Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 8112 |
1 files changed, 5299 insertions, 2813 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 73bc3eb60a..9b79518cec 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -32,20 +32,41 @@ CLASS="AUTHOR" NAME="AEN4" ></A >SAMBA Team</H3 -><HR></DIV -><HR><H1 +><DIV +CLASS="AFFILIATION" +><DIV +CLASS="ADDRESS" +><P +CLASS="ADDRESS" +><CODE +CLASS="EMAIL" +><<A +HREF="mailto:samba@samba.org" +>samba@samba.org</A +>></CODE +></P +></DIV +></DIV +><H4 +CLASS="EDITEDBY" +>Edited by</H4 +><H3 +CLASS="EDITOR" +>John H Terpstra</H3 +><H3 +CLASS="EDITOR" +>Jelmer Vernooij</H3 +><H3 +CLASS="EDITOR" +>Gerald (Jerry) Carter</H3 +><DIV +><DIV +CLASS="ABSTRACT" +><P +></P ><A -NAME="AEN8" +NAME="AEN32" ></A ->Abstract</H1 -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Last Update</I -></SPAN -> : Wed Jan 15</P ><P >This book is a collection of HOWTOs added to Samba documentation over the years. I try to ensure that all are current, but sometimes the is a larger job @@ -66,6 +87,17 @@ TARGET="_top" >jelmer@samba.org</A >.</P ><P +></P +></DIV +></DIV +><DIV +CLASS="LEGALNOTICE" +><P +></P +><A +NAME="AEN37" +></A +><P >This documentation is distributed under the GNU General Public License (GPL) version 2. A copy of the license is included with the Samba source distribution. A copy can be found on-line at <A @@ -74,7 +106,9 @@ TARGET="_top" >http://www.fsf.org/licenses/gpl.txt</A ></P ><P ->Cheers, jerry</P +></P +></DIV +><HR></DIV ><DIV CLASS="TOC" ><DL 
@@ -98,34 +132,34 @@ HREF="#INSTALL" ><DL ><DT >1.1. <A -HREF="#AEN26" +HREF="#AEN65" >Obtaining and installing samba</A ></DT ><DT >1.2. <A -HREF="#AEN31" +HREF="#AEN70" >Configuring samba</A ></DT ><DT >1.3. <A -HREF="#AEN64" +HREF="#AEN103" >Try listing the shares available on your server</A ></DT ><DT >1.4. <A -HREF="#AEN73" +HREF="#AEN112" >Try connecting with the unix client</A ></DT ><DT >1.5. <A -HREF="#AEN89" +HREF="#AEN128" >Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></DT ><DT >1.6. <A -HREF="#AEN103" +HREF="#AEN142" >What If Things Don't Work?</A ></DT ></DL @@ -139,38 +173,44 @@ HREF="#BROWSING-QUICK" ><DL ><DT >2.1. <A -HREF="#AEN130" +HREF="#AEN174" >Discussion</A ></DT ><DT >2.2. <A -HREF="#AEN139" +HREF="#AEN193" >How browsing functions and how to deploy stable and dependable browsing using Samba</A ></DT ><DT >2.3. <A -HREF="#AEN149" ->Use of the "Remote Announce" parameter</A +HREF="#AEN207" +>Use of the <B +CLASS="COMMAND" +>Remote Announce</B +> parameter</A ></DT ><DT >2.4. <A -HREF="#AEN163" ->Use of the "Remote Browse Sync" parameter</A +HREF="#AEN230" +>Use of the <B +CLASS="COMMAND" +>Remote Browse Sync</B +> parameter</A ></DT ><DT >2.5. <A -HREF="#AEN168" +HREF="#AEN241" >Use of WINS</A ></DT ><DT >2.6. <A -HREF="#AEN179" +HREF="#AEN255" >Do NOT use more than one (1) protocol on MS Windows machines</A ></DT ><DT >2.7. <A -HREF="#AEN187" +HREF="#AEN263" >Name Resolution Order</A ></DT ></DL 
@@ -184,42 +224,42 @@ HREF="#PASSDB" ><DL ><DT >3.1. <A -HREF="#AEN244" +HREF="#AEN321" >Introduction</A ></DT ><DT >3.2. <A -HREF="#AEN251" +HREF="#AEN328" >Important Notes About Security</A ></DT ><DT >3.3. <A -HREF="#AEN289" +HREF="#AEN366" >The smbpasswd Command</A ></DT ><DT >3.4. <A -HREF="#AEN320" +HREF="#AEN397" >Plain text</A ></DT ><DT >3.5. <A -HREF="#AEN325" +HREF="#AEN402" >TDB</A ></DT ><DT >3.6. <A -HREF="#AEN328" +HREF="#AEN405" >LDAP</A ></DT ><DT >3.7. <A -HREF="#AEN546" +HREF="#AEN623" >MySQL</A ></DT ><DT >3.8. <A -HREF="#AEN588" +HREF="#AEN665" >XML</A ></DT ></DL @@ -242,17 +282,17 @@ HREF="#SERVERTYPE" ><DL ><DT >4.1. <A -HREF="#AEN626" +HREF="#AEN703" >Stand Alone Server</A ></DT ><DT >4.2. <A -HREF="#AEN633" +HREF="#AEN710" >Domain Member Server</A ></DT ><DT >4.3. <A -HREF="#AEN639" +HREF="#AEN716" >Domain Controller</A ></DT ></DL @@ -266,7 +306,7 @@ HREF="#SECURITYLEVELS" ><DL ><DT >5.1. <A -HREF="#AEN668" +HREF="#AEN752" >User and Share security level</A ></DT ></DL @@ -280,37 +320,37 @@ HREF="#SAMBA-PDC" ><DL ><DT >6.1. <A -HREF="#AEN772" +HREF="#AEN859" >Prerequisite Reading</A ></DT ><DT >6.2. <A -HREF="#AEN777" +HREF="#AEN864" >Background</A ></DT ><DT >6.3. <A -HREF="#AEN817" +HREF="#AEN904" >Configuring the Samba Domain Controller</A ></DT ><DT >6.4. <A -HREF="#AEN859" +HREF="#AEN946" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT ><DT >6.5. <A -HREF="#AEN967" +HREF="#AEN1054" >Common Problems and Errors</A ></DT ><DT >6.6. <A -HREF="#AEN1013" +HREF="#AEN1100" >What other help can I get?</A ></DT ><DT >6.7. <A -HREF="#AEN1127" +HREF="#AEN1214" >Domain Control for Windows 9x/ME</A ></DT ></DL 
@@ -324,27 +364,27 @@ HREF="#SAMBA-BDC" ><DL ><DT >7.1. <A -HREF="#AEN1180" +HREF="#AEN1267" >Prerequisite Reading</A ></DT ><DT >7.2. <A -HREF="#AEN1184" +HREF="#AEN1271" >Background</A ></DT ><DT >7.3. <A -HREF="#AEN1192" +HREF="#AEN1279" >What qualifies a Domain Controller on the network?</A ></DT ><DT >7.4. <A -HREF="#AEN1201" +HREF="#AEN1288" >Can Samba be a Backup Domain Controller to an NT PDC?</A ></DT ><DT >7.5. <A -HREF="#AEN1206" +HREF="#AEN1293" >How do I set up a Samba BDC?</A ></DT ></DL @@ -358,7 +398,7 @@ HREF="#ADS" ><DL ><DT >8.1. <A -HREF="#AEN1238" +HREF="#AEN1336" >Setup your <TT CLASS="FILENAME" >smb.conf</TT @@ -366,7 +406,7 @@ CLASS="FILENAME" ></DT ><DT >8.2. <A -HREF="#AEN1249" +HREF="#AEN1349" >Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT @@ -374,22 +414,22 @@ CLASS="FILENAME" ></DT ><DT >8.3. <A -HREF="#AEN1260" +HREF="#ADS-CREATE-MACHINE-ACCOUNT" >Create the computer account</A ></DT ><DT >8.4. <A -HREF="#AEN1272" +HREF="#ADS-TEST-SERVER" >Test your server setup</A ></DT ><DT >8.5. <A -HREF="#AEN1277" +HREF="#ADS-TEST-SMBCLIENT" >Testing with smbclient</A ></DT ><DT >8.6. <A -HREF="#AEN1280" +HREF="#AEN1390" >Notes</A ></DT ></DL @@ -403,12 +443,12 @@ HREF="#DOMAIN-SECURITY" ><DL ><DT >9.1. <A -HREF="#AEN1302" +HREF="#AEN1413" >Joining an NT Domain with Samba 3.0</A ></DT ><DT >9.2. <A -HREF="#AEN1356" +HREF="#AEN1467" >Why is this better than security = server?</A ></DT ></DL 
