.7.2. Solaris-specific configuration</A +NAME="AEN2837" +>15.5.3.7.2. Solaris-specific configuration</A ></H5 ><P >The /etc/pam.conf needs to be changed. I changed this file so that my Domain @@ -14556,8 +13176,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2834" ->14.6. Limitations</A +NAME="AEN2844" +>15.6. Limitations</A ></H2 ><P >Winbind has a number of limitations in its current @@ -14598,8 +13218,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2844" ->14.7. Conclusion</A +NAME="AEN2854" +>15.7. Conclusion</A ></H2 ><P >The winbind system, through the use of the Name Service 
@@ -14616,7 +13236,7 @@ CLASS="CHAPTER" ><A NAME="ADVANCEDNETWORKMANAGEMENT" ></A ->Chapter 15. Advanced Network Manangement</H1 +>Chapter 16. Advanced Network Manangement</H1 ><P >This section attempts to document peripheral issues that are of great importance to network administrators who want to improve network resource access control, to automate the user @@ -14626,8 +13246,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2859" ->15.1. Configuring Samba Share Access Controls</A +NAME="AEN2870" +>16.1. Configuring Samba Share Access Controls</A ></H2 ><P >This section deals with how to configure Samba per share access control restrictions. @@ -14669,8 +13289,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2869" ->15.1.1. Share Permissions Management</A +NAME="AEN2880" +>16.1.1. Share Permissions Management</A ></H3 ><P >The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P @@ -14679,8 +13299,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2872" ->15.1.1.1. Windows NT4 Workstation/Server</A +NAME="AEN2883" +>16.1.1.1. Windows NT4 Workstation/Server</A ></H4 ><P >The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. @@ -14712,8 +13332,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2881" ->15.1.1.2. Windows 200x/XP</A +NAME="AEN2892" +>16.1.1.2. Windows 200x/XP</A ></H4 ><P >On MS Windows NT4/200x/XP system access control lists on the share itself are set using native @@ -14800,8 +13420,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2897" ->15.2. Remote Server Administration</A +NAME="AEN2908" +>16.2. Remote Server Administration</A ></H2 ><P ><SPAN @@ -14853,8 +13473,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2914" ->15.3. Network Logon Script Magic</A +NAME="AEN2925" +>16.3. Network Logon Script Magic</A ></H2 ><P >This section needs work. Volunteer contributions most welcome. Please send your patches or updates 
@@ -14863,6 +13483,147 @@ HREF="mailto:jht@samba.org" TARGET="_top" >John Terpstra</A >.</P +><P +>There are several opportunities for creating a custom network startup configuration environment.</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>No Logon Script</TD +></TR +><TR +><TD +>Simple universal Logon Script that applies to all users</TD +></TR +><TR +><TD +>Use of a conditional Logon Script that applies per user or per group attirbutes</TD +></TR +><TR +><TD +>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create + a custom Logon Script and then execute it.</TD +></TR +><TR +><TD +>User of a tool such as KixStart</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>The Samba source code tree includes two logon script generation/execution tools. See <TT +CLASS="FILENAME" +>examples</TT +> directory <TT +CLASS="FILENAME" +>genlogon</TT +> and <TT +CLASS="FILENAME" +>ntlogon</TT +> subdirectories.</P +><P +>The following listings are from the genlogon directory.</P +><P +>This is the genlogon.pl file: + +<PRE +CLASS="PROGRAMLISTING" +> #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from smb.conf + # with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standard's Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. 
+ + # Log client connection + #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + open LOG, ">>/var/log/samba/netlogon.log"; + print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; + close LOG; + + # Start generating logon script + open LOGON, ">/shared/netlogon/$ARGV[0].bat"; + print LOGON "\@ECHO OFF\r\n"; + + # Connect shares just use by Software Development group + if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") + { + print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; + } + + # Connect shares just use by Technical Support staff + if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") + { + print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; + } + + # Connect shares just used by Administration staff + If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") + { + print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; + print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; + } + + # Now connect Printers. We handle just two or three users a little + # differently, because they are the exceptions that have desktop + # printers on LPT1: - all other user's go to the LaserJet on the + # server. + if ($ARGV[0] eq 'jim' + || $ARGV[0] eq 'yvonne') + { + print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + else + { + print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + + # All done! Close the output file. + close LOGON;</PRE +></P +><P +>Those wishing to use more elaborate or capable logon processing system should check out the following sites:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>http://www.craigelachie.org/rhacer/ntlogon</TD +></TR +><TR +><TD +>http://www.kixtart.org</TD +></TR +></TBODY +></TABLE +><P +></P ></DIV ></DIV ><DIV 
@@ -14871,14 +13632,14 @@ CLASS="CHAPTER" ><A NAME="POLICYMGMT" ></A ->Chapter 16. System and Account Policies</H1 +>Chapter 17. System and Account Policies</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2929" ->16.1. Creating and Managing System Policies</A +NAME="AEN2959" +>17.1. Creating and Managing System Policies</A ></H2 ><P >Under MS Windows platforms, particularly those following the release of MS Windows @@ -14934,15 +13695,15 @@ TARGET="_top" There are a large number of documents in addition to this old one that should also be read and understood. Try searching on the Microsoft web site for "Group Policies".</P ><P ->What follows is a very discussion with some helpful notes. The information provided +>What follows is a very brief discussion with some helpful notes. The information provided here is incomplete - you are warned.</P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2943" ->16.1.1. Windows 9x/Me Policies</A +NAME="AEN2973" +>17.1.1. Windows 9x/Me Policies</A ></H3 ><P >You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. @@ -14991,8 +13752,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2955" ->16.1.2. Windows NT4 Style Policy Files</A +NAME="AEN2985" +>17.1.2. Windows NT4 Style Policy Files</A ></H3 ><P >To create or edit <TT @@ -15056,8 +13817,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2970" ->16.1.2.1. Registry Tattoos</A +NAME="AEN3000" +>17.1.2.1. Registry Tattoos</A ></H4 ><P > With NT4 style registry based policy changes, a large number of settings are not @@ -15074,8 +13835,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2973" ->16.1.3. MS Windows 200x / XP Professional Policies</A +NAME="AEN3003" +>17.1.3. MS Windows 200x / XP Professional Policies</A ></H3 ><P >Windows NT4 System policies allows setting of registry parameters specific to 
@@ -15134,8 +13895,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2984" ->16.1.3.1. Administration of Win2K / XP Policies</A +NAME="AEN3014" +>17.1.3.1. Administration of Win2K / XP Policies</A ></H4 ><DIV CLASS="PROCEDURE" @@ -15156,8 +13917,6 @@ CLASS="FILENAME" >Start->Programs->Administrative Tools</TT > and select the MMC snap-in called "Active Directory Users and Computers"</P -><P -></P ></LI ><LI ><P @@ -15219,8 +13978,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3002" ->16.2. Managing Account/User Policies</A +NAME="AEN3031" +>17.2. Managing Account/User Policies</A ></H2 ><P >Policies can define a specific user's settings or the settings for a group of users. The resulting @@ -15289,8 +14048,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3017" ->16.2.1. With Windows NT4/200x</A +NAME="AEN3046" +>17.2.1. With Windows NT4/200x</A ></H3 ><P >The tools that may be used to configure these types of controls from the MS Windows environment are: @@ -15303,8 +14062,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3020" ->16.2.2. With a Samba PDC</A +NAME="AEN3049" +>17.2.2. With a Samba PDC</A ></H3 ><P >With a Samba Domain Controller, the new tools for managing of user account and policy information includes: 
@@ -15315,6 +14074,123 @@ CLASS="FILENAME" man pages for these tools and become familiar with their use.</P ></DIV ></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3053" +>17.3. System Startup and Logon Processing Overview</A +></H2 +><P +>The following attempts to document the order of processing of system and user policies following a system +reboot and as part of the user logon:</P +><P +></P +><OL +TYPE="1" +><LI +><P +> Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming + Convention Provider (MUP) start + </P +></LI +><LI +><P +> Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded + and applied. The list may include GPOs that: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Apply to the location of machines in a Directory</TD +></TR +><TR +><TD +>Apply only when settings have changed</TD +></TR +><TR +><TD +>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</TD +></TR +></TBODY +></TABLE +><P +></P +> + No desktop user interface is presented until the above have been processed. + </P +></LI +><LI +><P +> Execution of start-up scripts (hidden and synchronous by defaut). + </P +></LI +><LI +><P +> A keyboard action to affect start of logon (Ctrl-Alt-Del). + </P +></LI +><LI +><P +> User credentials are validated, User profile is loaded (depends on policy settings). + </P +></LI +><LI +><P +> An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of: + +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Is user a domain member, thus subject to particular policies</TD +></TR +><TR +><TD +>Loopback enablement, and the state of the loopback policy (Merge or Replace)</TD +></TR +><TR +><TD +>Location of the Active Directory itself</TD +></TR +><TR +><TD +>Has the list of GPOs changed. 
No processing is needed if not changed.</TD +></TR +></TBODY +></TABLE +><P +></P +> + </P +></LI +><LI +><P +> User Policies are applied from Active Directory. Note: There are several types. + </P +></LI +><LI +><P +> Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group + Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal + window. + </P +></LI +><LI +><P +> The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 + Domain) machine (system) policies are applied at start-up, User policies are applied at logon. + </P +></LI +></OL +></DIV ></DIV ><DIV CLASS="CHAPTER" @@ -15322,14 +14198,14 @@ CLASS="CHAPTER" ><A NAME="PROFILEMGMT" ></A ->Chapter 17. Desktop Profile Management</H1 +>Chapter 18. Desktop Profile Management</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3035" ->17.1. Roaming Profiles</A +NAME="AEN3096" +>18.1. Roaming Profiles</A ></H2 ><DIV CLASS="WARNING" @@ -15373,8 +14249,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3042" ->17.1.1. Samba Configuration for Profile Handling</A +NAME="AEN3103" +>18.1.1. Samba Configuration for Profile Handling</A ></H3 ><P >This section documents how to configure Samba for MS Windows client profile support.</P @@ -15383,8 +14259,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3045" ->17.1.1.1. NT4/200x User Profiles</A +NAME="AEN3106" +>18.1.1.1. NT4/200x User Profiles</A ></H4 ><P >To support Windowns NT4/200x clients, in the [global] section of smb.conf set the @@ -15445,8 +14321,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3055" ->17.1.1.2. Windows 9x / Me User Profiles</A +NAME="AEN3116" +>18.1.1.2. Windows 9x / Me User Profiles</A ></H4 ><P >To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has 
@@ -15457,7 +14333,7 @@ CLASS="USERINPUT" on the <B CLASS="COMMAND" >logon home</B ->< parameter.</P +> parameter.</P ><P >By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you @@ -15496,8 +14372,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3070" ->17.1.1.3. Mixed Windows 9x / Me and Windows NT4/200x User Profiles</A +NAME="AEN3131" +>18.1.1.3. Mixed Windows 9x / Me and Windows NT4/200x User Profiles</A ></H4 ><P >You can support profiles for both Win9X and WinNT clients by setting both the @@ -15521,16 +14397,16 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3077" ->17.1.2. Windows Client Profile Configuration Information</A +NAME="AEN3138" +>18.1.2. Windows Client Profile Configuration Information</A ></H3 ><DIV CLASS="SECT3" ><H4 CLASS="SECT3" ><A -NAME="AEN3079" ->17.1.2.1. Windows 9x / Me Profile Setup</A +NAME="AEN3140" +>18.1.2.1. Windows 9x / Me Profile Setup</A ></H4 ><P >When a user first logs in on Windows 9X, the file user.DAT is created, @@ -15692,8 +14568,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3115" ->17.1.2.2. Windows NT4 Workstation</A +NAME="AEN3176" +>18.1.2.2. Windows NT4 Workstation</A ></H4 ><P >When a user first logs in to a Windows NT Workstation, the profile @@ -15733,8 +14609,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3124" ->17.1.2.3. Windows 2000/XP Professional</A +NAME="AEN3185" +>18.1.2.3. Windows 2000/XP Professional</A ></H4 ><P >You must first convert the profile from a local profile to a domain @@ -15983,8 +14859,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3197" ->17.1.3. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +NAME="AEN3258" +>18.1.3. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A ></H3 ><P >Sharing of desktop profiles between Windows versions is NOT recommended. 
@@ -16021,8 +14897,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3204" ->17.1.4. Profile Migration from Windows NT4/200x Server to Samba</A +NAME="AEN3265" +>18.1.4. Profile Migration from Windows NT4/200x Server to Samba</A ></H3 ><P >There is nothing to stop you specifying any path that you like for the @@ -16034,8 +14910,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3207" ->17.1.4.1. Windows NT4 Profile Management Tools</A +NAME="AEN3268" +>18.1.4.1. Windows NT4 Profile Management Tools</A ></H4 ><P >Unfortunately, the Resource Kit information is specific to the version of MS Windows @@ -16117,8 +14993,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3230" ->17.1.4.2. Side bar Notes</A +NAME="AEN3291" +>18.1.4.2. Side bar Notes</A ></H4 ><P >You should obtain the SID of your NT4 domain. You can use smbpasswd to do @@ -16133,8 +15009,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3234" ->17.1.4.3. moveuser.exe</A +NAME="AEN3295" +>18.1.4.3. moveuser.exe</A ></H4 ><P >The W2K professional resource kit has moveuser.exe. moveuser.exe changes @@ -16146,8 +15022,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3237" ->17.1.4.4. Get SID</A +NAME="AEN3298" +>18.1.4.4. Get SID</A ></H4 ><P >You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 @@ -16170,8 +15046,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3242" ->17.2. Mandatory profiles</A +NAME="AEN3303" +>18.2. Mandatory profiles</A ></H2 ><P >A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. @@ -16219,8 +15095,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3249" ->17.3. Creating/Managing Group Profiles</A +NAME="AEN3310" +>18.3. Creating/Managing Group Profiles</A ></H2 ><P >Most organisations are arranged into departments. There is a nice benenfit in 
@@ -16268,8 +15144,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3255" ->17.4. Default Profile for Windows Users</A +NAME="AEN3316" +>18.4. Default Profile for Windows Users</A ></H2 ><P >MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom @@ -16278,15 +15154,13 @@ is located on the Windows workstation, and knowing which registry keys affect th from which the default profile is created, it is possible to modify the default profile to one that has been optimised for the site. This has significant administrative advantages.</P -><P -></P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3259" ->17.4.1. MS Windows 9x/Me</A +NAME="AEN3319" +>18.4.1. MS Windows 9x/Me</A ></H3 ><P >To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System @@ -16307,8 +15181,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3265" ->17.4.1.1. How User Profiles Are Handled in Windows 9x / Me?</A +NAME="AEN3325" +>18.4.1.1. How User Profiles Are Handled in Windows 9x / Me?</A ></H4 ><P >When a user logs on to a Windows 9x / Me machine, the local profile path, @@ -16336,8 +15210,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3271" ->17.4.2. MS Windows NT4 Workstation</A +NAME="AEN3331" +>18.4.2. MS Windows NT4 Workstation</A ></H3 ><P >On MS Windows NT4 the default user profile is obtained from the location @@ -16570,8 +15444,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3325" ->17.4.3. MS Windows 200x/XP</A +NAME="AEN3385" +>18.4.3. MS Windows 200x/XP</A ></H3 ><DIV CLASS="NOTE" 
@@ -16808,23 +15682,23 @@ CLASS="CHAPTER" ><A NAME="INTERDOMAINTRUSTS" ></A ->Chapter 18. Interdomain Trust Relationships</H1 +>Chapter 19. Interdomain Trust Relationships</H1 ><P >Samba-3 supports NT4 style domain trust relationships. This is feature that many sites will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to adopt Active Directory or an LDAP based authentication back end. This section explains some background information regarding trust relationships and how to create them. It is now -possible for Samba3 to NT4 trust (and vica versa), as well as Samba3 to Samba3 trusts.</P +possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.</P ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3386" ->18.1. Trust Relationship Background</A +NAME="AEN3447" +>19.1. Trust Relationship Background</A ></H2 ><P ->MS Windows NT3.x/4.0 type security domains employ a non-hierchical security structure. +>MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. The limitations of this architecture as it affects the scalability of MS Windows networking in large organisations is well known. Additionally, the flat-name space that results from this design significantly impacts the delegation of administrative responsibilities in @@ -16837,7 +15711,7 @@ is quite adequate, there thus remains an entrenched user base for whom there is desire to go through a disruptive change to adopt ADS.</P ><P >Microsoft introduced with MS Windows NT the ability to allow differing security domains -to affect a mechanism so that users from one domain may be given access rights and privilidges +to affect a mechanism so that users from one domain may be given access rights and privileges in another domain. The language that describes this capability is couched in terms of <SPAN CLASS="emphasis" 
@@ -16853,9 +15727,9 @@ CLASS="EMPHASIS" ></SPAN > the users from another domain. The domain from which users are available to another security domain is -said to be a trusted domain. The domain in which those users have assigned rights and privilidges +said to be a trusted domain. The domain in which those users have assigned rights and privileges is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, -thus if users in both domains are to have privilidges and rights in each others' domain, then it is +thus if users in both domains are to have privileges and rights in each others' domain, then it is necessary to establish two (2) relationships, one in each direction.</P ><P >In an NT4 style MS security domain, all trusts are non-transitive. This means that if there 
@@ -16867,25 +15741,27 @@ transitive.</P >New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is -an inherent feature of ADS domains.</P +an inherent feature of ADS domains. Samba-3 implements MS Windows NT4 +style Interdomain trusts and interoperates with MS Windows 200x ADS +security domains in similar manner to MS Windows NT4 style domains.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3395" ->18.2. MS Windows NT4 Trust Configuration</A +NAME="AEN3456" +>19.2. Native MS Windows NT4 Trusts Configuration</A ></H2 ><P ->There are two steps to creating an inter-domain trust relationship. </P +>There are two steps to creating an interdomain trust relationship.</P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3398" ->18.2.1. NT4 as the Trusting Domain</A +NAME="AEN3459" +>19.2.1. NT4 as the Trusting Domain (ie. creating the trusted account)</A ></H3 ><P >For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. 
@@ -16895,15 +15771,16 @@ User Manager Policies entry on the menu bar. From the Policy menu, select Trust next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and "Remove". The "Add" button will open a panel in which needs to be entered the remote domain that will be able to assign user rights to your domain. In addition it is necessary to enter a password -that is specific to this trust relationship. The password is added twice.</P +that is specific to this trust relationship. The password needs to be +typed twice (for standard confirmation).</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3401" ->18.2.2. NT4 as the Trusted Domain</A +NAME="AEN3462" +>19.2.2. NT4 as the Trusted Domain (ie. creating trusted account's password)</A ></H3 ><P >A trust relationship will work only when the other (trusting) domain makes the appropriate connections @@ -16911,8 +15788,6 @@ with the trusted domain. To consumate the trust relationship the administrator w Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the "Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in which must be entered the name of the remote domain as well as the password assigned to that trust.</P -><P -></P ></DIV ></DIV ><DIV 
@@ -16920,17 +15795,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3405" ->18.3. Configuring Samba Domain Trusts</A +NAME="AEN3465" +>19.3. Configuring Samba NT-style Domain Trusts</A ></H2 ><P ->This descitpion is meant to be a fairly short introduction about how to set up a Samba server so +>This description is meant to be a fairly short introduction about how to set up a Samba server so that it could participate in interdomain trust relationships. Trust relationship support in Samba -is in its early stage, so lot of things don't work yet. Paricularly, the contents of this document -applies to NT4-style trusts.</P +is in its early stage, so lot of things don't work yet.</P ><P >Each of the procedures described below is treated as they were performed with Windows NT4 Server on -one end. The other end could just as well be another Samba3 domain. It can be clearly seen, after +one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after reading this document, that combining Samba-specific parts of what's written below leads to trust between domains in purely Samba environment.</P ><DIV 
@@ -16938,84 +15812,100 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3409" ->18.3.1. Samba3 as the Trusting Domain</A +NAME="AEN3469" +>19.3.1. Samba-3 as the Trusting Domain</A ></H3 ><P >In order to set Samba PDC to be trusted party of the relationship first you need -to create special account for domain that will be the trusting party. To do that, -you can use 'smbpasswd' utility. Creating the trusted domain account is very -similiar to creating the connection to the trusting machine's account. Suppose, -your domain is called SAMBA, and the remote domain is called RUMBA. Your first -step will be to issue this command from your favourite shell:</P +to create special account for the domain that will be the trusting party. To do that, +you can use the 'smbpasswd' utility. Creating the trusted domain account is very +similiar to creating a trusted machine account. Suppose, your domain is +called SAMBA, and the remote domain is called RUMBA. The first step +will be to issue this command from your favourite shell:</P ><P ><PRE -CLASS="PROGRAMLISTING" -> deity# smbpasswd -a -i rumba - New SMB password: XXXXXXXX - Retype SMB password: XXXXXXXX - Added user rumba$ - - where: - -a means to add a new account into the passdb database - -i means create this account with the Inter-Domain trust flag +CLASS="SCREEN" +> <SAMP +CLASS="PROMPT" +>deity#</SAMP +> <KBD +CLASS="USERINPUT" +>smbpasswd -a -i rumba</KBD +> + New SMB password: XXXXXXXX + Retype SMB password: XXXXXXXX + Added user rumba$</PRE +> - The account name will be 'rumba$' (the name ofthe remote domain)</PRE -></P +where <VAR +CLASS="PARAMETER" +>-a</VAR +> means to add a new account into the +passdb database and <VAR +CLASS="PARAMETER" +>-i</VAR +> means: ''create this +account with the InterDomain trust flag''</P +><P +>The account name will be 'rumba$' (the name of the remote domain)</P ><P ->fter issuing this command you'll be asked for typing account's -password. 
You can use any password you want, but be aware that Windows NT will -not change this password until 7 days have passed since account creating. -After command returns successfully, you can look at your new account's entry +>After issuing this command you'll be asked to enter the password for +the account. You can use any password you want, but be aware that Windows NT will +not change this password until 7 days following account creation. +After the command returns successfully, you can look at the entry for new account (in the way depending on your configuration) and see that account's name is really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm the trust by establishing it from Windows NT Server.</P ><P >Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. -Right beside 'Trusted domains' list press 'Add...' button. You'll be prompted for -trusted domain name and the relationship's password. Type in SAMBA, as this is -your domain name and the password you've just used during account creation. -Press OK and if everything went fine, you will see 'Trusted domain relationship -successfully established' message. Well done.</P +Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for +the trusted domain name and the relationship password. Type in SAMBA, as this is +your domain name, and the password used at the time of account creation. +Press OK and, if everything went without incident, you will see 'Trusted domain relationship +successfully established' message.</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3416" ->18.3.2. Samba3 as the Trusted Domain</A +NAME="AEN3481" +>19.3.2. Samba-3 as the Trusted Domain</A ></H3 ><P >This time activities are somewhat reversed. 
Again, we'll assume that your domain -controlled by Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.</P +controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.</P ><P ->The very first thing is to add account for SAMBA domain on RUMBA's PDC.</P +>The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.</P ><P >Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted -domein (SAMBA) and password securing the relationship.</P +domain (SAMBA) and password securing the relationship.</P ><P ->Password can be arbitrarily chosen the more, because it's easy to change it -from Samba server whenever you want. After confirming password your account is -ready and waiting. Now it's Samba's turn.</P +>The password can be arbitrarily chosen. It is easy to change it the password +from Samba server whenever you want. After confirming the password your account is +ready for use. Now it's Samba's turn.</P ><P ->Using your favourite shell while being logged on as root, issue this command:</P +>Using your favourite shell while being logged in as root, issue this command:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> deity# net rpc trustdom establish rumba</PRE +><SAMP +CLASS="PROMPT" +>deity# </SAMP +><KBD +CLASS="USERINPUT" +>net rpc trustdom establish rumba</KBD ></P ><P ->You'll be prompted for password you've just typed on your Windows NT4 Server box. -Don't worry if you will see the error message with returned code of -<TT -CLASS="FILENAME" ->NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</TT +>You will be prompted for the password you just typed on your Windows NT4 Server box. +Don not worry if you see an error message that mentions a returned code of +<SPAN +CLASS="ERRORNAME" +>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</SPAN >. 
It means the -password you gave is correct and the NT4 Server says the account is ready for trusting your domain -and not for ordinary connection. After that, be patient it can take a while (especially -in large networks), you should see 'Success' message. Contgratulations! Your trust +password you gave is correct and the NT4 Server says the account is +ready for interdomain connection and not for ordinary +connection. After that, be patient it can take a while (especially +in large networks), you should see the 'Success' message. Congratulations! Your trust relationship has just been established.</P ><DIV CLASS="NOTE" @@ -17038,8 +15928,11 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->Note that you have to run this command as root, since you need write access to -your secrets.tdb file.</P +>Note that you have to run this command as root because you must have write access to +the <TT +CLASS="FILENAME" +>secrets.tdb</TT +> file.</P ></TD ></TR ></TABLE @@ -17053,14 +15946,14 @@ CLASS="CHAPTER" ><A NAME="PAM" ></A ->Chapter 19. PAM Configuration for Centrally Managed Authentication</H1 +>Chapter 20. PAM Configuration for Centrally Managed Authentication</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3440" ->19.1. Samba and PAM</A +NAME="AEN3508" +>20.1. Samba and PAM</A ></H2 ><P >A number of Unix systems (eg: Sun Solaris), as well as the @@ -17342,8 +16235,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3491" ->19.2. Distributed Authentication</A +NAME="AEN3559" +>20.2. Distributed Authentication</A ></H2 ><P >The astute administrator will realize from this that the @@ -17368,8 +16261,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3496" ->19.3. PAM Configuration in smb.conf</A +NAME="AEN3564" +>20.3. PAM Configuration in smb.conf</A ></H2 ><P >There is an option in smb.conf called <A 
@@ -17410,14 +16303,14 @@ CLASS="CHAPTER" ><A NAME="VFS" ></A ->Chapter 20. Stackable VFS modules</H1 +>Chapter 21. Stackable VFS modules</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3531" ->20.1. Introduction and configuration</A +NAME="AEN3601" +>21.1. Introduction and configuration</A ></H2 ><P >Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. @@ -17457,16 +16350,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3540" ->20.2. Included modules</A +NAME="AEN3610" +>21.2. Included modules</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3542" ->20.2.1. audit</A +NAME="AEN3612" +>21.2.1. audit</A ></H3 ><P >A simple module to audit file access to the syslog @@ -17503,8 +16396,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3550" ->20.2.2. extd_audit</A +NAME="AEN3620" +>21.2.2. extd_audit</A ></H3 ><P >This module is identical with the <SPAN @@ -17525,8 +16418,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3554" ->20.2.3. recycle</A +NAME="AEN3624" +>21.2.3. recycle</A ></H3 ><P >A recycle-bin like modules. When used any unlink call @@ -17596,8 +16489,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3591" ->20.2.4. netatalk</A +NAME="AEN3661" +>21.2.4. netatalk</A ></H3 ><P >A netatalk module, that will ease co-existence of samba and @@ -17629,8 +16522,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3598" ->20.3. VFS modules available elsewhere</A +NAME="AEN3668" +>21.3. VFS modules available elsewhere</A ></H2 ><P >This section contains a listing of various other VFS modules that @@ -17645,8 +16538,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3602" ->20.3.1. DatabaseFS</A +NAME="AEN3672" +>21.3.1. DatabaseFS</A ></H3 ><P >URL: <A @@ -17679,8 +16572,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3610" ->20.3.2. vscan</A +NAME="AEN3680" +>21.3.2. vscan</A ></H3 ><P >URL: <A 
@@ -17703,14 +16596,14 @@ CLASS="CHAPTER" ><A NAME="MSDFS" ></A ->Chapter 21. Hosting a Microsoft Distributed File System tree on Samba</H1 +>Chapter 22. Hosting a Microsoft Distributed File System tree on Samba</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3626" ->21.1. Instructions</A +NAME="AEN3696" +>22.1. Instructions</A ></H2 ><P >The Distributed File System (or Dfs) provides a means of @@ -17841,8 +16734,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3661" ->21.1.1. Notes</A +NAME="AEN3731" +>22.1.1. Notes</A ></H3 ><P ></P @@ -17876,7 +16769,7 @@ CLASS="CHAPTER" ><A NAME="INTEGRATE-MS-NETWORKS" ></A ->Chapter 22. Integrating MS Windows networks with Samba</H1 +>Chapter 23. Integrating MS Windows networks with Samba</H1 ><P >This section deals with NetBIOS over TCP/IP name to IP address resolution. If you your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this @@ -17957,8 +16850,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3688" ->22.1. Name Resolution in a pure Unix/Linux world</A +NAME="AEN3759" +>23.1. Name Resolution in a pure Unix/Linux world</A ></H2 ><P >The key configuration files covered in this section are:</P @@ -17999,8 +16892,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3704" ->22.1.1. <TT +NAME="AEN3775" +>23.1.1. <TT CLASS="FILENAME" >/etc/hosts</TT ></A @@ -18080,8 +16973,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3720" ->22.1.2. <TT +NAME="AEN3791" +>23.1.2. <TT CLASS="FILENAME" >/etc/resolv.conf</TT ></A @@ -18118,8 +17011,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3731" ->22.1.3. <TT +NAME="AEN3802" +>23.1.3. <TT CLASS="FILENAME" >/etc/host.conf</TT ></A @@ -18147,8 +17040,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3739" ->22.1.4. <TT +NAME="AEN3810" +>23.1.4. <TT CLASS="FILENAME" >/etc/nsswitch.conf</TT ></A 
@@ -18216,8 +17109,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3751" ->22.2. Name resolution as used within MS Windows networking</A +NAME="AEN3822" +>23.2. Name resolution as used within MS Windows networking</A ></H2 ><P >MS Windows networking is predicated about the name each machine @@ -18301,8 +17194,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3763" ->22.2.1. The NetBIOS Name Cache</A +NAME="AEN3834" +>23.2.1. The NetBIOS Name Cache</A ></H3 ><P >All MS Windows machines employ an in memory buffer in which is @@ -18328,8 +17221,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3768" ->22.2.2. The LMHOSTS file</A +NAME="AEN3839" +>23.2.2. The LMHOSTS file</A ></H3 ><P >This file is usually located in MS Windows NT 4.0 or @@ -18431,8 +17324,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3776" ->22.2.3. HOSTS file</A +NAME="AEN3847" +>23.2.3. HOSTS file</A ></H3 ><P >This file is usually located in MS Windows NT 4.0 or 2000 in @@ -18453,8 +17346,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3781" ->22.2.4. DNS Lookup</A +NAME="AEN3852" +>23.2.4. DNS Lookup</A ></H3 ><P >This capability is configured in the TCP/IP setup area in the network @@ -18473,8 +17366,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3784" ->22.2.5. WINS Lookup</A +NAME="AEN3855" +>23.2.5. WINS Lookup</A ></H3 ><P >A WINS (Windows Internet Name Server) service is the equivaent of the @@ -18519,14 +17412,14 @@ CLASS="CHAPTER" ><A NAME="IMPROVED-BROWSING" ></A ->Chapter 23. Improved browsing in samba</H1 +>Chapter 24. Improved browsing in samba</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3804" ->23.1. Overview of browsing</A +NAME="AEN3875" +>24.1. Overview of browsing</A ></H2 ><P >SMB networking provides a mechanism by which clients can access a list 
@@ -18557,8 +17450,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3810" ->23.2. Browsing support in samba</A +NAME="AEN3881" +>24.2. Browsing support in samba</A ></H2 ><P >Samba facilitates browsing. The browsing is supported by <SPAN @@ -18643,8 +17536,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3825" ->23.3. Problem resolution</A +NAME="AEN3896" +>24.3. Problem resolution</A ></H2 ><P >If something doesn't work then hopefully the log.nmb file will help @@ -18695,8 +17588,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3837" ->23.4. Browsing across subnets</A +NAME="AEN3908" +>24.4. Browsing across subnets</A ></H2 ><P >Since the release of Samba 1.9.17(alpha1) Samba has been @@ -18729,8 +17622,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3843" ->23.4.1. How does cross subnet browsing work ?</A +NAME="AEN3914" +>24.4.1. How does cross subnet browsing work ?</A ></H3 ><P >Cross subnet browsing is a complicated dance, containing multiple @@ -18940,8 +17833,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3878" ->23.5. Setting up a WINS server</A +NAME="AEN3949" +>24.5. Setting up a WINS server</A ></H2 ><P >Either a Samba machine or a Windows NT Server machine may be set up @@ -19035,8 +17928,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3901" ->23.6. Setting up Browsing in a WORKGROUP</A +NAME="AEN3972" +>24.6. Setting up Browsing in a WORKGROUP</A ></H2 ><P >To set up cross subnet browsing on a network containing machines @@ -19145,8 +18038,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3927" ->23.7. Setting up Browsing in a DOMAIN</A +NAME="AEN3998" +>24.7. Setting up Browsing in a DOMAIN</A ></H2 ><P >If you are adding Samba servers to a Windows NT Domain then @@ -19220,7 +18113,7 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="BROWSE-FORCE-MASTER" ->23.8. Forcing samba to be the master</A +>24.8. Forcing samba to be the master</A ></H2 ><P >Who becomes the <B 
@@ -19294,8 +18187,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3962" ->23.9. Making samba the domain master</A +NAME="AEN4033" +>24.9. Making samba the domain master</A ></H2 ><P >The domain master is responsible for collating the browse lists of @@ -19379,8 +18272,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3984" ->23.10. Note about broadcast addresses</A +NAME="AEN4055" +>24.10. Note about broadcast addresses</A ></H2 ><P >If your network uses a "0" based broadcast address (for example if it @@ -19393,8 +18286,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3987" ->23.11. Multiple interfaces</A +NAME="AEN4058" +>24.11. Multiple interfaces</A ></H2 ><P >Samba now supports machines with multiple network interfaces. If you @@ -19414,14 +18307,14 @@ CLASS="CHAPTER" ><A NAME="SECURING-SAMBA" ></A ->Chapter 24. Securing Samba</H1 +>Chapter 25. Securing Samba</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN4003" ->24.1. Introduction</A +NAME="AEN4074" +>25.1. Introduction</A ></H2 ><P >This note was attached to the Samba 2.2.8 release notes as it contained an @@ -19433,8 +18326,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4006" ->24.2. Using host based protection</A +NAME="AEN4077" +>25.2. Using host based protection</A ></H2 ><P >In many installations of Samba the greatest threat comes for outside @@ -19474,8 +18367,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4016" ->24.3. Using interface protection</A +NAME="AEN4087" +>25.3. Using interface protection</A ></H2 ><P >By default Samba will accept connections on any network interface that @@ -19491,8 +18384,6 @@ CLASS="PROGRAMLISTING" bind interfaces only = yes</PRE ></P ><P -></P -><P >This tells Samba to only listen for connections on interfaces with a name starting with 'eth' such as eth0, eth1, plus on the loopback interface called 'lo'. The name you will need to use depends on what 
@@ -19510,8 +18401,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4025" ->24.4. Using a firewall</A +NAME="AEN4095" +>25.4. Using a firewall</A ></H2 ><P >Many people use a firewall to deny access to services that they don't @@ -19540,8 +18431,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4032" ->24.5. Using a IPC$ share deny</A +NAME="AEN4102" +>25.5. Using a IPC$ share deny</A ></H2 ><P >If the above methods are not suitable, then you could also place a @@ -19579,8 +18470,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4041" ->24.6. Upgrading Samba</A +NAME="AEN4111" +>25.6. Upgrading Samba</A ></H2 ><P >Please check regularly on <A @@ -19599,14 +18490,14 @@ CLASS="CHAPTER" ><A NAME="UNICODE" ></A ->Chapter 25. Unicode/Charsets</H1 +>Chapter 26. Unicode/Charsets</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN4056" ->25.1. What are charsets and unicode?</A +NAME="AEN4127" +>26.1. What are charsets and unicode?</A ></H2 ><P >Computers communicate in numbers. In texts, each number will be @@ -19655,8 +18546,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4065" ->25.2. Samba and charsets</A +NAME="AEN4136" +>26.2. Samba and charsets</A ></H2 ><P >As of samba 3.0, samba can (and will) talk unicode over the wire. Internally, @@ -19671,12 +18562,9 @@ CLASS="VARIABLELIST" ><DD ><P > This is the charset used internally by your operating system. - The default is <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->ASCII</I -></SPAN + The default is <CODE +CLASS="CONSTANT" +>ASCII</CODE >, which is fine for most systems. </P 
@@ -19709,6 +18597,34 @@ CLASS="COMMAND" ></DL ></DIV ></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4155" +>26.3. Conversion from old names</A +></H2 +><P +>Because previous samba versions did not do any charset conversion, +characters in filenames are usually not correct in the unix charset but only +for the local charset used by the DOS/Windows clients.</P +><P +>The following script from Steve Langasek converts all +filenames from CP850 to the iso8859-15 charset.</P +><P +><SAMP +CLASS="PROMPT" +>#</SAMP +><KBD +CLASS="USERINPUT" +>find <VAR +CLASS="REPLACEABLE" +>/path/to/share</VAR +> -type f -exec bash -c 'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \ + -t iso8859-15`; if [ "$CP" != "$ISO" ]; then mv "$CP" "$ISO"; fi' \;</KBD +></P +></DIV ></DIV ></DIV ><DIV 
@@ -19721,890 +18637,953 @@ CLASS="TITLEPAGE" ><H1 CLASS="TITLE" >IV. Appendixes</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->26. <A -HREF="#SWAT" ->SWAT - The Samba Web Admininistration Tool</A -></DT -><DD -><DL -><DT ->26.1. <A -HREF="#AEN4098" ->SWAT Features and Benefits</A -></DT -><DD -><DL -><DT ->26.1.1. <A -HREF="#AEN4101" ->The SWAT Home Page</A -></DT -><DT ->26.1.2. <A -HREF="#AEN4104" ->Global Settings</A -></DT -><DT ->26.1.3. <A -HREF="#AEN4107" ->The SWAT Wizard</A -></DT -><DT ->26.1.4. <A -HREF="#AEN4110" ->Share Settings</A -></DT -><DT ->26.1.5. <A -HREF="#AEN4113" ->Printing Settings</A -></DT -><DT ->26.1.6. <A -HREF="#AEN4116" ->The Status Page</A -></DT -><DT ->26.1.7. <A -HREF="#AEN4119" ->The Password Change Page</A -></DT -></DL -></DD -></DL -></DD -><DT ->27. <A -HREF="#NT4MIGRATION" ->Migration from NT4 PDC to Samba-3 PDC</A -></DT -><DD -><DL -><DT ->27.1. <A -HREF="#AEN4134" ->Planning and Getting Started</A -></DT -><DD -><DL -><DT ->27.1.1. <A -HREF="#AEN4137" ->Objectives</A -></DT -><DT ->27.1.2. <A -HREF="#AEN4140" ->Steps In Migration Process</A -></DT -></DL -></DD -><DT ->27.2. <A -HREF="#AEN4143" ->Managing Samba-3 Domain Control</A -></DT -></DL -></DD -><DT ->28. <A -HREF="#SPEED" ->Samba performance issues</A -></DT -><DD -><DL -><DT ->28.1. <A -HREF="#AEN4163" ->Comparisons</A -></DT -><DT ->28.2. <A -HREF="#AEN4169" ->Socket options</A -></DT -><DT ->28.3. <A -HREF="#AEN4176" ->Read size</A -></DT -><DT ->28.4. <A -HREF="#AEN4181" ->Max xmit</A -></DT -><DT ->28.5. <A -HREF="#AEN4186" ->Log level</A -></DT -><DT ->28.6. <A -HREF="#AEN4189" ->Read raw</A -></DT -><DT ->28.7. <A -HREF="#AEN4194" ->Write raw</A -></DT -><DT ->28.8. <A -HREF="#AEN4198" ->Slow Clients</A -></DT -><DT ->28.9. <A -HREF="#AEN4202" ->Slow Logins</A -></DT -><DT ->28.10. <A -HREF="#AEN4205" ->Client tuning</A -></DT -></DL -></DD -><DT ->29. 
<A -HREF="#PORTABILITY" ->Portability</A -></DT -><DD -><DL -><DT ->29.1. <A -HREF="#AEN4249" ->HPUX</A -></DT -><DT ->29.2. <A -HREF="#AEN4255" ->SCO Unix</A -></DT -><DT ->29.3. <A -HREF="#AEN4259" ->DNIX</A -></DT -><DT ->29.4. <A -HREF="#AEN4288" ->RedHat Linux Rembrandt-II</A -></DT -><DT ->29.5. <A -HREF="#AEN4294" ->AIX</A -></DT -><DD -><DL -><DT ->29.5.1. <A -HREF="#AEN4296" ->Sequential Read Ahead</A -></DT -></DL -></DD -></DL -></DD -><DT ->30. <A -HREF="#OTHER-CLIENTS" ->Samba and other CIFS clients</A -></DT -><DD -><DL -><DT ->30.1. <A -HREF="#AEN4319" ->Macintosh clients?</A -></DT -><DT ->30.2. <A -HREF="#AEN4328" ->OS2 Client</A -></DT -><DD -><DL -><DT ->30.2.1. <A -HREF="#AEN4330" ->How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?</A -></DT -><DT ->30.2.2. <A -HREF="#AEN4345" ->How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?</A -></DT -><DT ->30.2.3. <A -HREF="#AEN4354" ->Are there any other issues when OS/2 (any version) - is used as a client?</A -></DT -><DT ->30.2.4. <A -HREF="#AEN4358" ->How do I get printer driver download working - for OS/2 clients?</A -></DT -></DL -></DD -><DT ->30.3. <A -HREF="#AEN4368" ->Windows for Workgroups</A -></DT -><DD -><DL -><DT ->30.3.1. <A -HREF="#AEN4370" ->Use latest TCP/IP stack from Microsoft</A -></DT -><DT ->30.3.2. <A -HREF="#AEN4375" ->Delete .pwl files after password change</A -></DT -><DT ->30.3.3. <A -HREF="#AEN4380" ->Configure WfW password handling</A -></DT -><DT ->30.3.4. <A -HREF="#AEN4384" ->Case handling of passwords</A -></DT -><DT ->30.3.5. <A -HREF="#AEN4389" ->Use TCP/IP as default protocol</A -></DT -></DL -></DD -><DT ->30.4. <A -HREF="#AEN4392" ->Windows '95/'98</A -></DT -><DT ->30.5. <A -HREF="#AEN4408" ->Windows 2000 Service Pack 2</A -></DT -><DT ->30.6. <A -HREF="#AEN4425" ->Windows NT 3.1</A -></DT -></DL -></DD -><DT ->31. <A -HREF="#COMPILING" ->How to compile SAMBA</A -></DT -><DD -><DL -><DT ->31.1. 
<A -HREF="#AEN4446" ->Access Samba source code via CVS</A -></DT -><DD -><DL -><DT ->31.1.1. <A -HREF="#AEN4448" ->Introduction</A -></DT -><DT ->31.1.2. <A -HREF="#AEN4453" ->CVS Access to samba.org</A -></DT -></DL -></DD -><DT ->31.2. <A -HREF="#AEN4489" ->Accessing the samba sources via rsync and ftp</A -></DT -><DT ->31.3. <A -HREF="#AEN4495" ->Building the Binaries</A -></DT -><DD -><DL -><DT ->31.3.1. <A -HREF="#AEN4523" ->Compiling samba with Active Directory support</A -></DT -></DL -></DD -><DT ->31.4. <A -HREF="#AEN4552" ->Starting the smbd and nmbd</A -></DT -><DD -><DL -><DT ->31.4.1. <A -HREF="#AEN4562" ->Starting from inetd.conf</A -></DT -><DT ->31.4.2. <A -HREF="#AEN4596" ->Alternative: starting it as a daemon</A -></DT -></DL -></DD -></DL -></DD -><DT ->32. <A -HREF="#BUGREPORT" ->Reporting Bugs</A -></DT -><DD -><DL -><DT ->32.1. <A -HREF="#AEN4627" ->Introduction</A -></DT -><DT ->32.2. <A -HREF="#AEN4637" ->General info</A -></DT -><DT ->32.3. <A -HREF="#AEN4643" ->Debug levels</A -></DT -><DT ->32.4. <A -HREF="#AEN4664" ->Internal errors</A -></DT -><DT ->32.5. <A -HREF="#AEN4678" ->Attaching to a running process</A -></DT -><DT ->32.6. <A -HREF="#AEN4686" ->Patches</A -></DT -></DL -></DD -><DT ->33. <A -HREF="#DIAGNOSIS" ->The samba checklist</A -></DT -><DD -><DL -><DT ->33.1. <A -HREF="#AEN4709" ->Introduction</A -></DT -><DT ->33.2. <A -HREF="#AEN4714" ->Assumptions</A -></DT -><DT ->33.3. <A -HREF="#AEN4733" ->The tests</A -></DT -><DT ->33.4. <A -HREF="#AEN4900" ->Still having troubles?</A -></DT -></DL -></DD -></DL -></DIV ></DIV ><DIV CLASS="CHAPTER" ><HR><H1 ><A -NAME="SWAT" +NAME="COMPILING" ></A ->Chapter 26. SWAT - The Samba Web Admininistration Tool</H1 +>Chapter 27. How to compile SAMBA</H1 ><P ->This is a rough guide to SWAT.</P +>You can obtain the samba source from the <A +HREF="http://samba.org/" +TARGET="_top" +>samba website</A +>. 
To obtain a development version, +you can download samba from CVS or using rsync.</P ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4098" ->26.1. SWAT Features and Benefits</A +NAME="AEN4183" +>27.1. Access Samba source code via CVS</A ></H2 -><P ->You must use at least the following ...</P ><DIV CLASS="SECT2" -><HR><H3 +><H3 CLASS="SECT2" ><A -NAME="AEN4101" ->26.1.1. The SWAT Home Page</A +NAME="AEN4185" +>27.1.1. Introduction</A ></H3 ><P ->Blah blah here.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4104" ->26.1.2. Global Settings</A -></H3 +>Samba is developed in an open environment. Developers use CVS +(Concurrent Versioning System) to "checkin" (also known as +"commit") new source code. Samba's various CVS branches can +be accessed via anonymous CVS using the instructions +detailed in this chapter.</P ><P ->Document steps right here!</P +>This chapter is a modified version of the instructions found at +<A +HREF="http://samba.org/samba/cvs.html" +TARGET="_top" +>http://samba.org/samba/cvs.html</A +></P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4107" ->26.1.3. The SWAT Wizard</A +NAME="AEN4190" +>27.1.2. CVS Access to samba.org</A ></H3 ><P ->Lots of blah blah here.</P -></DIV +>The machine samba.org runs a publicly accessible CVS +repository for access to the source code of several packages, +including samba, rsync and jitterbug. There are two main ways of +accessing the CVS server on this host.</P ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN4110" ->26.1.4. Share Settings</A -></H3 +NAME="AEN4193" +>27.1.2.1. Access via CVSweb</A +></H4 ><P ->Document steps right here!</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4113" ->26.1.5. Printing Settings</A -></H3 +>You can access the source code via your +favourite WWW browser. 
This allows you to access the contents of +individual files in the repository and also to look at the revision +history and commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository.</P ><P ->Document steps right here!</P +>Use the URL : <A +HREF="http://samba.org/cgi-bin/cvsweb" +TARGET="_top" +>http://samba.org/cgi-bin/cvsweb</A +></P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN4116" ->26.1.6. The Status Page</A -></H3 +NAME="AEN4198" +>27.1.2.2. Access via cvs</A +></H4 ><P ->Document steps right here!</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4119" ->26.1.7. The Password Change Page</A -></H3 +>You can also access the source code via a +normal cvs client. This gives you much more control over you can +do with the repository and allows you to checkout whole source trees +and keep them up to date via normal cvs commands. This is the +preferred method of access if you are a developer and not +just a casual browser.</P ><P ->Document steps right here!</P +>To download the latest cvs source code, point your +browser at the URL : <A +HREF="http://www.cyclic.com/" +TARGET="_top" +>http://www.cyclic.com/</A +>. +and click on the 'How to get cvs' link. CVS is free software under +the GNU GPL (as is Samba). Note that there are several graphical CVS clients +which provide a graphical interface to the sometimes mundane CVS commands. +Links to theses clients are also available from http://www.cyclic.com.</P +><P +>To gain access via anonymous cvs use the following steps. +For this example it is assumed that you want a copy of the +samba source code. For the other source code repositories +on this system just substitute the correct package name</P +><P +></P +><OL +TYPE="1" +><LI +><P +> Install a recent copy of cvs. All you really need is a + copy of the cvs client binary. 
+ </P +></LI +><LI +><P +> Run the command + </P +><P +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot login</KBD +> + </P +><P +> When it asks you for a password type <KBD +CLASS="USERINPUT" +>cvs</KBD +>. + </P +></LI +><LI +><P +> Run the command + </P +><P +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</KBD +> + </P +><P +> This will create a directory called samba containing the + latest samba source code (i.e. the HEAD tagged cvs branch). This + currently corresponds to the 3.0 development tree. + </P +><P +> CVS branches other HEAD can be obtained by using the <VAR +CLASS="PARAMETER" +>-r</VAR +> + and defining a tag name. A list of branch tag names can be found on the + "Development" page of the samba web site. A common request is to obtain the + latest 2.2 release code. This could be done by using the following userinput. + </P +><P +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</KBD +> + </P +></LI +><LI +><P +> Whenever you want to merge in the latest code changes use + the following command from within the samba directory: + </P +><P +> <KBD +CLASS="USERINPUT" +>cvs update -d -P</KBD +> + </P +></LI +></OL ></DIV ></DIV ></DIV ><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="NT4MIGRATION" -></A ->Chapter 27. Migration from NT4 PDC to Samba-3 PDC</H1 -><P ->This is a rough guide to assist those wishing to migrate from NT4 domain control to -Samba-3 based domain control.</P -><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4134" ->27.1. Planning and Getting Started</A +NAME="AEN4226" +>27.2. Accessing the samba sources via rsync and ftp</A ></H2 ><P ->You must use at least the following ...</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4137" ->27.1.1. Objectives</A -></H3 -><P ->Blah blah objectives here.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4140" ->27.1.2. 
Steps In Migration Process</A -></H3 +> pserver.samba.org also exports unpacked copies of most parts of the CVS tree at <A +HREF="ftp://pserver.samba.org/pub/unpacked" +TARGET="_top" +>ftp://pserver.samba.org/pub/unpacked</A +> and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. + See <A +HREF="http://rsync.samba.org/" +TARGET="_top" +>the rsync homepage</A +> for more info on rsync. + </P ><P ->Document steps right here!</P -></DIV +> The disadvantage of the unpacked trees + is that they do not support automatic + merging of local changes like CVS does. + rsync access is most convenient for an + initial install. + </P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4143" ->27.2. Managing Samba-3 Domain Control</A +NAME="AEN4232" +>27.3. Verifying Samba's PGP signature</A ></H2 ><P ->Lots of blah blah here.</P -></DIV +>In these days of insecurity, it's strongly recommended that you verify the PGP signature for any +source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of +all Samba downloads have had a corresponding PGP signature download (a very low percentage, which +should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP +signatures should be a standard reflex.</P +><P +>With that said, go ahead and download the following files:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc + $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc</PRE +></P +><P +>The first file is the PGP signature for the Samba source file; the other is the Samba public +PGP key itself. 
Import the public PGP key with:</P +><PRE +CLASS="PROGRAMLISTING" +> $ gpg --import samba-pubkey.asc</PRE +><P +>And verify the Samba source code integrity with:</P +><PRE +CLASS="PROGRAMLISTING" +> $ gzip -d samba-2.2.8a.tar.gz + $ gpg --verify samba-2.2.8a.tar.asc</PRE +><P +>If you receive a message like, "Good signature from Samba Distribution Verification Key..." +then all is well. The warnings about trust relationships can be ignored. An example of what +you would not want to see would be:</P +><PRE +CLASS="PROGRAMLISTING" +> gpg: BAD signature from "Samba Distribution Verification Key"</PRE ></DIV ><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SPEED" -></A ->Chapter 28. Samba performance issues</H1 -><DIV CLASS="SECT1" -><H2 +><HR><H2 CLASS="SECT1" ><A -NAME="AEN4163" ->28.1. Comparisons</A +NAME="AEN4244" +>27.4. Building the Binaries</A ></H2 ><P ->The Samba server uses TCP to talk to the client. Thus if you are -trying to see if it performs well you should really compare it to -programs that use the same protocol. The most readily available -programs for file transfer that use TCP are ftp or another TCP based -SMB server.</P +>To do this, first run the program <KBD +CLASS="USERINPUT" +>./configure + </KBD +> in the source directory. This should automatically + configure Samba for your operating system. If you have unusual + needs then you may wish to run</P ><P ->If you want to test against something like a NT or WfWg server then -you will have to disable all but TCP on either the client or -server. Otherwise you may well be using a totally different protocol -(such as Netbeui) and comparisons may not be valid.</P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>./configure --help + </KBD +></P ><P ->Generally you should find that Samba performs similarly to ftp at raw -transfer speed. It should perform quite a bit faster than NFS, -although this very much depends on your system.</P +>first to see what special options you can enable. 
+ Then executing</P ><P ->Several people have done comparisons between Samba and Novell, NFS or -WinNT. In some cases Samba performed the best, in others the worst. I -suspect the biggest factor is not Samba vs some other system but the -hardware and drivers used on the various systems. Given similar -hardware Samba should certainly be competitive in speed with other -systems.</P -></DIV +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>make</KBD +></P +><P +>will create the binaries. Once it's successfully + compiled you can use </P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>make install</KBD +></P +><P +>to install the binaries and manual pages. You can + separately install the binaries and/or man pages using</P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>make installbin + </KBD +></P +><P +>and</P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>make installman + </KBD +></P +><P +>Note that if you are upgrading for a previous version + of Samba you might like to know that the old versions of + the binaries will be renamed with a ".old" extension. You + can go back to the previous version with</P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>make revert + </KBD +></P +><P +>if you find this version a disaster!</P ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4169" ->28.2. Socket options</A -></H2 +NAME="AEN4272" +>27.4.1. Compiling samba with Active Directory support</A +></H3 ><P ->There are a number of socket options that can greatly affect the -performance of a TCP based server like Samba.</P +>In order to compile samba with ADS support, you need to have installed + on your system: + <P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>the MIT kerberos development libraries (either install from the sources or use a package). 
The heimdal libraries will not work.</TD +></TR +><TR +><TD +>the OpenLDAP development libraries.</TD +></TR +></TBODY +></TABLE ><P ->The socket options that Samba uses are settable both on the command -line with the -O option, or in the smb.conf file.</P +></P +></P ><P ->The "socket options" section of the smb.conf manual page describes how -to set these and gives recommendations.</P +>If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR.</P ><P ->Getting the socket options right can make a big difference to your -performance, but getting them wrong can degrade it by just as -much. The correct settings are very dependent on your local network.</P +>After you run configure make sure that <TT +CLASS="FILENAME" +>include/config.h</TT +> it generates contains lines like this:</P ><P ->The socket option TCP_NODELAY is the one that seems to make the -biggest single difference for most networks. Many people report that -adding "socket options = TCP_NODELAY" doubles the read performance of -a Samba drive. The best explanation I have seen for this is that the -Microsoft TCP/IP stack is slow in sending tcp ACKs.</P -></DIV +><PRE +CLASS="PROGRAMLISTING" +>#define HAVE_KRB5 1 +#define HAVE_LDAP 1 + </PRE +></P +><P +>If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it.</P ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN4176" ->28.3. Read size</A -></H2 +NAME="AEN4284" +>27.4.1.1. Installing the required packages for Debian</A +></H4 ><P ->The option "read size" affects the overlap of disk reads/writes with -network reads/writes. 
If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk.</P +>On Debian you need to install the following packages:</P ><P ->This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other.</P +> <P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>libkrb5-dev</TD +></TR +><TR +><TD +>krb5-user</TD +></TR +></TBODY +></TABLE ><P ->The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the best -value will vary greatly between systems anyway. A value over 65536 is -pointless and will cause you to allocate memory unnecessarily.</P +></P +> + </P ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN4181" ->28.4. Max xmit</A -></H2 +NAME="AEN4291" +>27.4.1.2. Installing the required packages for RedHat</A +></H4 ><P ->At startup the client and server negotiate a "maximum transmit" size, -which limits the size of nearly all SMB commands. You can set the -maximum size that Samba will negotiate using the "max xmit = " option -in smb.conf. Note that this is the maximum size of SMB request that -Samba will accept, but not the maximum size that the *client* will accept. -The client maximum receive size is sent to Samba by the client and Samba -honours this limit.</P +>On RedHat this means you should have at least: </P ><P ->It defaults to 65536 bytes (the maximum), but it is possible that some -clients may perform better with a smaller transmit unit. 
Trying values -of less than 2048 is likely to cause severe problems.</P +> <P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>krb5-workstation (for kinit)</TD +></TR +><TR +><TD +>krb5-libs (for linking with)</TD +></TR +><TR +><TD +>krb5-devel (because you are compiling from source)</TD +></TR +></TBODY +></TABLE ><P ->In most cases the default is the best option.</P +></P +> + </P +><P +>in addition to the standard development environment.</P +><P +>Note that these are not standard on a RedHat install, and you may need + to get them off CD2.</P +></DIV +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4186" ->28.5. Log level</A +NAME="AEN4301" +>27.5. Starting the smbd and nmbd</A ></H2 ><P ->If you set the log level (also known as "debug level") higher than 2 -then you may suffer a large drop in performance. This is because the -server flushes the log file after each operation, which can be very -expensive. </P -></DIV +>You must choose to start smbd and nmbd either + as daemons or from <SPAN +CLASS="APPLICATION" +>inetd</SPAN +>Don't try + to do both! Either you can put them in <TT +CLASS="FILENAME" +> inetd.conf</TT +> and have them started on demand + by <SPAN +CLASS="APPLICATION" +>inetd</SPAN +>, or you can start them as + daemons either from the command line or in <TT +CLASS="FILENAME" +> /etc/rc.local</TT +>. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start + Samba. In many cases you must be root.</P +><P +>The main advantage of starting <SPAN +CLASS="APPLICATION" +>smbd</SPAN +> + and <SPAN +CLASS="APPLICATION" +>nmbd</SPAN +> using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request.</P ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4189" ->28.6. Read raw</A -></H2 +NAME="AEN4311" +>27.5.1. 
Starting from inetd.conf</A +></H3 ><P ->The "read raw" operation is designed to be an optimised, low-latency -file read operation. A server may choose to not support it, -however. and Samba makes support for "read raw" optional, with it -being enabled by default.</P +>NOTE; The following will be different if + you use NIS, NIS+ or LDAP to distribute services maps.</P ><P ->In some cases clients don't handle "read raw" very well and actually -get lower performance using it than they get using the conventional -read operations. </P +>Look at your <TT +CLASS="FILENAME" +>/etc/services</TT +>. + What is defined at port 139/tcp. If nothing is defined + then add a line like this:</P ><P ->So you might like to try "read raw = no" and see what happens on your -network. It might lower, raise or not affect your performance. Only -testing can really tell.</P +><KBD +CLASS="USERINPUT" +>netbios-ssn 139/tcp</KBD +></P +><P +>similarly for 137/udp you should have an entry like:</P +><P +><KBD +CLASS="USERINPUT" +>netbios-ns 137/udp</KBD +></P +><P +>Next edit your <TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +> + and add two lines something like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd + netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd + </PRE +></P +><P +>The exact syntax of <TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +> + varies between unixes. Look at the other entries in inetd.conf + for a guide.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Some unixes already have entries like netbios_ns + (note the underscore) in <TT +CLASS="FILENAME" +>/etc/services</TT +>. 
+ You must either edit <TT +CLASS="FILENAME" +>/etc/services</TT +> or + <TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +> to make them consistent.</P +></TD +></TR +></TABLE ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN4194" ->28.7. Write raw</A -></H2 +CLASS="NOTE" ><P ->The "write raw" operation is designed to be an optimised, low-latency -file write operation. A server may choose to not support it, -however. and Samba makes support for "write raw" optional, with it -being enabled by default.</P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->Some machines may find "write raw" slower than normal write, in which -case you may wish to change this option.</P +>On many systems you may need to use the + <B +CLASS="COMMAND" +>interfaces</B +> option in <TT +CLASS="FILENAME" +>smb.conf</TT +> to specify the IP address + and netmask of your interfaces. Run <SPAN +CLASS="APPLICATION" +>ifconfig</SPAN +> + as root if you don't know what the broadcast is for your + net. <SPAN +CLASS="APPLICATION" +>nmbd</SPAN +> tries to determine it at run + time, but fails on some unixes. + </P +></TD +></TR +></TABLE ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN4198" ->28.8. Slow Clients</A -></H2 +CLASS="WARNING" ><P ->One person has reported that setting the protocol to COREPLUS rather -than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->I suspect that his PC's (386sx16 based) were asking for more data than -they could chew. 
I suspect a similar speed could be had by setting -"read raw = no" and "max xmit = 2048", instead of changing the -protocol. Lowering the "read size" might also help.</P +>Many unixes only accept around 5 + parameters on the command line in <TT +CLASS="FILENAME" +>inetd.conf</TT +>. + This means you shouldn't use spaces between the options and + arguments, or you should use a script, and start the script + from <B +CLASS="COMMAND" +>inetd</B +>.</P +></TD +></TR +></TABLE +></DIV +><P +>Restart <B +CLASS="COMMAND" +>inetd</B +>, perhaps just send + it a HUP. If you have installed an earlier version of <SPAN +CLASS="APPLICATION" +> nmbd</SPAN +> then you may need to kill nmbd as well.</P ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4202" ->28.9. Slow Logins</A -></H2 +NAME="AEN4345" +>27.5.2. Alternative: starting it as a daemon</A +></H3 ><P ->Slow logins are almost always due to the password checking time. Using -the lowest practical "password level" will improve things a lot. 
You -could also enable the "UFC crypt" option in the Makefile.</P +>To start the server as a daemon you should create + a script something like this one, perhaps calling + it <TT +CLASS="FILENAME" +>startsmb</TT +>.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> #!/bin/sh + /usr/local/samba/bin/smbd -D + /usr/local/samba/bin/nmbd -D + </PRE +></P +><P +>then make it executable with <B +CLASS="COMMAND" +>chmod + +x startsmb</B +></P +><P +>You can then run <B +CLASS="COMMAND" +>startsmb</B +> by + hand or execute it from <TT +CLASS="FILENAME" +>/etc/rc.local</TT +> + </P +><P +>To kill it send a kill signal to the processes + <B +CLASS="COMMAND" +>nmbd</B +> and <B +CLASS="COMMAND" +>smbd</B +>.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>If you use the SVR4 style init system then + you may like to look at the <TT +CLASS="FILENAME" +>examples/svr4-startup</TT +> + script to make Samba fit into that system.</P +></TD +></TR +></TABLE +></DIV +></DIV ></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="NT4MIGRATION" +></A +>Chapter 28. Migration from NT4 PDC to Samba-3 PDC</H1 +><P +>This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3 based domain control.</P ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4205" ->28.10. Client tuning</A +NAME="AEN4375" +>28.1. Planning and Getting Started</A ></H2 ><P ->Often a speed problem can be traced to the client. The client (for -example Windows for Workgroups) can often be tuned for better TCP -performance.</P -><P ->See your client docs for details. 
In particular, I have heard rumours -that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a -large impact on performance.</P -><P ->Also note that some people have found that setting DefaultRcvWindow in -the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a -big improvement. I don't know why.</P -><P ->My own experience wth DefaultRcvWindow is that I get much better -performance with a large value (16384 or larger). Other people have -reported that anything over 3072 slows things down enourmously. One -person even reported a speed drop of a factor of 30 when he went from -3072 to 8192. I don't know why.</P +>In the IT world there is often a saying that all problems are encountered because of +poor planning. The corrollary to this saying is that not all problems can be anticpated +and planned for. Then again, good planning will anticpate most show stopper type situations.</P ><P ->It probably depends a lot on your hardware, and the type of unix box -you have at the other end of the link.</P -><P ->Paul Cochrane has done some testing on client side tuning and come -to the following conclusions:</P +>Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get under way.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN4379" +>28.1.1. Objectives</A +></H3 ><P ->Install the W2setup.exe file from www.microsoft.com. This is an -update for the winsock stack and utilities which improve performance.</P +>The key objective for most organisations will be to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be one of convincing management that the new environment +should remain in place. 
Many who have introduced open source technologies have experienced +pressure to return to a Microsoft based platform solution at the first sign of trouble. </P ><P ->Configure the win95 TCPIP registry settings to give better -perfomance. I use a program called MTUSPEED.exe which I got off the -net. There are various other utilities of this type freely available. -The setting which give the best performance for me are:</P +>It is strongly advised that before attempting a migration to a Samba-3 controlled network +that every possible effort be made to gain all-round commitment to the change. Firstly, you +should know precisely <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>why</I +></SPAN +> the change is important for the organisation. +Possible motivations to make a change include:</P ><P ></P -><OL -TYPE="1" +><UL ><LI ><P ->MaxMTU Remove</P +>Improve network manageability</P ></LI ><LI ><P ->RWIN Remove</P +>Obtain better user level functionality</P ></LI ><LI ><P ->MTUAutoDiscover Disable</P +>Reduce network operating costs</P ></LI ><LI ><P ->MTUBlackHoleDetect Disable</P +>Reduce exposure caused by Microsoft withdrawal of NT4 support</P ></LI ><LI ><P ->Time To Live Enabled</P +>Avoid MS License 6 implications</P ></LI ><LI ><P ->Time To Live - HOPS 32</P +>Reduce organisation's dependency on Microsoft</P ></LI -><LI +></UL ><P ->NDI Cache Size 0</P -></LI -></OL +>It is vital that oit be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and that offers some +advantages compared with it. It should also be recognised that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services).</P ><P ->I tried virtually all of the items mentioned in the document and -the only one which made a difference to me was the socket options. 
It -turned out I was better off without any!!!!!</P -><P ->In terms of overall speed of transfer, between various win95 clients -and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE -drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P +>What are the features the Samba-3 can NOT provide?</P ><P -><PRE -CLASS="PROGRAMLISTING" ->The figures are: Put Get -P166 client 3Com card: 420-440kB/s 500-520kB/s -P100 client 3Com card: 390-410kB/s 490-510kB/s -DX4-75 client NE2000: 370-380kB/s 330-350kB/s</PRE ></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Active Directory Server</TD +></TR +><TR +><TD +>Group Policy Objects (in Active Direcrtory)</TD +></TR +><TR +><TD +>Machine Policy objects</TD +></TR +><TR +><TD +>Logon Scripts in Active Directorty</TD +></TR +><TR +><TD +>Software Application and Access Controls in Active Directory</TD +></TR +></TBODY +></TABLE ><P ->I based these test on transfer two files a 4.5MB text file and a 15MB -textfile. The results arn't bad considering the hardware Samba is -running on. It's a crap machine!!!!</P -><P ->The updates mentioned in 1 and 2 brought up the transfer rates from -just over 100kB/s in some clients.</P +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN4405" +>28.1.2. Steps In Migration Process</A +></H3 ><P ->A new client is a P333 connected via a 100MB/s card and hub. The -transfer rates from this were good: 450-500kB/s on put and 600+kB/s -on get.</P +>This is not a definitive ste-by-step process yet - just a place holder so the info +is not lost. + +1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + +2. Samba-3 set up as a DC with netlogon share, profile share, etc. + +3. Process: + a. Create a BDC account for the samba server using NT Server Manager + - Samba must NOT be running + + b. rpcclient NT4PDC -U Administrator%passwd + lsaquery + + Note the SID returned by step b. + + c. 
net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + + Note the SID in step c. + + d. net getlocalsid + + Note the SID, now check that all three SIDS reported are the same! + + e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + + f. net rpc vampire -S NT4PDC -U administrator%passwd + + g. pdbedit -l + + Note - did the users migrate? + + h. initGrps.sh DOMNAME + + i. smbgroupedit -v + + Now check that all groups are recognised + + j. net rpc campire -S NT4PDC -U administrator%passwd + + k. pdbedit -lv + + Note - check that all group membership has been migrated. + + +Now it is time to migrate all the profiles, then migrate all policy files. + +Moe later.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4408" +>28.2. Managing Samba-3 Domain Control</A +></H2 ><P ->Looking at standard FTP throughput, Samba is a bit slower (100kB/s -upwards). I suppose there is more going on in the samba protocol, but -if it could get up to the rate of FTP the perfomance would be quite -staggering.</P +>Lots of blah blah here.</P ></DIV ></DIV ><DIV @@ -20623,7 +19602,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4249" +NAME="AEN4423" >29.1. HPUX</A ></H2 ><P @@ -20653,7 +19632,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4255" +NAME="AEN4429" >29.2. SCO Unix</A ></H2 ><P @@ -20670,7 +19649,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4259" +NAME="AEN4433" >29.3. DNIX</A ></H2 ><P @@ -20777,7 +19756,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4288" +NAME="AEN4462" >29.4. RedHat Linux Rembrandt-II</A ></H2 ><P @@ -20801,7 +19780,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4294" +NAME="AEN4468" >29.5. AIX</A ></H2 ><DIV @@ -20809,7 +19788,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN4296" +NAME="AEN4470" >29.5.1. Sequential Read Ahead</A ></H3 ><P 
@@ -20820,6 +19799,36 @@ CLASS="USERINPUT" samba performance significally.</P ></DIV ></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4474" +>29.6. Solaris</A +></H2 +><P +>Some people have been experiencing problems with F_SETLKW64/fcntl +when running samba on solaris. The built in file locking mechanism was +not scalable. Performance would degrade to the point where processes would +get into loops of trying to lock a file. It woul try a lock, then fail, +then try again. The lock attempt was failing before the grant was +occurring. So the visible manifestation of this would be a handful of +processes stealing all of the CPU, and when they were trussed they would +be stuck if F_SETLKW64 loops.</P +><P +>Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7 +has not been released yet.</P +><P +>The patch revision for 2.6 is 105181-34 +for 8 is 108528-19 +and for 9 is 112233-04</P +><P +>After the install of these patches it is recommended to reconfigure +and rebuild samba.</P +><P +>Thanks to Joe Meslovich for reporting</P +></DIV ></DIV ><DIV CLASS="CHAPTER" @@ -20835,7 +19844,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4319" +NAME="AEN4501" >30.1. Macintosh clients?</A ></H2 ><P @@ -20881,7 +19890,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4328" +NAME="AEN4510" >30.2. OS2 Client</A ></H2 ><DIV @@ -20889,7 +19898,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN4330" +NAME="AEN4512" >30.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></H3 @@ -20948,7 +19957,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4345" +NAME="AEN4527" >30.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></H3 @@ -20992,7 +20001,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4354" +NAME="AEN4536" >30.2.3. Are there any other issues when OS/2 (any version) is used as a client?</A ></H3 
@@ -21014,7 +20023,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4358" +NAME="AEN4540" >30.2.4. How do I get printer driver download working for OS/2 clients?</A ></H3 @@ -21061,7 +20070,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4368" +NAME="AEN4550" >30.3. Windows for Workgroups</A ></H2 ><DIV @@ -21069,7 +20078,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN4370" +NAME="AEN4552" >30.3.1. Use latest TCP/IP stack from Microsoft</A ></H3 ><P @@ -21091,7 +20100,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4375" +NAME="AEN4557" >30.3.2. Delete .pwl files after password change</A ></H3 ><P @@ -21111,7 +20120,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4380" +NAME="AEN4562" >30.3.3. Configure WfW password handling</A ></H3 ><P @@ -21130,7 +20139,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4384" +NAME="AEN4566" >30.3.4. Case handling of passwords</A ></H3 ><P @@ -21148,7 +20157,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4389" +NAME="AEN4571" >30.3.5. Use TCP/IP as default protocol</A ></H3 ><P @@ -21164,7 +20173,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4392" +NAME="AEN4574" >30.4. Windows '95/'98</A ></H2 ><P @@ -21212,7 +20221,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4408" +NAME="AEN4590" >30.5. Windows 2000 Service Pack 2</A ></H2 ><P @@ -21312,7 +20321,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4425" +NAME="AEN4607" >30.6. Windows NT 3.1</A ></H2 ><P 
@@ -21328,988 +20337,403 @@ TARGET="_top" CLASS="CHAPTER" ><HR><H1 ><A -NAME="COMPILING" +NAME="SWAT" ></A ->Chapter 31. How to compile SAMBA</H1 +>Chapter 31. SWAT - The Samba Web Admininistration Tool</H1 ><P ->You can obtain the samba source from the <A -HREF="http://samba.org/" -TARGET="_top" ->samba website</A ->. To obtain a development version, -you can download samba from CVS or using rsync. </P +>This is a rough guide to SWAT.</P ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4446" ->31.1. Access Samba source code via CVS</A +NAME="AEN4624" +>31.1. SWAT Features and Benefits</A ></H2 +><P +>You must use at least the following ...</P ><DIV CLASS="SECT2" -><H3 +><HR><H3 CLASS="SECT2" ><A -NAME="AEN4448" ->31.1.1. Introduction</A +NAME="AEN4627" +>31.1.1. The SWAT Home Page</A ></H3 ><P ->Samba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter.</P -><P ->This chapter is a modified version of the instructions found at -<A -HREF="http://samba.org/samba/cvs.html" -TARGET="_top" ->http://samba.org/samba/cvs.html</A -></P +>Blah blah here.</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4453" ->31.1.2. CVS Access to samba.org</A +NAME="AEN4630" +>31.1.2. Global Settings</A ></H3 ><P ->The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host.</P +>Document steps right here!</P +></DIV ><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4456" ->31.1.2.1. Access via CVSweb</A -></H4 -><P ->You can access the source code via your -favourite WWW browser. 
This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository.</P +NAME="AEN4633" +>31.1.3. The SWAT Wizard</A +></H3 ><P ->Use the URL : <A -HREF="http://samba.org/cgi-bin/cvsweb" -TARGET="_top" ->http://samba.org/cgi-bin/cvsweb</A -></P +>Lots of blah blah here.</P ></DIV ><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4461" ->31.1.2.2. Access via cvs</A -></H4 -><P ->You can also access the source code via a -normal cvs client. This gives you much more control over you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser.</P -><P ->To download the latest cvs source code, point your -browser at the URL : <A -HREF="http://www.cyclic.com/" -TARGET="_top" ->http://www.cyclic.com/</A ->. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com.</P -><P ->To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. - </P -></LI -><LI -><P -> Run the command - </P -><P -> <KBD -CLASS="USERINPUT" ->cvs -d :pserver:cvs@samba.org:/cvsroot login</KBD -> - </P -><P -> When it asks you for a password type <KBD -CLASS="USERINPUT" ->cvs</KBD ->. 
- </P -></LI -><LI -><P -> Run the command - </P -><P -> <KBD -CLASS="USERINPUT" ->cvs -d :pserver:cvs@samba.org:/cvsroot co samba</KBD -> - </P -><P -> This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. - </P -><P -> CVS branches other HEAD can be obtained by using the <VAR -CLASS="PARAMETER" ->-r</VAR -> - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following userinput. - </P -><P -> <KBD -CLASS="USERINPUT" ->cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</KBD -> - </P -></LI -><LI -><P -> Whenever you want to merge in the latest code changes use - the following command from within the samba directory: - </P +NAME="AEN4636" +>31.1.4. Share Settings</A +></H3 ><P -> <KBD -CLASS="USERINPUT" ->cvs update -d -P</KBD -> - </P -></LI -></OL -></DIV -></DIV +>Document steps right here!</P ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4489" ->31.2. Accessing the samba sources via rsync and ftp</A -></H2 -><P -> pserver.samba.org also exports unpacked copies of most parts of the CVS tree at <A -HREF="ftp://pserver.samba.org/pub/unpacked" -TARGET="_top" ->ftp://pserver.samba.org/pub/unpacked</A -> and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. - See <A -HREF="http://rsync.samba.org/" -TARGET="_top" ->the rsync homepage</A -> for more info on rsync. - </P +NAME="AEN4639" +>31.1.5. Printing Settings</A +></H3 ><P -> The disadvantage of the unpacked trees - is that they do not support automatic - merging of local changes like CVS does. - rsync access is most convenient for an - initial install. 
- </P +>Document steps right here!</P ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN4495" ->31.3. Building the Binaries</A -></H2 -><P ->To do this, first run the program <KBD -CLASS="USERINPUT" ->./configure - </KBD -> in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->./configure --help - </KBD -></P -><P ->first to see what special options you can enable. - Then executing</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make</KBD -></P -><P ->will create the binaries. Once it's successfully - compiled you can use </P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make install</KBD -></P -><P ->to install the binaries and manual pages. You can - separately install the binaries and/or man pages using</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make installbin - </KBD -></P -><P ->and</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make installman - </KBD -></P -><P ->Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. You - can go back to the previous version with</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->make revert - </KBD -></P +NAME="AEN4642" +>31.1.6. The Status Page</A +></H3 ><P ->if you find this version a disaster!</P +>Document steps right here!</P +></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4523" ->31.3.1. Compiling samba with Active Directory support</A +NAME="AEN4645" +>31.1.7. 
The Password Change Page</A ></H3 ><P ->In order to compile samba with ADS support, you need to have installed - on your system: - <P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->the MIT kerberos development libraries (either install from the sources or use a package). The heimdal libraries will not work.</TD -></TR -><TR -><TD ->the OpenLDAP development libraries.</TD -></TR -></TBODY -></TABLE -><P -></P -> - - </P -><P ->If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR.</P -><P ->After you run configure make sure that <TT -CLASS="FILENAME" ->include/config.h</TT -> it generates contains lines like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#define HAVE_KRB5 1 -#define HAVE_LDAP 1 - </PRE -></P -><P ->If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it.</P +>Document steps right here!</P +></DIV +></DIV +></DIV ><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" +CLASS="CHAPTER" +><HR><H1 ><A -NAME="AEN4535" ->31.3.1.1. Installing the required packages for Debian</A -></H4 -><P ->On Debian you need to install the following packages:</P -><P -> <P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->libkrb5-dev</TD -></TR -><TR -><TD ->krb5-user</TD -></TR -></TBODY -></TABLE -><P -></P -> - </P -></DIV +NAME="SPEED" +></A +>Chapter 32. Samba performance issues</H1 ><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" +CLASS="SECT1" +><H2 +CLASS="SECT1" ><A -NAME="AEN4542" ->31.3.1.2. Installing the required packages for RedHat</A -></H4 -><P ->On RedHat this means you should have at least: </P +NAME="AEN4666" +>32.1. 
Comparisons</A +></H2 ><P -> <P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->krb5-workstation (for kinit)</TD -></TR -><TR -><TD ->krb5-libs (for linking with)</TD -></TR -><TR -><TD ->krb5-devel (because you are compiling from source)</TD -></TR -></TBODY -></TABLE +>The Samba server uses TCP to talk to the client. Thus if you are +trying to see if it performs well you should really compare it to +programs that use the same protocol. The most readily available +programs for file transfer that use TCP are ftp or another TCP based +SMB server.</P ><P -></P -> - </P +>If you want to test against something like a NT or WfWg server then +you will have to disable all but TCP on either the client or +server. Otherwise you may well be using a totally different protocol +(such as Netbeui) and comparisons may not be valid.</P ><P ->in addition to the standard development environment.</P +>Generally you should find that Samba performs similarly to ftp at raw +transfer speed. It should perform quite a bit faster than NFS, +although this very much depends on your system.</P ><P ->Note that these are not standard on a RedHat install, and you may need - to get them off CD2.</P -></DIV -></DIV +>Several people have done comparisons between Samba and Novell, NFS or +WinNT. In some cases Samba performed the best, in others the worst. I +suspect the biggest factor is not Samba vs some other system but the +hardware and drivers used on the various systems. Given similar +hardware Samba should certainly be competitive in speed with other +systems.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4552" ->31.4. Starting the smbd and nmbd</A +NAME="AEN4672" +>32.2. Socket options</A ></H2 ><P ->You must choose to start smbd and nmbd either - as daemons or from <SPAN -CLASS="APPLICATION" ->inetd</SPAN ->Don't try - to do both! 
Either you can put them in <TT -CLASS="FILENAME" -> inetd.conf</TT -> and have them started on demand - by <SPAN -CLASS="APPLICATION" ->inetd</SPAN ->, or you can start them as - daemons either from the command line or in <TT -CLASS="FILENAME" -> /etc/rc.local</TT ->. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.</P -><P ->The main advantage of starting <SPAN -CLASS="APPLICATION" ->smbd</SPAN -> - and <SPAN -CLASS="APPLICATION" ->nmbd</SPAN -> using the recommended daemon method - is that they will respond slightly more quickly to an initial connection - request.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4562" ->31.4.1. Starting from inetd.conf</A -></H3 -><P ->NOTE; The following will be different if - you use NIS, NIS+ or LDAP to distribute services maps.</P -><P ->Look at your <TT -CLASS="FILENAME" ->/etc/services</TT ->. - What is defined at port 139/tcp. If nothing is defined - then add a line like this:</P -><P -><KBD -CLASS="USERINPUT" ->netbios-ssn 139/tcp</KBD -></P -><P ->similarly for 137/udp you should have an entry like:</P -><P -><KBD -CLASS="USERINPUT" ->netbios-ns 137/udp</KBD -></P -><P ->Next edit your <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> - and add two lines something like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd - netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - </PRE -></P -><P ->The exact syntax of <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> - varies between unixes. 
Look at the other entries in inetd.conf - for a guide.</P -><DIV -CLASS="NOTE" +>There are a number of socket options that can greatly affect the +performance of a TCP based server like Samba.</P ><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" +>The socket options that Samba uses are settable both on the command +line with the -O option, or in the smb.conf file.</P ><P ->Some unixes already have entries like netbios_ns - (note the underscore) in <TT -CLASS="FILENAME" ->/etc/services</TT ->. - You must either edit <TT -CLASS="FILENAME" ->/etc/services</TT -> or - <TT -CLASS="FILENAME" ->/etc/inetd.conf</TT -> to make them consistent.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="NOTE" +>The "socket options" section of the smb.conf manual page describes how +to set these and gives recommendations.</P ><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" +>Getting the socket options right can make a big difference to your +performance, but getting them wrong can degrade it by just as +much. The correct settings are very dependent on your local network.</P ><P ->On many systems you may need to use the - <B -CLASS="COMMAND" ->interfaces</B -> option in <TT -CLASS="FILENAME" ->smb.conf</TT -> to specify the IP address - and netmask of your interfaces. Run <SPAN -CLASS="APPLICATION" ->ifconfig</SPAN -> - as root if you don't know what the broadcast is for your - net. <SPAN -CLASS="APPLICATION" ->nmbd</SPAN -> tries to determine it at run - time, but fails on some unixes. 
- </P -></TD -></TR -></TABLE +>The socket option TCP_NODELAY is the one that seems to make the +biggest single difference for most networks. Many people report that +adding "socket options = TCP_NODELAY" doubles the read performance of +a Samba drive. The best explanation I have seen for this is that the +Microsoft TCP/IP stack is slow in sending tcp ACKs.</P ></DIV ><DIV -CLASS="WARNING" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4679" +>32.3. Read size</A +></H2 ><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" +>The option "read size" affects the overlap of disk reads/writes with +network reads/writes. If the amount of data being transferred in +several of the SMB commands (currently SMBwrite, SMBwriteX and +SMBreadbraw) is larger than this value then the server begins writing +the data before it has received the whole packet from the network, or +in the case of SMBreadbraw, it begins writing to the network before +all the data has been read from disk.</P ><P ->Many unixes only accept around 5 - parameters on the command line in <TT -CLASS="FILENAME" ->inetd.conf</TT ->. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from <B -CLASS="COMMAND" ->inetd</B ->.</P -></TD -></TR -></TABLE -></DIV +>This overlapping works best when the speeds of disk and network access +are similar, having very little effect when the speed of one is much +greater than the other.</P ><P ->Restart <B -CLASS="COMMAND" ->inetd</B ->, perhaps just send - it a HUP. 
If you have installed an earlier version of <SPAN -CLASS="APPLICATION" -> nmbd</SPAN -> then you may need to kill nmbd as well.</P +>The default value is 16384, but very little experimentation has been +done yet to determine the optimal value, and it is likely that the best +value will vary greatly between systems anyway. A value over 65536 is +pointless and will cause you to allocate memory unnecessarily.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" ><A -NAME="AEN4596" ->31.4.2. Alternative: starting it as a daemon</A -></H3 -><P ->To start the server as a daemon you should create - a script something like this one, perhaps calling - it <TT -CLASS="FILENAME" ->startsmb</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #!/bin/sh - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - </PRE -></P -><P ->then make it executable with <B -CLASS="COMMAND" ->chmod - +x startsmb</B -></P -><P ->You can then run <B -CLASS="COMMAND" ->startsmb</B -> by - hand or execute it from <TT -CLASS="FILENAME" ->/etc/rc.local</TT -> - </P +NAME="AEN4684" +>32.4. Max xmit</A +></H2 ><P ->To kill it send a kill signal to the processes - <B -CLASS="COMMAND" ->nmbd</B -> and <B -CLASS="COMMAND" ->smbd</B ->.</P -><DIV -CLASS="NOTE" +>At startup the client and server negotiate a "maximum transmit" size, +which limits the size of nearly all SMB commands. You can set the +maximum size that Samba will negotiate using the "max xmit = " option +in smb.conf. Note that this is the maximum size of SMB request that +Samba will accept, but not the maximum size that the *client* will accept. 
+The client maximum receive size is sent to Samba by the client and Samba +honours this limit.</P ><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" +>It defaults to 65536 bytes (the maximum), but it is possible that some +clients may perform better with a smaller transmit unit. Trying values +of less than 2048 is likely to cause severe problems.</P ><P ->If you use the SVR4 style init system then - you may like to look at the <TT -CLASS="FILENAME" ->examples/svr4-startup</TT -> - script to make Samba fit into that system.</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV +>In most cases the default is the best option.</P ></DIV ><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="BUGREPORT" -></A ->Chapter 32. Reporting Bugs</H1 -><DIV CLASS="SECT1" -><H2 +><HR><H2 CLASS="SECT1" ><A -NAME="AEN4627" ->32.1. Introduction</A +NAME="AEN4689" +>32.5. Log level</A ></H2 ><P ->The email address for bug reports for stable releases is <A -HREF="mailto:samba@samba.org" -TARGET="_top" ->samba@samba.org</A ->. -Bug reports for alpha releases should go to <A -HREF="mailto:samba-technical@samba.org" -TARGET="_top" ->samba-technical@samba.org</A ->.</P -><P ->Please take the time to read this file before you submit a bug -report. Also, please see if it has changed between releases, as we -may be changing the bug reporting mechanism at some time.</P -><P ->Please also do as much as you can yourself to help track down the -bug. Samba is maintained by a dedicated group of people who volunteer -their time, skills and efforts. We receive far more mail about it than -we can possibly answer, so you have a much higher chance of an answer -and a fix if you send us a "developer friendly" bug report that lets -us fix it fast. 
</P -><P ->Do not assume that if you post the bug to the comp.protocols.smb -newsgroup or the mailing list that we will read it. If you suspect that your -problem is not a bug but a configuration problem then it is better to send -it to the Samba mailing list, as there are (at last count) 5000 other users on -that list that may be able to help you.</P -><P ->You may also like to look though the recent mailing list archives, -which are conveniently accessible on the Samba web pages -at <A -HREF="http://samba.org/samba/" -TARGET="_top" ->http://samba.org/samba/</A ->.</P +>If you set the log level (also known as "debug level") higher than 2 +then you may suffer a large drop in performance. This is because the +server flushes the log file after each operation, which can be very +expensive. </P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4637" ->32.2. General info</A +NAME="AEN4692" +>32.6. Read raw</A ></H2 ><P ->Before submitting a bug report check your config for silly -errors. Look in your log files for obvious messages that tell you that -you've misconfigured something and run testparm to test your config -file for correct syntax.</P +>The "read raw" operation is designed to be an optimised, low-latency +file read operation. A server may choose to not support it, +however. and Samba makes support for "read raw" optional, with it +being enabled by default.</P ><P ->Have you run through the <A -HREF="#DIAGNOSIS" ->diagnosis</A ->? -This is very important.</P +>In some cases clients don't handle "read raw" very well and actually +get lower performance using it than they get using the conventional +read operations. </P ><P ->If you include part of a log file with your bug report then be sure to -annotate it with exactly what you were doing on the client at the -time, and exactly what the results were.</P +>So you might like to try "read raw = no" and see what happens on your +network. It might lower, raise or not affect your performance. 
Only +testing can really tell.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4643" ->32.3. Debug levels</A +NAME="AEN4697" +>32.7. Write raw</A ></H2 ><P ->If the bug has anything to do with Samba behaving incorrectly as a -server (like refusing to open a file) then the log files will probably -be very useful. Depending on the problem a log level of between 3 and -10 showing the problem may be appropriate. A higher level givesmore -detail, but may use too much disk space.</P -><P ->To set the debug level use <B -CLASS="COMMAND" ->log level =</B -> in your -<TT -CLASS="FILENAME" ->smb.conf</TT ->. You may also find it useful to set the log -level higher for just one machine and keep separate logs for each machine. -To do this use:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->log level = 10 -log file = /usr/local/samba/lib/log.%m -include = /usr/local/samba/lib/smb.conf.%m</PRE -></P -><P ->then create a file -<TT -CLASS="FILENAME" ->/usr/local/samba/lib/smb.conf.<VAR -CLASS="REPLACEABLE" ->machine</VAR -></TT -> where -<VAR -CLASS="REPLACEABLE" ->machine</VAR -> is the name of the client you wish to debug. In that file -put any <TT -CLASS="FILENAME" ->smb.conf</TT -> commands you want, for example -<B -CLASS="COMMAND" ->log level=</B -> may be useful. This also allows you to -experiment with different security systems, protocol levels etc on just -one machine.</P -><P ->The <TT -CLASS="FILENAME" ->smb.conf</TT -> entry <B -CLASS="COMMAND" ->log level =</B -> -is synonymous with the entry <B -CLASS="COMMAND" ->debuglevel =</B -> that has been -used in older versions of Samba and is being retained for backwards -compatibility of <TT -CLASS="FILENAME" ->smb.conf</TT -> files.</P +>The "write raw" operation is designed to be an optimised, low-latency +file write operation. A server may choose to not support it, +however. 
and Samba makes support for "write raw" optional, with it +being enabled by default.</P ><P ->As the <B -CLASS="COMMAND" ->log level =</B -> value is increased you will record -a significantly increasing level of debugging information. For most -debugging operations you may not need a setting higher than 3. Nearly -all bugs can be tracked at a setting of 10, but be prepared for a VERY -large volume of log data.</P +>Some machines may find "write raw" slower than normal write, in which +case you may wish to change this option.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4664" ->32.4. Internal errors</A +NAME="AEN4701" +>32.8. Slow Clients</A ></H2 ><P ->If you get a "INTERNAL ERROR" message in your log files it means that -Samba got an unexpected signal while running. It is probably a -segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software).</P -><P ->If the message came from smbd then it will probably be accompanied by -a message which details the last SMB message received by smbd. This -info is often very useful in tracking down the problem so please -include it in your bug report.</P -><P ->You should also detail how to reproduce the problem, if -possible. Please make this reasonably detailed.</P -><P ->You may also find that a core file appeared in a <TT -CLASS="FILENAME" ->corefiles</TT -> -subdirectory of the directory where you keep your samba log -files. This file is the most useful tool for tracking down the bug. To -use it you do this:</P -><P -><B -CLASS="COMMAND" ->gdb smbd core</B -></P -><P ->adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try <KBD -CLASS="USERINPUT" ->dbx</KBD ->. Then within the debugger use the -command <KBD -CLASS="USERINPUT" ->where</KBD -> to give a stack trace of where the problem -occurred. 
Include this in your mail.</P +>One person has reported that setting the protocol to COREPLUS rather +than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P ><P ->If you known any assembly language then do a <KBD -CLASS="USERINPUT" ->disass</KBD -> of the routine -where the problem occurred (if its in a library routine then -disassemble the routine that called it) and try to work out exactly -where the problem is by looking at the surrounding code. Even if you -don't know assembly then incuding this info in the bug report can be -useful. </P +>I suspect that his PC's (386sx16 based) were asking for more data than +they could chew. I suspect a similar speed could be had by setting +"read raw = no" and "max xmit = 2048", instead of changing the +protocol. Lowering the "read size" might also help.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4678" ->32.5. Attaching to a running process</A +NAME="AEN4705" +>32.9. Slow Logins</A ></H2 ><P ->Unfortunately some unixes (in particular some recent linux kernels) -refuse to dump a core file if the task has changed uid (which smbd -does often). To debug with this sort of system you could try to attach -to the running process using <KBD -CLASS="USERINPUT" ->gdb smbd <VAR -CLASS="REPLACEABLE" ->PID</VAR -></KBD -> where you get <VAR -CLASS="REPLACEABLE" ->PID</VAR -> from -<SPAN -CLASS="APPLICATION" ->smbstatus</SPAN ->. Then use <KBD -CLASS="USERINPUT" ->c</KBD -> to continue and try to cause the core dump -using the client. The debugger should catch the fault and tell you -where it occurred.</P +>Slow logins are almost always due to the password checking time. Using +the lowest practical "password level" will improve things a lot. You +could also enable the "UFC crypt" option in the Makefile.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4686" ->32.6. Patches</A +NAME="AEN4708" +>32.10. 
Client tuning</A ></H2 ><P ->The best sort of bug report is one that includes a fix! If you send us -patches please use <KBD -CLASS="USERINPUT" ->diff -u</KBD -> format if your version of -diff supports it, otherwise use <KBD -CLASS="USERINPUT" ->diff -c4</KBD ->. Make sure -your do the diff against a clean version of the source and let me know -exactly what version you used. </P +>Often a speed problem can be traced to the client. The client (for +example Windows for Workgroups) can often be tuned for better TCP +performance.</P +><P +>See your client docs for details. In particular, I have heard rumours +that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a +large impact on performance.</P +><P +>Also note that some people have found that setting DefaultRcvWindow in +the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a +big improvement. I don't know why.</P +><P +>My own experience wth DefaultRcvWindow is that I get much better +performance with a large value (16384 or larger). Other people have +reported that anything over 3072 slows things down enourmously. One +person even reported a speed drop of a factor of 30 when he went from +3072 to 8192. I don't know why.</P +><P +>It probably depends a lot on your hardware, and the type of unix box +you have at the other end of the link.</P +><P +>Paul Cochrane has done some testing on client side tuning and come +to the following conclusions:</P +><P +>Install the W2setup.exe file from www.microsoft.com. This is an +update for the winsock stack and utilities which improve performance.</P +><P +>Configure the win95 TCPIP registry settings to give better +perfomance. I use a program called MTUSPEED.exe which I got off the +net. There are various other utilities of this type freely available. 
+The setting which give the best performance for me are:</P +><P +></P +><OL +TYPE="1" +><LI +><P +>MaxMTU Remove</P +></LI +><LI +><P +>RWIN Remove</P +></LI +><LI +><P +>MTUAutoDiscover Disable</P +></LI +><LI +><P +>MTUBlackHoleDetect Disable</P +></LI +><LI +><P +>Time To Live Enabled</P +></LI +><LI +><P +>Time To Live - HOPS 32</P +></LI +><LI +><P +>NDI Cache Size 0</P +></LI +></OL +><P +>I tried virtually all of the items mentioned in the document and +the only one which made a difference to me was the socket options. It +turned out I was better off without any!!!!!</P +><P +>In terms of overall speed of transfer, between various win95 clients +and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE +drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>The figures are: Put Get +P166 client 3Com card: 420-440kB/s 500-520kB/s +P100 client 3Com card: 390-410kB/s 490-510kB/s +DX4-75 client NE2000: 370-380kB/s 330-350kB/s</PRE +></P +><P +>I based these test on transfer two files a 4.5MB text file and a 15MB +textfile. The results arn't bad considering the hardware Samba is +running on. It's a crap machine!!!!</P +><P +>The updates mentioned in 1 and 2 brought up the transfer rates from +just over 100kB/s in some clients.</P +><P +>A new client is a P333 connected via a 100MB/s card and hub. The +transfer rates from this were good: 450-500kB/s on put and 600+kB/s +on get.</P +><P +>Looking at standard FTP throughput, Samba is a bit slower (100kB/s +upwards). I suppose there is more going on in the samba protocol, but +if it could get up to the rate of FTP the perfomance would be quite +staggering.</P ></DIV ></DIV ><DIV @@ -22324,7 +20748,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN4709" +NAME="AEN4760" >33.1. Introduction</A ></H2 ><P @@ -22346,7 +20770,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4714" +NAME="AEN4765" >33.2. Assumptions</A ></H2 ><P 
@@ -22432,7 +20856,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4733" +NAME="AEN4784" >33.3. The tests</A ></H2 ><DIV 
@@ -23049,24 +21473,674 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4900" +NAME="AEN4951" >33.4. Still having troubles?</A ></H2 ><P ->Try the mailing list or newsgroup, or use the ethereal utility to -sniff the problem. The official samba mailing list can be reached at +>Read the chapter on +<A +HREF="#PROBLEMS" +>Analysing and Solving Problems</A +>.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="PROBLEMS" +></A +>Chapter 34. Analysing and solving samba problems</H1 +><P +>There are many sources of information available in the form +of mailing lists, RFC's and documentation. The docs that come +with the samba distribution contain very good explanations of +general SMB topics such as browsing.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4983" +>34.1. Diagnostics tools</A +></H2 +><P +>One of the best diagnostic tools for debugging problems is Samba itself. +You can use the -d option for both smbd and nmbd to specify what +'debug level' at which to run. See the man pages on smbd, nmbd and +smb.conf for more information on debugging options. The debug +level can range from 1 (the default) to 10 (100 for debugging passwords).</P +><P +>Another helpful method of debugging is to compile samba using the +<B +CLASS="COMMAND" +>gcc -g </B +> flag. This will include debug +information in the binaries and allow you to attach gdb to the +running smbd / nmbd process. In order to attach gdb to an smbd +process for an NT workstation, first get the workstation to make the +connection. Pressing ctrl-alt-delete and going down to the domain box +is sufficient (at least, on the first time you join the domain) to +generate a 'LsaEnumTrustedDomains'. 
Thereafter, the workstation +maintains an open connection, and therefore there will be an smbd +process running (assuming that you haven't set a really short smbd +idle timeout) So, in between pressing ctrl alt delete, and actually +typing in your password, you can gdb attach and continue.</P +><P +>Some useful samba commands worth investigating:</P +><P +></P +><UL +><LI +><P +>testparam | more</P +></LI +><LI +><P +>smbclient -L //{netbios name of server}</P +></LI +></UL +><P +>An SMB enabled version of tcpdump is available from <A +HREF="http://www.tcpdump.org/" +TARGET="_top" +>http://www.tcpdup.org/</A +>. +Ethereal, another good packet sniffer for Unix and Win32 +hosts, can be downloaded from <A +HREF="http://www.ethereal.com/" +TARGET="_top" +>http://www.ethereal.com</A +>.</P +><P +>For tracing things on the Microsoft Windows NT, Network Monitor +(aka. netmon) is available on the Microsoft Developer Network CD's, +the Windows NT Server install CD and the SMS CD's. The version of +netmon that ships with SMS allows for dumping packets between any two +computers (i.e. placing the network interface in promiscuous mode). +The version on the NT Server install CD will only allow monitoring +of network traffic directed to the local NT box and broadcasts on the +local subnet. Be aware that Ethereal can read and write netmon +formatted files.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4998" +>34.2. Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</A +></H2 +><P +>Installing netmon on an NT workstation requires a couple +of steps. The following are for installing Netmon V4.00.349, which comes +with Microsoft Windows NT Server 4.0, on Microsoft Windows NT +Workstation 4.0. The process should be similar for other version of +Windows NT / Netmon. 
You will need both the Microsoft Windows +NT Server 4.0 Install CD and the Workstation 4.0 Install CD.</P +><P +>Initially you will need to install 'Network Monitor Tools and Agent' +on the NT Server. To do this </P +><P +></P +><UL +><LI +><P +>Goto Start - Settings - Control Panel - + Network - Services - Add </P +></LI +><LI +><P +>Select the 'Network Monitor Tools and Agent' and + click on 'OK'.</P +></LI +><LI +><P +>Click 'OK' on the Network Control Panel. + </P +></LI +><LI +><P +>Insert the Windows NT Server 4.0 install CD + when prompted.</P +></LI +></UL +><P +>At this point the Netmon files should exist in +<TT +CLASS="FILENAME" +>%SYSTEMROOT%\System32\netmon\*.*</TT +>. +Two subdirectories exist as well, <TT +CLASS="FILENAME" +>parsers\</TT +> +which contains the necessary DLL's for parsing the netmon packet +dump, and <TT +CLASS="FILENAME" +>captures\</TT +>.</P +><P +>In order to install the Netmon tools on an NT Workstation, you will +first need to install the 'Network Monitor Agent' from the Workstation +install CD.</P +><P +></P +><UL +><LI +><P +>Goto Start - Settings - Control Panel - + Network - Services - Add</P +></LI +><LI +><P +>Select the 'Network Monitor Agent' and click + on 'OK'.</P +></LI +><LI +><P +>Click 'OK' on the Network Control Panel. + </P +></LI +><LI +><P +>Insert the Windows NT Workstation 4.0 install + CD when prompted.</P +></LI +></UL +><P +>Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* +to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set +permissions as you deem appropriate for your site. You will need +administrative rights on the NT box to run netmon.</P +><P +>To install Netmon on a Windows 9x box install the network monitor agent +from the Windows 9x CD (\admin\nettools\netmon). There is a readme +file located with the netmon driver files on the CD if you need +information on how to do this. 
Copy the files from a working +Netmon installation.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5027" +>34.3. Useful URL's</A +></H2 +><P +></P +><UL +><LI +><P +>Home of Samba site <A +HREF="http://samba.org" +TARGET="_top" +> http://samba.org</A +>. We have a mirror near you !</P +></LI +><LI +><P +> The <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Development</I +></SPAN +> document +on the Samba mirrors might mention your problem. If so, +it might mean that the developers are working on it.</P +></LI +><LI +><P +>See how Scott Merrill simulates a BDC behavior at + <A +HREF="http://www.skippy.net/linux/smb-howto.html" +TARGET="_top" +> http://www.skippy.net/linux/smb-howto.html</A +>. </P +></LI +><LI +><P +>Although 2.0.7 has almost had its day as a PDC, David Bannon will + keep the 2.0.7 PDC pages at <A +HREF="http://bioserve.latrobe.edu.au/samba" +TARGET="_top" +> http://bioserve.latrobe.edu.au/samba</A +> going for a while yet.</P +></LI +><LI +><P +>Misc links to CIFS information + <A +HREF="http://samba.org/cifs/" +TARGET="_top" +>http://samba.org/cifs/</A +></P +></LI +><LI +><P +>NT Domains for Unix <A +HREF="http://mailhost.cb1.com/~lkcl/ntdom/" +TARGET="_top" +> http://mailhost.cb1.com/~lkcl/ntdom/</A +></P +></LI +><LI +><P +>FTP site for older SMB specs: + <A +HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" +TARGET="_top" +> ftp://ftp.microsoft.com/developr/drg/CIFS/</A +></P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5051" +>34.4. Getting help from the mailing lists</A +></H2 +><P +>There are a number of Samba related mailing lists. 
Go to <A +HREF="http://samba.org" +TARGET="_top" +>http://samba.org</A +>, click on your nearest mirror +and then click on <B +CLASS="COMMAND" +>Support</B +> and then click on <B +CLASS="COMMAND" +>Samba related mailing lists</B +>.</P +><P +>For questions relating to Samba TNG go to +<A +HREF="http://www.samba-tng.org/" +TARGET="_top" +>http://www.samba-tng.org/</A +> +It has been requested that you don't post questions about Samba-TNG to the +main stream Samba lists.</P +><P +>If you post a message to one of the lists please observe the following guide lines :</P +><P +></P +><UL +><LI +><P +> Always remember that the developers are volunteers, they are +not paid and they never guarantee to produce a particular feature at +a particular time. Any time lines are 'best guess' and nothing more.</P +></LI +><LI +><P +> Always mention what version of samba you are using and what +operating system its running under. You should probably list the +relevant sections of your <TT +CLASS="FILENAME" +>smb.conf</TT +> file, at least the options +in [global] that affect PDC support.</P +></LI +><LI +><P +>In addition to the version, if you obtained Samba via +CVS mention the date when you last checked it out.</P +></LI +><LI +><P +> Try and make your question clear and brief, lots of long, +convoluted questions get deleted before they are completely read ! +Don't post html encoded messages (if you can select colour or font +size its html).</P +></LI +><LI +><P +> If you run one of those nifty 'I'm on holidays' things when +you are away, make sure its configured to not answer mailing lists.</P +></LI +><LI +><P +> Don't cross post. Work out which is the best list to post to +and see what happens, i.e. don't post to both samba-ntdom and samba-technical. +Many people active on the lists subscribe to more +than one list and get annoyed to see the same message two or more times. 
+Often someone will see a message and thinking it would be better dealt +with on another, will forward it on for you.</P +></LI +><LI +><P +>You might include <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>partial</I +></SPAN +> +log files written at a debug level set to as much as 20. +Please don't send the entire log but enough to give the context of the +error messages.</P +></LI +><LI +><P +>(Possibly) If you have a complete netmon trace ( from the opening of +the pipe to the error ) you can send the *.CAP file as well.</P +></LI +><LI +><P +>Please think carefully before attaching a document to an email. +Consider pasting the relevant parts into the body of the message. The samba +mailing lists go to a huge number of people, do they all need a copy of your +smb.conf in their attach directory?</P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5081" +>34.5. How to get off the mailinglists</A +></H2 +><P +>To have your name removed from a samba mailing list, go to the +same place you went to to get on it. Go to <A +HREF="http://lists.samba.org/" +TARGET="_top" +>http://lists.samba.org</A +>, +click on your nearest mirror and then click on <B +CLASS="COMMAND" +>Support</B +> and +then click on <B +CLASS="COMMAND" +> Samba related mailing lists</B +>. Or perhaps see +<A +HREF="http://lists.samba.org/mailman/roster/samba-ntdom" +TARGET="_top" +>here</A +></P +><P +>Please don't post messages to the list asking to be removed, you will just +be referred to the above address (unless that process failed in some way...)</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="BUGREPORT" +></A +>Chapter 35. Reporting Bugs</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN5104" +>35.1. Introduction</A +></H2 +><P +>The email address for bug reports for stable releases is <A HREF="mailto:samba@samba.org" TARGET="_top" >samba@samba.org</A ->. 
To find -out more about samba and how to subscribe to the mailing list check -out the samba web page at -<A -HREF="http://samba.org/samba" +>. +Bug reports for alpha releases should go to <A +HREF="mailto:samba-technical@samba.org" +TARGET="_top" +>samba-technical@samba.org</A +>.</P +><P +>Please take the time to read this file before you submit a bug +report. Also, please see if it has changed between releases, as we +may be changing the bug reporting mechanism at some time.</P +><P +>Please also do as much as you can yourself to help track down the +bug. Samba is maintained by a dedicated group of people who volunteer +their time, skills and efforts. We receive far more mail about it than +we can possibly answer, so you have a much higher chance of an answer +and a fix if you send us a "developer friendly" bug report that lets +us fix it fast. </P +><P +>Do not assume that if you post the bug to the comp.protocols.smb +newsgroup or the mailing list that we will read it. If you suspect that your +problem is not a bug but a configuration problem then it is better to send +it to the Samba mailing list, as there are (at last count) 5000 other users on +that list that may be able to help you.</P +><P +>You may also like to look though the recent mailing list archives, +which are conveniently accessible on the Samba web pages +at <A +HREF="http://samba.org/samba/" TARGET="_top" >http://samba.org/samba/</A +>.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5114" +>35.2. General info</A +></H2 +><P +>Before submitting a bug report check your config for silly +errors. Look in your log files for obvious messages that tell you that +you've misconfigured something and run testparm to test your config +file for correct syntax.</P +><P +>Have you run through the <A +HREF="#DIAGNOSIS" +>diagnosis</A +>? 
+This is very important.</P +><P +>If you include part of a log file with your bug report then be sure to +annotate it with exactly what you were doing on the client at the +time, and exactly what the results were.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5120" +>35.3. Debug levels</A +></H2 +><P +>If the bug has anything to do with Samba behaving incorrectly as a +server (like refusing to open a file) then the log files will probably +be very useful. Depending on the problem a log level of between 3 and +10 showing the problem may be appropriate. A higher level givesmore +detail, but may use too much disk space.</P +><P +>To set the debug level use <B +CLASS="COMMAND" +>log level =</B +> in your +<TT +CLASS="FILENAME" +>smb.conf</TT +>. You may also find it useful to set the log +level higher for just one machine and keep separate logs for each machine. +To do this use:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>log level = 10 +log file = /usr/local/samba/lib/log.%m +include = /usr/local/samba/lib/smb.conf.%m</PRE ></P +><P +>then create a file +<TT +CLASS="FILENAME" +>/usr/local/samba/lib/smb.conf.<VAR +CLASS="REPLACEABLE" +>machine</VAR +></TT +> where +<VAR +CLASS="REPLACEABLE" +>machine</VAR +> is the name of the client you wish to debug. In that file +put any <TT +CLASS="FILENAME" +>smb.conf</TT +> commands you want, for example +<B +CLASS="COMMAND" +>log level=</B +> may be useful. 
This also allows you to +experiment with different security systems, protocol levels etc on just +one machine.</P +><P +>The <TT +CLASS="FILENAME" +>smb.conf</TT +> entry <B +CLASS="COMMAND" +>log level =</B +> +is synonymous with the entry <B +CLASS="COMMAND" +>debuglevel =</B +> that has been +used in older versions of Samba and is being retained for backwards +compatibility of <TT +CLASS="FILENAME" +>smb.conf</TT +> files.</P +><P +>As the <B +CLASS="COMMAND" +>log level =</B +> value is increased you will record +a significantly increasing level of debugging information. For most +debugging operations you may not need a setting higher than 3. Nearly +all bugs can be tracked at a setting of 10, but be prepared for a VERY +large volume of log data.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5141" +>35.4. Internal errors</A +></H2 +><P +>If you get a "INTERNAL ERROR" message in your log files it means that +Samba got an unexpected signal while running. It is probably a +segmentation fault and almost certainly means a bug in Samba (unless +you have faulty hardware or system software).</P +><P +>If the message came from smbd then it will probably be accompanied by +a message which details the last SMB message received by smbd. This +info is often very useful in tracking down the problem so please +include it in your bug report.</P +><P +>You should also detail how to reproduce the problem, if +possible. Please make this reasonably detailed.</P +><P +>You may also find that a core file appeared in a <TT +CLASS="FILENAME" +>corefiles</TT +> +subdirectory of the directory where you keep your samba log +files. This file is the most useful tool for tracking down the bug. To +use it you do this:</P +><P +><B +CLASS="COMMAND" +>gdb smbd core</B +></P +><P +>adding appropriate paths to smbd and core so gdb can find them. If you +don't have gdb then try <KBD +CLASS="USERINPUT" +>dbx</KBD +>. 
Then within the debugger use the +command <KBD +CLASS="USERINPUT" +>where</KBD +> to give a stack trace of where the problem +occurred. Include this in your mail.</P +><P +>If you known any assembly language then do a <KBD +CLASS="USERINPUT" +>disass</KBD +> of the routine +where the problem occurred (if its in a library routine then +disassemble the routine that called it) and try to work out exactly +where the problem is by looking at the surrounding code. Even if you +don't know assembly then incuding this info in the bug report can be +useful. </P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5155" +>35.5. Attaching to a running process</A +></H2 +><P +>Unfortunately some unixes (in particular some recent linux kernels) +refuse to dump a core file if the task has changed uid (which smbd +does often). To debug with this sort of system you could try to attach +to the running process using <KBD +CLASS="USERINPUT" +>gdb smbd <VAR +CLASS="REPLACEABLE" +>PID</VAR +></KBD +> where you get <VAR +CLASS="REPLACEABLE" +>PID</VAR +> from +<SPAN +CLASS="APPLICATION" +>smbstatus</SPAN +>. Then use <KBD +CLASS="USERINPUT" +>c</KBD +> to continue and try to cause the core dump +using the client. The debugger should catch the fault and tell you +where it occurred.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN5163" +>35.6. Patches</A +></H2 +><P +>The best sort of bug report is one that includes a fix! If you send us +patches please use <KBD +CLASS="USERINPUT" +>diff -u</KBD +> format if your version of +diff supports it, otherwise use <KBD +CLASS="USERINPUT" +>diff -c4</KBD +>. Make sure +your do the diff against a clean version of the source and let me know +exactly what version you used. </P ></DIV ></DIV ></DIV |
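Review bot: in the added section 32.10 (Client tuning), the sentence "The updates mentioned in 1 and 2 brought up the transfer rates" points at nothing. The two steps it means (installing W2setup.exe and changing the win95 TCPIP registry settings) are plain paragraphs, and the only numbered list in the section is the seven registry settings, so "1 and 2" reads as MaxMTU and RWIN. Either number the two steps or name them in the sentence. The same section moves from the maintainer's "I" ("My own experience wth DefaultRcvWindow") to Paul Cochrane's "I" ("I use a program called MTUSPEED.exe") with nothing marking where his conclusions begin and end; a blockquote or an explicit attribution would fix that. "100MB/s card" presumably means a 100Mbit/s card. In 32.6 and 32.7 the sentence is broken at "however. and Samba makes support for". Typos in the added lines of this hunk: "wth", "enourmously", "perfomance" (twice), "arn't", "The setting which give", "I based these test on transfer two files".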
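Review bot: the new section 34.4 asks users to post partial logs "written at a debug level set to as much as 20" and a complete netmon *.CAP file to lists that, in the section's own words, "go to a huge number of people", while 34.1 says level 100 exists "for debugging passwords". Nothing tells the reader to check those logs and captures for passwords, account names, host names or file contents before sending them. A sentence to that effect belongs in the 34.4 list and next to the log-excerpt advice in 35.2 and 35.3. The three statements of the debug level range also disagree (1 to 10 with 100 for passwords in 34.1, up to 20 in 34.4, 3 to 10 in 35.3) and should be reconciled. In 34.1 the command list has "testparam | more", but the tool is testparm, as 35.2 in this same hunk spells it, and the tcpdump link text reads "http://www.tcpdup.org/" while its HREF is http://www.tcpdump.org/. In 34.5 the link text for the list site matches 34.4's procedure but the HREF is lists.samba.org, and the "here" link goes only to the samba-ntdom roster. The Reporting Bugs chapter is re-added as chapter 35 with its old typos intact ("givesmore", "If you known any assembly", "incuding", "look though", "Make sure your do the diff"), and 35.6 says "let me know" where the rest of the chapter says "us"; the move is a good moment to fix them.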