@@ -424,358 +464,416 @@ HREF="#OPTIONAL" ><DL ><DT >10. <A -HREF="#ADVANCEDNETWORKMANAGEMENT" ->Advanced Network Manangement Information</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1388" ->Remote Server Administration</A -></DT -></DL -></DD -><DT ->11. <A HREF="#UNIX-PERMISSIONS" >UNIX Permission Bits and Windows NT Access Control Lists</A ></DT ><DD ><DL ><DT ->11.1. <A -HREF="#AEN1416" +>10.1. <A +HREF="#AEN1499" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT ->11.2. <A -HREF="#AEN1420" +>10.2. <A +HREF="#AEN1505" >How to view file security on a Samba share</A ></DT ><DT ->11.3. <A -HREF="#AEN1431" +>10.3. <A +HREF="#AEN1516" >Viewing file ownership</A ></DT ><DT ->11.4. <A -HREF="#AEN1451" +>10.4. <A +HREF="#AEN1536" >Viewing file or directory permissions</A ></DT ><DT ->11.5. <A -HREF="#AEN1487" +>10.5. <A +HREF="#AEN1572" >Modifying file or directory permissions</A ></DT ><DT ->11.6. <A -HREF="#AEN1509" +>10.6. <A +HREF="#AEN1594" >Interaction with the standard Samba create mask parameters</A ></DT ><DT ->11.7. <A -HREF="#AEN1563" +>10.7. <A +HREF="#AEN1648" >Interaction with the standard Samba file attribute mapping</A ></DT ></DL ></DD ><DT ->12. <A +>11. <A HREF="#GROUPMAPPING" ->Group mapping HOWTO</A +>Configuring Group Mapping</A ></DT ><DT ->13. <A -HREF="#PAM" ->Configuring PAM for distributed but centrally -managed authentication</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1619" ->Samba and PAM</A -></DT -><DT ->13.2. <A -HREF="#AEN1668" ->Distributed Authentication</A -></DT -><DT ->13.3. <A -HREF="#AEN1673" ->PAM Configuration in smb.conf</A -></DT -></DL -></DD -><DT ->14. <A +>12. <A HREF="#PRINTING" >Printing Support</A ></DT ><DD ><DL ><DT ->14.1. <A -HREF="#AEN1699" +>12.1. <A +HREF="#AEN1711" >Introduction</A ></DT ><DT ->14.2. <A -HREF="#AEN1721" +>12.2. <A +HREF="#AEN1733" >Configuration</A ></DT ><DT ->14.3. <A -HREF="#AEN1829" +>12.3. 
<A +HREF="#AEN1845" >The Imprints Toolset</A ></DT ><DT ->14.4. <A -HREF="#AEN1872" +>12.4. <A +HREF="#AEN1888" >Diagnosis</A ></DT ></DL ></DD ><DT ->15. <A +>13. <A HREF="#CUPS-PRINTING" >CUPS Printing Support</A ></DT ><DD ><DL ><DT ->15.1. <A -HREF="#AEN1984" +>13.1. <A +HREF="#AEN2000" >Introduction</A ></DT ><DT ->15.2. <A -HREF="#AEN1989" ->CUPS - RAW Print Through Mode</A +>13.2. <A +HREF="#AEN2007" +>Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A ></DT ><DT ->15.3. <A -HREF="#AEN2044" ->The CUPS Filter Chains</A +>13.3. <A +HREF="#AEN2026" +>CUPS - RAW Print Through Mode</A ></DT ><DT ->15.4. <A +>13.4. <A HREF="#AEN2083" +>CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></DT +><DT +>13.5. <A +HREF="#AEN2104" +>Windows Terminal Servers (WTS) as CUPS clients</A +></DT +><DT +>13.6. <A +HREF="#AEN2108" +>Setting up CUPS for driver download</A +></DT +><DT +>13.7. <A +HREF="#AEN2120" +>Sources of CUPS drivers / PPDs</A +></DT +><DT +>13.8. <A +HREF="#AEN2176" +>The CUPS Filter Chains</A +></DT +><DT +>13.9. <A +HREF="#AEN2215" >CUPS Print Drivers and Devices</A ></DT ><DT ->15.5. <A -HREF="#AEN2160" +>13.10. <A +HREF="#AEN2292" >Limiting the number of pages users can print</A ></DT ><DT ->15.6. <A -HREF="#AEN2249" +>13.11. <A +HREF="#AEN2388" >Advanced Postscript Printing from MS Windows</A ></DT ><DT ->15.7. <A -HREF="#AEN2264" +>13.12. <A +HREF="#AEN2403" >Auto-Deletion of CUPS spool files</A ></DT ></DL ></DD ><DT ->16. <A +>14. <A HREF="#WINBIND" >Unified Logons between Windows NT and UNIX using Winbind</A ></DT ><DD ><DL ><DT ->16.1. <A -HREF="#AEN2326" +>14.1. <A +HREF="#AEN2469" >Abstract</A ></DT ><DT ->16.2. <A -HREF="#AEN2330" +>14.2. <A +HREF="#AEN2473" >Introduction</A ></DT ><DT ->16.3. <A -HREF="#AEN2343" +>14.3. <A +HREF="#AEN2486" >What Winbind Provides</A ></DT ><DT ->16.4. <A -HREF="#AEN2354" +>14.4. 
<A +HREF="#AEN2497" >How Winbind Works</A ></DT ><DT ->16.5. <A -HREF="#AEN2397" +>14.5. <A +HREF="#AEN2540" >Installation and Configuration</A ></DT ><DT ->16.6. <A -HREF="#AEN2654" +>14.6. <A +HREF="#AEN2797" >Limitations</A ></DT ><DT ->16.7. <A -HREF="#AEN2664" +>14.7. <A +HREF="#AEN2807" >Conclusion</A ></DT ></DL ></DD ><DT ->17. <A -HREF="#POLICYMGMT" ->Policy Management - Hows and Whys</A +>15. <A +HREF="#ADVANCEDNETWORKMANAGEMENT" +>Advanced Network Manangement</A ></DT ><DD ><DL ><DT ->17.1. <A -HREF="#AEN2678" ->System Policies</A +>15.1. <A +HREF="#AEN2822" +>Configuring Samba Share Access Controls</A ></DT -></DL -></DD ><DT ->18. <A -HREF="#PROFILEMGMT" ->Profile Management</A +>15.2. <A +HREF="#AEN2860" +>Remote Server Administration</A ></DT -><DD -><DL ><DT ->18.1. <A -HREF="#AEN2761" ->Roaming Profiles</A +>15.3. <A +HREF="#AEN2877" +>Network Logon Script Magic</A ></DT ></DL ></DD ><DT ->19. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A +>16. <A +HREF="#POLICYMGMT" +>System and Account Policies</A ></DT ><DD ><DL ><DT ->19.1. <A -HREF="#AEN2975" ->Name Resolution in a pure Unix/Linux world</A +>16.1. <A +HREF="#AEN2892" +>Creating and Managing System Policies</A ></DT ><DT ->19.2. <A -HREF="#AEN3038" ->Name resolution as used within MS Windows networking</A +>16.2. <A +HREF="#AEN2965" +>Managing Account/User Policies</A ></DT ></DL ></DD ><DT ->20. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A +>17. <A +HREF="#PROFILEMGMT" +>Desktop Profile Management</A ></DT ><DD ><DL ><DT ->20.1. <A -HREF="#AEN3090" ->Overview of browsing</A +>17.1. <A +HREF="#AEN2998" +>Roaming Profiles</A ></DT ><DT ->20.2. <A -HREF="#AEN3095" ->Browsing support in samba</A +>17.2. <A +HREF="#AEN3196" +>Mandatory profiles</A ></DT ><DT ->20.3. <A -HREF="#AEN3103" ->Problem resolution</A +>17.3. <A +HREF="#AEN3203" +>Creating/Managing Group Profiles</A ></DT ><DT ->20.4. 
<A -HREF="#AEN3112" ->Browsing across subnets</A +>17.4. <A +HREF="#AEN3209" +>Default Profile for Windows Users</A ></DT +></DL +></DD ><DT ->20.5. <A -HREF="#AEN3152" ->Setting up a WINS server</A +>18. <A +HREF="#PAM" +>PAM Configuration for Centrally Managed Authentication</A ></DT +><DD +><DL ><DT ->20.6. <A -HREF="#AEN3171" ->Setting up Browsing in a WORKGROUP</A +>18.1. <A +HREF="#AEN3332" +>Samba and PAM</A ></DT ><DT ->20.7. <A -HREF="#AEN3189" ->Setting up Browsing in a DOMAIN</A +>18.2. <A +HREF="#AEN3383" +>Distributed Authentication</A ></DT ><DT ->20.8. <A -HREF="#AEN3199" ->Forcing samba to be the master</A +>18.3. <A +HREF="#AEN3388" +>PAM Configuration in smb.conf</A ></DT +></DL +></DD ><DT ->20.9. <A -HREF="#AEN3208" ->Making samba the domain master</A +>19. <A +HREF="#VFS" +>Stackable VFS modules</A ></DT +><DD +><DL ><DT ->20.10. <A -HREF="#AEN3226" ->Note about broadcast addresses</A +>19.1. <A +HREF="#AEN3423" +>Introduction and configuration</A ></DT ><DT ->20.11. <A -HREF="#AEN3229" ->Multiple interfaces</A +>19.2. <A +HREF="#AEN3432" +>Included modules</A +></DT +><DT +>19.3. <A +HREF="#AEN3490" +>VFS modules available elsewhere</A ></DT ></DL ></DD ><DT ->21. <A +>20. <A HREF="#MSDFS" >Hosting a Microsoft Distributed File System tree on Samba</A ></DT ><DD ><DL ><DT ->21.1. <A -HREF="#AEN3243" +>20.1. <A +HREF="#AEN3518" >Instructions</A ></DT ></DL ></DD ><DT +>21. <A +HREF="#INTEGRATE-MS-NETWORKS" +>Integrating MS Windows networks with Samba</A +></DT +><DD +><DL +><DT +>21.1. <A +HREF="#AEN3580" +>Name Resolution in a pure Unix/Linux world</A +></DT +><DT +>21.2. <A +HREF="#AEN3643" +>Name resolution as used within MS Windows networking</A +></DT +></DL +></DD +><DT >22. <A -HREF="#VFS" ->Stackable VFS modules</A +HREF="#IMPROVED-BROWSING" +>Improved browsing in samba</A ></DT ><DD ><DL ><DT >22.1. <A -HREF="#AEN3302" ->Introduction and configuration</A +HREF="#AEN3695" +>Overview of browsing</A ></DT ><DT >22.2. 
<A -HREF="#AEN3311" ->Included modules</A +HREF="#AEN3701" +>Browsing support in samba</A ></DT ><DT >22.3. <A -HREF="#AEN3365" ->VFS modules available elsewhere</A +HREF="#AEN3714" +>Problem resolution</A +></DT +><DT +>22.4. <A +HREF="#AEN3725" +>Browsing across subnets</A +></DT +><DT +>22.5. <A +HREF="#AEN3765" +>Setting up a WINS server</A +></DT +><DT +>22.6. <A +HREF="#AEN3785" +>Setting up Browsing in a WORKGROUP</A +></DT +><DT +>22.7. <A +HREF="#AEN3808" +>Setting up Browsing in a DOMAIN</A +></DT +><DT +>22.8. <A +HREF="#BROWSE-FORCE-MASTER" +>Forcing samba to be the master</A +></DT +><DT +>22.9. <A +HREF="#AEN3843" +>Making samba the domain master</A +></DT +><DT +>22.10. <A +HREF="#AEN3865" +>Note about broadcast addresses</A +></DT +><DT +>22.11. <A +HREF="#AEN3868" +>Multiple interfaces</A ></DT ></DL ></DD @@ -788,32 +886,32 @@ HREF="#SECURING-SAMBA" ><DL ><DT >23.1. <A -HREF="#AEN3391" +HREF="#AEN3884" >Introduction</A ></DT ><DT >23.2. <A -HREF="#AEN3394" +HREF="#AEN3887" >Using host based protection</A ></DT ><DT >23.3. <A -HREF="#AEN3401" +HREF="#AEN3894" >Using interface protection</A ></DT ><DT >23.4. <A -HREF="#AEN3410" +HREF="#AEN3903" >Using a firewall</A ></DT ><DT >23.5. <A -HREF="#AEN3417" +HREF="#AEN3910" >Using a IPC$ share deny</A ></DT ><DT >23.6. <A -HREF="#AEN3426" +HREF="#AEN3919" >Upgrading Samba</A ></DT ></DL @@ -827,12 +925,12 @@ HREF="#UNICODE" ><DL ><DT >24.1. <A -HREF="#AEN3440" +HREF="#AEN3933" >What are charsets and unicode?</A ></DT ><DT >24.2. <A -HREF="#AEN3449" +HREF="#AEN3942" >Samba and charsets</A ></DT ></DL 
@@ -848,224 +946,262 @@ HREF="#APPENDIXES" ><DL ><DT >25. <A +HREF="#SWAT" +>SWAT - The Samba Web Admininistration Tool</A +></DT +><DD +><DL +><DT +>25.1. <A +HREF="#AEN3976" +>SWAT Features and Benefits</A +></DT +></DL +></DD +><DT +>26. <A +HREF="#NT4MIGRATION" +>Migration from NT4 PDC to Samba-3 PDC</A +></DT +><DD +><DL +><DT +>26.1. <A +HREF="#AEN4012" +>Planning and Getting Started</A +></DT +><DT +>26.2. <A +HREF="#AEN4021" +>Managing Samba-3 Domain Control</A +></DT +></DL +></DD +><DT +>27. <A HREF="#SPEED" >Samba performance issues</A ></DT ><DD ><DL ><DT ->25.1. <A -HREF="#AEN3486" +>27.1. <A +HREF="#AEN4041" >Comparisons</A ></DT ><DT ->25.2. <A -HREF="#AEN3492" +>27.2. <A +HREF="#AEN4047" >Socket options</A ></DT ><DT ->25.3. <A -HREF="#AEN3499" +>27.3. <A +HREF="#AEN4054" >Read size</A ></DT ><DT ->25.4. <A -HREF="#AEN3504" +>27.4. <A +HREF="#AEN4059" >Max xmit</A ></DT ><DT ->25.5. <A -HREF="#AEN3509" +>27.5. <A +HREF="#AEN4064" >Log level</A ></DT ><DT ->25.6. <A -HREF="#AEN3512" +>27.6. <A +HREF="#AEN4067" >Read raw</A ></DT ><DT ->25.7. <A -HREF="#AEN3517" +>27.7. <A +HREF="#AEN4072" >Write raw</A ></DT ><DT ->25.8. <A -HREF="#AEN3521" +>27.8. <A +HREF="#AEN4076" >Slow Clients</A ></DT ><DT ->25.9. <A -HREF="#AEN3525" +>27.9. <A +HREF="#AEN4080" >Slow Logins</A ></DT ><DT ->25.10. <A -HREF="#AEN3528" +>27.10. <A +HREF="#AEN4083" >Client tuning</A ></DT ></DL ></DD ><DT ->26. <A +>28. <A HREF="#PORTABILITY" >Portability</A ></DT ><DD ><DL ><DT ->26.1. <A -HREF="#AEN3568" +>28.1. <A +HREF="#AEN4127" >HPUX</A ></DT ><DT ->26.2. <A -HREF="#AEN3574" +>28.2. <A +HREF="#AEN4133" >SCO Unix</A ></DT ><DT ->26.3. <A -HREF="#AEN3578" +>28.3. <A +HREF="#AEN4137" >DNIX</A ></DT ><DT ->26.4. <A -HREF="#AEN3607" +>28.4. <A +HREF="#AEN4166" >RedHat Linux Rembrandt-II</A ></DT ><DT ->26.5. <A -HREF="#AEN3613" +>28.5. <A +HREF="#AEN4172" >AIX</A ></DT ></DL ></DD ><DT ->27. <A +>29. 
<A HREF="#OTHER-CLIENTS" >Samba and other CIFS clients</A ></DT ><DD ><DL ><DT ->27.1. <A -HREF="#AEN3633" +>29.1. <A +HREF="#AEN4196" >Macintosh clients?</A ></DT ><DT ->27.2. <A -HREF="#AEN3642" +>29.2. <A +HREF="#AEN4205" >OS2 Client</A ></DT ><DT ->27.3. <A -HREF="#AEN3682" +>29.3. <A +HREF="#AEN4245" >Windows for Workgroups</A ></DT ><DT ->27.4. <A -HREF="#AEN3706" +>29.4. <A +HREF="#AEN4269" >Windows '95/'98</A ></DT ><DT ->27.5. <A -HREF="#AEN3722" +>29.5. <A +HREF="#AEN4285" >Windows 2000 Service Pack 2</A ></DT +><DT +>29.6. <A +HREF="#AEN4302" +>Windows NT 3.1</A +></DT ></DL ></DD ><DT ->28. <A +>30. <A HREF="#COMPILING" >How to compile SAMBA</A ></DT ><DD ><DL ><DT ->28.1. <A -HREF="#AEN3749" +>30.1. <A +HREF="#AEN4323" >Access Samba source code via CVS</A ></DT ><DT ->28.2. <A -HREF="#AEN3792" +>30.2. <A +HREF="#AEN4366" >Accessing the samba sources via rsync and ftp</A ></DT ><DT ->28.3. <A -HREF="#AEN3798" +>30.3. <A +HREF="#AEN4372" >Building the Binaries</A ></DT ><DT ->28.4. <A -HREF="#AEN3855" +>30.4. <A +HREF="#AEN4429" >Starting the smbd and nmbd</A ></DT ></DL ></DD ><DT ->29. <A +>31. <A HREF="#BUGREPORT" >Reporting Bugs</A ></DT ><DD ><DL ><DT ->29.1. <A -HREF="#AEN3917" +>31.1. <A +HREF="#AEN4500" >Introduction</A ></DT ><DT ->29.2. <A -HREF="#AEN3927" +>31.2. <A +HREF="#AEN4510" >General info</A ></DT ><DT ->29.3. <A -HREF="#AEN3933" +>31.3. <A +HREF="#AEN4516" >Debug levels</A ></DT ><DT ->29.4. <A -HREF="#AEN3950" +>31.4. <A +HREF="#AEN4536" >Internal errors</A ></DT ><DT ->29.5. <A -HREF="#AEN3960" +>31.5. <A +HREF="#AEN4550" >Attaching to a running process</A ></DT ><DT ->29.6. <A -HREF="#AEN3963" +>31.6. <A +HREF="#AEN4558" >Patches</A ></DT ></DL ></DD ><DT ->30. <A +>32. <A HREF="#DIAGNOSIS" >The samba checklist</A ></DT ><DD ><DL ><DT ->30.1. <A -HREF="#AEN3986" +>32.1. <A +HREF="#AEN4581" >Introduction</A ></DT ><DT ->30.2. <A -HREF="#AEN3991" +>32.2. <A +HREF="#AEN4586" >Assumptions</A ></DT ><DT ->30.3. 
<A -HREF="#AEN4001" ->Tests</A +>32.3. <A +HREF="#AEN4596" +>The tests</A ></DT ><DT ->30.4. <A -HREF="#AEN4111" +>32.4. <A +HREF="#AEN4697" >Still having troubles?</A ></DT ></DL @@ -1087,7 +1223,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN21" +NAME="AEN42" ></A ><H1 >Introduction</H1 @@ -1112,60 +1248,60 @@ HREF="#INSTALL" ><DL ><DT >1.1. <A -HREF="#AEN26" +HREF="#AEN65" >Obtaining and installing samba</A ></DT ><DT >1.2. <A -HREF="#AEN31" +HREF="#AEN70" >Configuring samba</A ></DT ><DD ><DL ><DT >1.2.1. <A -HREF="#AEN36" +HREF="#AEN75" >Editing the smb.conf file</A ></DT ><DT >1.2.2. <A -HREF="#AEN58" +HREF="#AEN97" >SWAT</A ></DT ></DL ></DD ><DT >1.3. <A -HREF="#AEN64" +HREF="#AEN103" >Try listing the shares available on your server</A ></DT ><DT >1.4. <A -HREF="#AEN73" +HREF="#AEN112" >Try connecting with the unix client</A ></DT ><DT >1.5. <A -HREF="#AEN89" +HREF="#AEN128" >Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></DT ><DT >1.6. <A -HREF="#AEN103" +HREF="#AEN142" >What If Things Don't Work?</A ></DT ><DD ><DL ><DT >1.6.1. <A -HREF="#AEN108" +HREF="#AEN147" >Scope IDs</A ></DT ><DT >1.6.2. <A -HREF="#AEN111" +HREF="#AEN150" >Locking</A ></DT ></DL 
@@ -1181,38 +1317,44 @@ HREF="#BROWSING-QUICK" ><DL ><DT >2.1. <A -HREF="#AEN130" +HREF="#AEN174" >Discussion</A ></DT ><DT >2.2. <A -HREF="#AEN139" +HREF="#AEN193" >How browsing functions and how to deploy stable and dependable browsing using Samba</A ></DT ><DT >2.3. <A -HREF="#AEN149" ->Use of the "Remote Announce" parameter</A +HREF="#AEN207" +>Use of the <B +CLASS="COMMAND" +>Remote Announce</B +> parameter</A ></DT ><DT >2.4. <A -HREF="#AEN163" ->Use of the "Remote Browse Sync" parameter</A +HREF="#AEN230" +>Use of the <B +CLASS="COMMAND" +>Remote Browse Sync</B +> parameter</A ></DT ><DT >2.5. <A -HREF="#AEN168" +HREF="#AEN241" >Use of WINS</A ></DT ><DT >2.6. <A -HREF="#AEN179" +HREF="#AEN255" >Do NOT use more than one (1) protocol on MS Windows machines</A ></DT ><DT >2.7. <A -HREF="#AEN187" +HREF="#AEN263" >Name Resolution Order</A ></DT ></DL 
@@ -1226,129 +1368,129 @@ HREF="#PASSDB" ><DL ><DT >3.1. <A -HREF="#AEN244" +HREF="#AEN321" >Introduction</A ></DT ><DT >3.2. <A -HREF="#AEN251" +HREF="#AEN328" >Important Notes About Security</A ></DT ><DD ><DL ><DT >3.2.1. <A -HREF="#AEN277" +HREF="#AEN354" >Advantages of SMB Encryption</A ></DT ><DT >3.2.2. <A -HREF="#AEN283" +HREF="#AEN360" >Advantages of non-encrypted passwords</A ></DT ></DL ></DD ><DT >3.3. <A -HREF="#AEN289" +HREF="#AEN366" >The smbpasswd Command</A ></DT ><DT >3.4. <A -HREF="#AEN320" +HREF="#AEN397" >Plain text</A ></DT ><DT >3.5. <A -HREF="#AEN325" +HREF="#AEN402" >TDB</A ></DT ><DT >3.6. <A -HREF="#AEN328" +HREF="#AEN405" >LDAP</A ></DT ><DD ><DL ><DT >3.6.1. <A -HREF="#AEN330" +HREF="#AEN407" >Introduction</A ></DT ><DT >3.6.2. <A -HREF="#AEN350" +HREF="#AEN427" >Introduction</A ></DT ><DT >3.6.3. <A -HREF="#AEN379" +HREF="#AEN456" >Supported LDAP Servers</A ></DT ><DT >3.6.4. <A -HREF="#AEN384" +HREF="#AEN461" >Schema and Relationship to the RFC 2307 posixAccount</A ></DT ><DT >3.6.5. <A -HREF="#AEN396" +HREF="#AEN473" >Configuring Samba with LDAP</A ></DT ><DT >3.6.6. <A -HREF="#AEN443" +HREF="#AEN520" >Accounts and Groups management</A ></DT ><DT >3.6.7. <A -HREF="#AEN448" +HREF="#AEN525" >Security and sambaAccount</A ></DT ><DT >3.6.8. <A -HREF="#AEN468" +HREF="#AEN545" >LDAP specials attributes for sambaAccounts</A ></DT ><DT >3.6.9. <A -HREF="#AEN538" +HREF="#AEN615" >Example LDIF Entries for a sambaAccount</A ></DT ></DL ></DD ><DT >3.7. <A -HREF="#AEN546" +HREF="#AEN623" >MySQL</A ></DT ><DD ><DL ><DT >3.7.1. <A -HREF="#AEN548" +HREF="#AEN625" >Creating the database</A ></DT ><DT >3.7.2. <A -HREF="#AEN558" +HREF="#AEN635" >Configuring</A ></DT ><DT >3.7.3. <A -HREF="#AEN575" +HREF="#AEN652" >Using plaintext passwords or encrypted password</A ></DT ><DT >3.7.4. <A -HREF="#AEN580" +HREF="#AEN657" >Getting non-column data from the table</A ></DT ></DL ></DD ><DT >3.8. <A -HREF="#AEN588" +HREF="#AEN665" >XML</A ></DT ></DL 
@@ -1368,7 +1510,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN26" +NAME="AEN65" >1.1. Obtaining and installing samba</A ></H2 ><P @@ -1389,7 +1531,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN31" +NAME="AEN70" >1.2. Configuring samba</A ></H2 ><P @@ -1410,7 +1552,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN36" +NAME="AEN75" >1.2.1. Editing the smb.conf file</A ></H3 ><P @@ -1465,7 +1607,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN50" +NAME="AEN89" >1.2.1.1. Test your config file with <B CLASS="COMMAND" @@ -1496,7 +1638,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN58" +NAME="AEN97" >1.2.2. SWAT</A ></H3 ><P @@ -1524,7 +1666,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN64" +NAME="AEN103" >1.3. Try listing the shares available on your server</A ></H2 @@ -1561,7 +1703,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN73" +NAME="AEN112" >1.4. Try connecting with the unix client</A ></H2 ><P @@ -1614,7 +1756,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN89" +NAME="AEN128" >1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></H2 @@ -1657,7 +1799,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN103" +NAME="AEN142" >1.6. What If Things Don't Work?</A ></H2 ><P @@ -1683,7 +1825,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN108" +NAME="AEN147" >1.6.1. Scope IDs</A ></H3 ><P @@ -1699,7 +1841,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN111" +NAME="AEN150" >1.6.2. Locking</A ></H3 ><P 
@@ -1769,15 +1911,39 @@ be taken as the fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address mapping.</P +><DIV +CLASS="NOTE" ><P ->Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>MS Windows 2000 and later can be configured to operate with NO NetBIOS over TCP/IP. Samba-3 and later also supports this mode of operation.</P +></TD +></TR +></TABLE +></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN130" +NAME="AEN174" >2.1. Discussion</A ></H2 ><P 
@@ -1789,29 +1955,63 @@ messaging to affect browse list management. When running NetBIOS over TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast.</P ><P >Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP.</P +<B +CLASS="COMMAND" +>remote announce</B +> +parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the +<B +CLASS="COMMAND" +>remote browse sync</B +> parameter of <TT +CLASS="FILENAME" +>smb.conf</TT +> +implements browse list collation using unicast UDP.</P ><P >Secondly, in those networks where Samba is the only SMB server technology wherever possible nmbd should be configured on one (1) machine as the WINS server. This makes it easy to manage the browsing environment. If each network segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file.</P +get cross segment browsing to work is by using the +<B +CLASS="COMMAND" +>remote announce</B +> and the <B +CLASS="COMMAND" +>remote browse sync</B +> +parameters to your <TT +CLASS="FILENAME" +>smb.conf</TT +> file.</P ><P >If only one WINS server is used for an entire multi-segment network then -the use of the "remote announce" and the "remote browse sync" parameters -should NOT be necessary.</P +the use of the <B +CLASS="COMMAND" +>remote announce</B +> and the +<B +CLASS="COMMAND" +>remote browse sync</B +> parameters should NOT be necessary.</P ><P ->As of Samba-3 WINS replication is being worked on. The bulk of the code has +>As of Samba 3 WINS replication is being worked on. 
The bulk of the code has been committed, but it still needs maturation.</P ><P >Right now samba WINS does not support MS-WINS replication. This means that when setting up Samba as a WINS server there must only be one nmbd configured as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used "remote browse -sync" and "remote announce" to affect browse list collation across all +servers for redundancy (one server per subnet) and then used +<B +CLASS="COMMAND" +>remote browse sync</B +> and <B +CLASS="COMMAND" +>remote announce</B +> +to affect browse list collation across all segments. Note that this means clients will only resolve local names, and must be configured to use DNS to resolve names on other subnets in order to resolve the IP addresses of the servers they can see on other @@ -1828,7 +2028,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN139" +NAME="AEN193" >2.2. How browsing functions and how to deploy stable and dependable browsing using Samba</A ></H2 @@ -1845,7 +2045,11 @@ well as name lookups are done by UDP broadcast. This isolates name resolution to the local subnet, unless LMHOSTS is used to list all names and IP addresses. In such situations Samba provides a means by which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter).</P +list of a remote MS Windows network (using the +<B +CLASS="COMMAND" +>remote announce</B +> parameter).</P ><P >Where a WINS server is used, the MS Windows client will use UDP unicast to register with the WINS server. Such packets can be routed 
@@ -1873,14 +2077,23 @@ will annoy users because they will have to put up with protracted inability to use the network services.</P ><P >Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and +of browse lists across routed networks using the <B +CLASS="COMMAND" +>remote +browse sync</B +> parameter in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file. +This causes Samba to contact the local master browser on a remote network and to request browse list synchronisation. This effectively bridges two networks that are separated by routers. The two remote networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and +based name resolution, but it should be noted that the <B +CLASS="COMMAND" +>remote +browse sync</B +> parameter provides browse list synchronisation - and that is distinct from name to address resolution, in other words, for cross subnet browsing to function correctly it is essential that a name to address resolution mechanism be provided. 
@@ -1895,21 +2108,40 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN149" ->2.3. Use of the "Remote Announce" parameter</A +NAME="AEN207" +>2.3. Use of the <B +CLASS="COMMAND" +>Remote Announce</B +> parameter</A ></H2 ><P ->The "remote announce" parameter of smb.conf can be used to forcibly ensure +>The <B +CLASS="COMMAND" +>remote announce</B +> parameter of +<TT +CLASS="FILENAME" +>smb.conf</TT +> can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. -The syntax of the "remote announce" parameter is: +The syntax of the <B +CLASS="COMMAND" +>remote announce</B +> parameter is: <PRE CLASS="PROGRAMLISTING" -> remote announce = a.b.c.d [e.f.g.h] ...</PRE +> remote announce = <VAR +CLASS="REPLACEABLE" +>a.b.c.d [e.f.g.h]</VAR +> ...</PRE > _or_ <PRE CLASS="PROGRAMLISTING" -> remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...</PRE +> remote announce = <VAR +CLASS="REPLACEABLE" +>a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP]</VAR +> ...</PRE > where: @@ -1919,7 +2151,14 @@ where: CLASS="VARIABLELIST" ><DL ><DT ->a.b.c.d and e.f.g.h</DT +><VAR +CLASS="REPLACEABLE" +>a.b.c.d</VAR +> and +<VAR +CLASS="REPLACEABLE" +>e.f.g.h</VAR +></DT ><DD ><P >is either the LMB (Local Master Browser) IP address @@ -1934,7 +2173,10 @@ undesirable but may be necessary if we do NOT know the IP address of the remote LMB.</P ></DD ><DT ->WORKGROUP</DT +><VAR +CLASS="REPLACEABLE" +>WORKGROUP</VAR +></DT ><DD ><P >is optional and can be either our own workgroup 
@@ -1953,30 +2195,49 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN163" ->2.4. Use of the "Remote Browse Sync" parameter</A +NAME="AEN230" +>2.4. Use of the <B +CLASS="COMMAND" +>Remote Browse Sync</B +> parameter</A ></H2 ><P ->The "remote browse sync" parameter of smb.conf is used to announce to +>The <B +CLASS="COMMAND" +>remote browse sync</B +> parameter of +<TT +CLASS="FILENAME" +>smb.conf</TT +> is used to announce to another LMB that it must synchronise it's NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is simultaneously the LMB on it's network segment.</P ><P ->The syntax of the "remote browse sync" parameter is: +>The syntax of the <B +CLASS="COMMAND" +>remote browse sync</B +> parameter is: <PRE CLASS="PROGRAMLISTING" ->remote browse sync = a.b.c.d</PRE +>remote browse sync = <VAR +CLASS="REPLACEABLE" +>a.b.c.d</VAR +></PRE > -where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.</P +where <VAR +CLASS="REPLACEABLE" +>a.b.c.d</VAR +> is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN168" +NAME="AEN241" >2.5. Use of WINS</A ></H2 ><P @@ -2000,7 +2261,11 @@ of all names that have registered the NetLogon service name_type. This saves broadcast traffic and greatly expedites logon processing. Since broadcast name resolution can not be used across network segments this type of information can only be provided via WINS _or_ via statically configured -"lmhosts" files that must reside on all clients in the absence of WINS.</P +<TT +CLASS="FILENAME" +>lmhosts</TT +> files that must reside on all clients in the +absence of WINS.</P ><P >WINS also serves the purpose of forcing browse list synchronisation by all LMB's. LMB's must synchronise their browse list with the DMB (domain master 
@@ -2018,8 +2283,15 @@ machines that have not registered with a WINS server will fail name to address lookup attempts by other clients and will therefore cause workstation access errors.</P ><P ->To configure Samba as a WINS server just add "wins support = yes" to the -smb.conf file [globals] section.</P +>To configure Samba as a WINS server just add +<B +CLASS="COMMAND" +>wins support = yes</B +> to the <TT +CLASS="FILENAME" +>smb.conf</TT +> +file [globals] section.</P ><P >To configure Samba to register with a WINS server just add "wins server = a.b.c.d" to your smb.conf file [globals] section.</P @@ -2039,7 +2311,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN179" +NAME="AEN255" >2.6. Do NOT use more than one (1) protocol on MS Windows machines</A ></H2 ><P @@ -2082,7 +2354,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN187" +NAME="AEN263" >2.7. Name Resolution Order</A ></H2 ><P @@ -2173,7 +2445,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN244" +NAME="AEN321" >3.1. Introduction</A ></H2 ><P @@ -2214,7 +2486,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN251" +NAME="AEN328" >3.2. Important Notes About Security</A ></H2 ><P @@ -2377,7 +2649,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN277" +NAME="AEN354" >3.2.1. Advantages of SMB Encryption</A ></H3 ><P @@ -2403,7 +2675,7 @@ BORDER="0" ></TR ><TR ><TD ->Encrypted password support allows auto-matic share +>Encrypted password support allows automatic share (resource) reconnects.</TD ></TR ></TBODY @@ -2416,7 +2688,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN283" +NAME="AEN360" >3.2.2. Advantages of non-encrypted passwords</A ></H3 ><P @@ -2451,7 +2723,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN289" +NAME="AEN366" >3.3. The smbpasswd Command</A ></H2 ><P @@ -2554,7 +2826,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN320" +NAME="AEN397" >3.4. Plain text</A ></H2 ><P 
@@ -2574,7 +2846,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN325" +NAME="AEN402" >3.5. TDB</A ></H2 ><P @@ -2587,7 +2859,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN328" +NAME="AEN405" >3.6. LDAP</A ></H2 ><DIV @@ -2595,7 +2867,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN330" +NAME="AEN407" >3.6.1. Introduction</A ></H3 ><P @@ -2663,7 +2935,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN350" +NAME="AEN427" >3.6.2. Introduction</A ></H3 ><P @@ -2772,7 +3044,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN379" +NAME="AEN456" >3.6.3. Supported LDAP Servers</A ></H3 ><P @@ -2783,12 +3055,12 @@ and client SDK. However, due to lack of testing so far, there are bound to be compile errors and bugs. These should not be hard to fix. If you are so inclined, please be sure to forward all patches to <A -HREF="samba-patches@samba.org" +HREF="mailto:samba-patches@samba.org" TARGET="_top" >samba-patches@samba.org</A > and <A -HREF="jerry@samba.org" +HREF="mailto:jerry@samba.org" TARGET="_top" >jerry@samba.org</A >.</P @@ -2798,7 +3070,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN384" +NAME="AEN461" >3.6.4. Schema and Relationship to the RFC 2307 posixAccount</A ></H3 ><P @@ -2823,7 +3095,7 @@ CLASS="PROGRAMLISTING" owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to <A -HREF="jerry@samba.org" +HREF="mailto:jerry@samba.org" TARGET="_top" >jerry@samba.org</A ></P @@ -2855,7 +3127,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN396" +NAME="AEN473" >3.6.5. Configuring Samba with LDAP</A ></H3 ><DIV @@ -2863,7 +3135,7 @@ CLASS="SECT3" ><H4 CLASS="SECT3" ><A -NAME="AEN398" +NAME="AEN475" >3.6.5.1. OpenLDAP configuration</A ></H4 ><P 
@@ -2873,9 +3145,9 @@ server, first copy the samba.schema file to slapd's configuration directory.</P ><SAMP CLASS="PROMPT" >root# </SAMP -><B -CLASS="COMMAND" ->cp samba.schema /etc/openldap/schema/</B +><KBD +CLASS="USERINPUT" +>cp samba.schema /etc/openldap/schema/</KBD ></P ><P >Next, include the <TT @@ -2945,7 +3217,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN415" +NAME="AEN492" >3.6.5.2. Configuring Samba</A ></H4 ><P @@ -3061,7 +3333,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN443" +NAME="AEN520" >3.6.6. Accounts and Groups management</A ></H3 ><P @@ -3086,7 +3358,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN448" +NAME="AEN525" >3.6.7. Security and sambaAccount</A ></H3 ><P @@ -3165,7 +3437,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN468" +NAME="AEN545" >3.6.8. LDAP specials attributes for sambaAccounts</A ></H3 ><P @@ -3372,7 +3644,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN538" +NAME="AEN615" >3.6.9. Example LDIF Entries for a sambaAccount</A ></H3 ><P @@ -3431,7 +3703,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN546" +NAME="AEN623" >3.7. MySQL</A ></H2 ><DIV @@ -3439,7 +3711,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN548" +NAME="AEN625" >3.7.1. Creating the database</A ></H3 ><P @@ -3475,7 +3747,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN558" +NAME="AEN635" >3.7.2. Configuring</A ></H3 ><P @@ -3586,7 +3858,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN575" +NAME="AEN652" >3.7.3. Using plaintext passwords or encrypted password</A ></H3 ><P @@ -3601,7 +3873,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN580" +NAME="AEN657" >3.7.4. Getting non-column data from the table</A ></H3 ><P @@ -3627,7 +3899,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN588" +NAME="AEN665" >3.8. XML</A ></H2 ><P 
@@ -3635,17 +3907,17 @@ NAME="AEN588" ><P >The usage of pdb_xml is pretty straightforward. To export data, use: -<B -CLASS="COMMAND" ->pdbedit -e xml:filename</B +<KBD +CLASS="USERINPUT" +>pdbedit -e xml:filename</KBD > (where filename is the name of the file to put the data in)</P ><P >To import data, use: -<B -CLASS="COMMAND" ->pdbedit -i xml:filename -e current-pdb</B +<KBD +CLASS="USERINPUT" +>pdbedit -i xml:filename -e current-pdb</KBD > Where filename is the name to read the data from and current-pdb to put it in.</P @@ -3665,7 +3937,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN597" +NAME="AEN674" ></A ><H1 >Introduction</H1 @@ -3689,24 +3961,24 @@ HREF="#SERVERTYPE" ><DL ><DT >4.1. <A -HREF="#AEN626" +HREF="#AEN703" >Stand Alone Server</A ></DT ><DT >4.2. <A -HREF="#AEN633" +HREF="#AEN710" >Domain Member Server</A ></DT ><DT >4.3. <A -HREF="#AEN639" +HREF="#AEN716" >Domain Controller</A ></DT ><DD ><DL ><DT >4.3.1. <A -HREF="#AEN642" +HREF="#AEN719" >Domain Controller Types</A ></DT ></DL @@ -3722,34 +3994,34 @@ HREF="#SECURITYLEVELS" ><DL ><DT >5.1. <A -HREF="#AEN668" +HREF="#AEN752" >User and Share security level</A ></DT ><DD ><DL ><DT >5.1.1. <A -HREF="#AEN671" +HREF="#AEN755" >User Level Security</A ></DT ><DT >5.1.2. <A -HREF="#AEN681" +HREF="#AEN765" >Share Level Security</A ></DT ><DT >5.1.3. <A -HREF="#AEN685" +HREF="#AEN769" >Server Level Security</A ></DT ><DT >5.1.4. <A -HREF="#AEN724" +HREF="#AEN808" >Domain Level Security</A ></DT ><DT >5.1.5. <A -HREF="#AEN745" +HREF="#AEN829" >ADS Level Security</A ></DT ></DL 
@@ -3765,63 +4037,63 @@ HREF="#SAMBA-PDC" ><DL ><DT >6.1. <A -HREF="#AEN772" +HREF="#AEN859" >Prerequisite Reading</A ></DT ><DT >6.2. <A -HREF="#AEN777" +HREF="#AEN864" >Background</A ></DT ><DT >6.3. <A -HREF="#AEN817" +HREF="#AEN904" >Configuring the Samba Domain Controller</A ></DT ><DT >6.4. <A -HREF="#AEN859" +HREF="#AEN946" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT ><DD ><DL ><DT >6.4.1. <A -HREF="#AEN902" +HREF="#AEN989" >Manual Creation of Machine Trust Accounts</A ></DT ><DT >6.4.2. <A -HREF="#AEN943" +HREF="#AEN1030" >"On-the-Fly" Creation of Machine Trust Accounts</A ></DT ><DT >6.4.3. <A -HREF="#AEN952" +HREF="#AEN1039" >Joining the Client to the Domain</A ></DT ></DL ></DD ><DT >6.5. <A -HREF="#AEN967" +HREF="#AEN1054" >Common Problems and Errors</A ></DT ><DT >6.6. <A -HREF="#AEN1013" +HREF="#AEN1100" >What other help can I get?</A ></DT ><DT >6.7. <A -HREF="#AEN1127" +HREF="#AEN1214" >Domain Control for Windows 9x/ME</A ></DT ><DD ><DL ><DT >6.7.1. <A -HREF="#AEN1150" +HREF="#AEN1237" >Configuration Instructions: Network Logons</A ></DT ></DL 
@@ -3837,53 +4109,53 @@ HREF="#SAMBA-BDC" ><DL ><DT >7.1. <A -HREF="#AEN1180" +HREF="#AEN1267" >Prerequisite Reading</A ></DT ><DT >7.2. <A -HREF="#AEN1184" +HREF="#AEN1271" >Background</A ></DT ><DT >7.3. <A -HREF="#AEN1192" +HREF="#AEN1279" >What qualifies a Domain Controller on the network?</A ></DT ><DD ><DL ><DT >7.3.1. <A -HREF="#AEN1195" +HREF="#AEN1282" >How does a Workstation find its domain controller?</A ></DT ><DT >7.3.2. <A -HREF="#AEN1198" +HREF="#AEN1285" >When is the PDC needed?</A ></DT ></DL ></DD ><DT >7.4. <A -HREF="#AEN1201" +HREF="#AEN1288" >Can Samba be a Backup Domain Controller to an NT PDC?</A ></DT ><DT >7.5. <A -HREF="#AEN1206" +HREF="#AEN1293" >How do I set up a Samba BDC?</A ></DT ><DD ><DL ><DT >7.5.1. <A -HREF="#AEN1223" +HREF="#AEN1310" >How do I replicate the smbpasswd file?</A ></DT ><DT >7.5.2. <A -HREF="#AEN1227" +HREF="#AEN1314" >Can I do this all with LDAP?</A ></DT ></DL @@ -3899,7 +4171,7 @@ HREF="#ADS" ><DL ><DT >8.1. <A -HREF="#AEN1238" +HREF="#AEN1336" >Setup your <TT CLASS="FILENAME" >smb.conf</TT @@ -3907,7 +4179,7 @@ CLASS="FILENAME" ></DT ><DT >8.2. <A -HREF="#AEN1249" +HREF="#AEN1349" >Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT @@ -3915,31 +4187,31 @@ CLASS="FILENAME" ></DT ><DT >8.3. <A -HREF="#AEN1260" +HREF="#ADS-CREATE-MACHINE-ACCOUNT" >Create the computer account</A ></DT ><DD ><DL ><DT >8.3.1. <A -HREF="#AEN1264" +HREF="#AEN1373" >Possible errors</A ></DT ></DL ></DD ><DT >8.4. <A -HREF="#AEN1272" +HREF="#ADS-TEST-SERVER" >Test your server setup</A ></DT ><DT >8.5. <A -HREF="#AEN1277" +HREF="#ADS-TEST-SMBCLIENT" >Testing with smbclient</A ></DT ><DT >8.6. <A -HREF="#AEN1280" +HREF="#AEN1390" >Notes</A ></DT ></DL @@ -3953,12 +4225,12 @@ HREF="#DOMAIN-SECURITY" ><DL ><DT >9.1. <A -HREF="#AEN1302" +HREF="#AEN1413" >Joining an NT Domain with Samba 3.0</A ></DT ><DT >9.2. <A -HREF="#AEN1356" +HREF="#AEN1467" >Why is this better than security = server?</A ></DT ></DL 
@@ -4017,7 +4289,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN626" +NAME="AEN703" >4.1. Stand Alone Server</A ></H2 ><P @@ -4060,7 +4332,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN633" +NAME="AEN710" >4.2. Domain Member Server</A ></H2 ><P @@ -4068,8 +4340,7 @@ NAME="AEN633" of a domain security context. This means by definition that all user authentication will be done from a centrally defined authentication regime. The authentication regime may come from an NT3/4 style (old domain technology) server, or it may be -provided from an Active Directory server (ADS) running on MS Windows 2000 or later. ->/para> </P +provided from an Active Directory server (ADS) running on MS Windows 2000 or later.</P ><P ><SPAN CLASS="emphasis" @@ -4091,7 +4362,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN639" +NAME="AEN716" >4.3. Domain Controller</A ></H2 ><P @@ -4103,7 +4374,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN642" +NAME="AEN719" >4.3.1. Domain Controller Types</A ></H3 ><P @@ -4197,7 +4468,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN668" +NAME="AEN752" >5.1. User and Share security level</A ></H2 ><P @@ -4215,7 +4486,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN671" +NAME="AEN755" >5.1.1. User Level Security</A ></H3 ><P @@ -4256,7 +4527,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN681" +NAME="AEN765" >5.1.2. Share Level Security</A ></H3 ><P @@ -4287,7 +4558,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN685" +NAME="AEN769" >5.1.3. Server Level Security</A ></H3 ><P @@ -4323,7 +4594,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN690" +NAME="AEN774" >5.1.3.1. Configuring Samba for Seemless Windows Network Integration</A ></H4 ><P @@ -4435,7 +4706,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN716" +NAME="AEN800" >5.1.3.2. Use MS Windows NT as an authentication server</A ></H4 ><P 
@@ -4471,7 +4742,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN724" +NAME="AEN808" >5.1.4. Domain Level Security</A ></H3 ><P @@ -4489,7 +4760,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN728" +NAME="AEN812" >5.1.4.1. Samba as a member of an MS Windows NT security domain</A ></H4 ><P @@ -4552,7 +4823,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN745" +NAME="AEN829" >5.1.5. ADS Level Security</A ></H3 ><P @@ -4579,7 +4850,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN772" +NAME="AEN859" >6.1. Prerequisite Reading</A ></H2 ><P @@ -4602,7 +4873,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN777" +NAME="AEN864" >6.2. Background</A ></H2 ><P @@ -4749,7 +5020,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN817" +NAME="AEN904" >6.3. Configuring the Samba Domain Controller</A ></H2 ><P @@ -4912,8 +5183,7 @@ TARGET="_top" ><P > Encrypted passwords must be enabled. For more details on how to do this, refer to <A -HREF="ENCRYPTION.html" -TARGET="_top" +HREF="#PASSDB" >ENCRYPTION.html</A >. </P @@ -4946,7 +5216,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN859" +NAME="AEN946" >6.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A ></H2 ><P @@ -5132,7 +5402,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN902" +NAME="AEN989" >6.4.1. Manual Creation of Machine Trust Accounts</A ></H3 ><P @@ -5302,7 +5572,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN943" +NAME="AEN1030" >6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A ></H3 ><P @@ -5339,7 +5609,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN952" +NAME="AEN1039" >6.4.3. Joining the Client to the Domain</A ></H3 ><P @@ -5407,7 +5677,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN967" +NAME="AEN1054" >6.5. Common Problems and Errors</A ></H2 ><P @@ -5606,7 +5876,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1013" +NAME="AEN1100" >6.6. What other help can I get?</A ></H2 ><P 
@@ -6026,7 +6296,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1127" +NAME="AEN1214" >6.7. Domain Control for Windows 9x/ME</A ></H2 ><P @@ -6125,7 +6395,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1150" +NAME="AEN1237" >6.7.1. Configuration Instructions: Network Logons</A ></H3 ><P @@ -6240,7 +6510,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1180" +NAME="AEN1267" >7.1. Prerequisite Reading</A ></H2 ><P @@ -6257,7 +6527,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1184" +NAME="AEN1271" >7.2. Background</A ></H2 ><P @@ -6302,7 +6572,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1192" +NAME="AEN1279" >7.3. What qualifies a Domain Controller on the network?</A ></H2 ><P @@ -6319,7 +6589,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1195" +NAME="AEN1282" >7.3.1. How does a Workstation find its domain controller?</A ></H3 ><P @@ -6338,7 +6608,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1198" +NAME="AEN1285" >7.3.2. When is the PDC needed?</A ></H3 ><P @@ -6354,7 +6624,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1201" +NAME="AEN1288" >7.4. Can Samba be a Backup Domain Controller to an NT PDC?</A ></H2 ><P @@ -6377,7 +6647,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1206" +NAME="AEN1293" >7.5. How do I set up a Samba BDC?</A ></H2 ><P @@ -6444,7 +6714,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1223" +NAME="AEN1310" >7.5.1. How do I replicate the smbpasswd file?</A ></H3 ><P @@ -6465,7 +6735,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1227" +NAME="AEN1314" >7.5.2. Can I do this all with LDAP?</A ></H3 ><P @@ -6492,7 +6762,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1238" +NAME="AEN1336" >8.1. Setup your <TT CLASS="FILENAME" >smb.conf</TT 
@@ -6520,26 +6790,57 @@ CLASS="FILENAME" CLASS="PROGRAMLISTING" > ads server = your.kerberos.server</PRE ></P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P >You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm + be authenticated as if <B +CLASS="COMMAND" +>security = domain</B +>, + although it won't do any harm and allows you to have local users not in the domain. I expect that the above required options will change soon when we get better active directory integration.</P +></TD +></TR +></TABLE +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1249" +NAME="AEN1349" >8.2. Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT ></A ></H2 ><P ->The minimal configuration for krb5.conf is:</P +>The minimal configuration for <TT +CLASS="FILENAME" +>krb5.conf</TT +> is:</P ><P ><PRE CLASS="PROGRAMLISTING" 
@@ -6549,10 +6850,43 @@ CLASS="PROGRAMLISTING" }</PRE ></P ><P ->Test your config by doing a "kinit USERNAME@REALM" and making sure that +>Test your config by doing a <KBD +CLASS="USERINPUT" +>kinit <VAR +CLASS="REPLACEABLE" +>USERNAME</VAR +>@<VAR +CLASS="REPLACEABLE" +>REALM</VAR +></KBD +> and making sure that your password is accepted by the Win2000 KDC. </P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->NOTE: The realm must be uppercase. </P +>The realm must be uppercase. </P +></TD +></TR +></TABLE +></DIV ><P >You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to 
@@ -6560,13 +6894,28 @@ must either be the netbios name of the KDC (ie. the hostname with no domain attached) or it can alternatively be the netbios name followed by the realm. </P ><P ->The easiest way to ensure you get this right is to add a /etc/hosts -entry mapping the IP address of your KDC to its netbios name. If you -don't get this right then you will get a "local error" when you try -to join the realm.</P +>The easiest way to ensure you get this right is to add a +<TT +CLASS="FILENAME" +>/etc/hosts</TT +> entry mapping the IP address of your KDC to +its netbios name. If you don't get this right then you will get a +"local error" when you try to join the realm.</P ><P >If all you want is kerberos support in smbclient then you can skip -straight to step 5 now. Step 3 is only needed if you want kerberos +straight to <A +HREF="#ADS-TEST-SMBCLIENT" +>Test with smbclient</A +> now. +<A +HREF="#ADS-CREATE-MACHINE-ACCOUNT" +>Creating a computer account</A +> +and <A +HREF="#ADS-TEST-SERVER" +>testing your servers</A +> +is only needed if you want kerberos support for smbd and winbindd.</P ></DIV ><DIV @@ -6574,22 +6923,22 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1260" +NAME="ADS-CREATE-MACHINE-ACCOUNT" >8.3. Create the computer account</A ></H2 ><P >As a user that has write permission on the Samba private directory (usually root) run: -<B -CLASS="COMMAND" ->net ads join</B +<KBD +CLASS="USERINPUT" +>net ads join</KBD ></P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1264" +NAME="AEN1373" >8.3.1. Possible errors</A ></H3 ><P 
@@ -6614,18 +6963,18 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1272" +NAME="ADS-TEST-SERVER" >8.4. Test your server setup</A ></H2 ><P ->On a Windows 2000 client try <B -CLASS="COMMAND" ->net use * \\server\share</B +>On a Windows 2000 client try <KBD +CLASS="USERINPUT" +>net use * \\server\share</KBD >. You should be logged in with kerberos without needing to know a password. If -this fails then run <B -CLASS="COMMAND" ->klist tickets</B +this fails then run <KBD +CLASS="USERINPUT" +>klist tickets</KBD >. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ? </P ></DIV @@ -6634,20 +6983,23 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1277" +NAME="ADS-TEST-SMBCLIENT" >8.5. Testing with smbclient</A ></H2 ><P >On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but -specify the -k option to choose kerberos authentication.</P +specify the <VAR +CLASS="PARAMETER" +>-k</VAR +> option to choose kerberos authentication.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1280" +NAME="AEN1390" >8.6. Notes</A ></H2 ><P @@ -6670,7 +7022,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1302" +NAME="AEN1413" >9.1. Joining an NT Domain with Samba 3.0</A ></H2 ><P @@ -6853,7 +7205,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1356" +NAME="AEN1467" >9.2. Why is this better than security = server?</A ></H2 ><P @@ -6965,7 +7317,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN1374" +NAME="AEN1485" ></A ><H1 >Introduction</H1 
@@ -6982,234 +7334,195 @@ CLASS="TOC" ></DT ><DT >10. <A -HREF="#ADVANCEDNETWORKMANAGEMENT" ->Advanced Network Manangement Information</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1388" ->Remote Server Administration</A -></DT -></DL -></DD -><DT ->11. <A HREF="#UNIX-PERMISSIONS" >UNIX Permission Bits and Windows NT Access Control Lists</A ></DT ><DD ><DL ><DT ->11.1. <A -HREF="#AEN1416" +>10.1. <A +HREF="#AEN1499" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT ->11.2. <A -HREF="#AEN1420" +>10.2. <A +HREF="#AEN1505" >How to view file security on a Samba share</A ></DT ><DT ->11.3. <A -HREF="#AEN1431" +>10.3. <A +HREF="#AEN1516" >Viewing file ownership</A ></DT ><DT ->11.4. <A -HREF="#AEN1451" +>10.4. <A +HREF="#AEN1536" >Viewing file or directory permissions</A ></DT ><DD ><DL ><DT ->11.4.1. <A -HREF="#AEN1466" +>10.4.1. <A +HREF="#AEN1551" >File Permissions</A ></DT ><DT ->11.4.2. <A -HREF="#AEN1480" +>10.4.2. <A +HREF="#AEN1565" >Directory Permissions</A ></DT ></DL ></DD ><DT ->11.5. <A -HREF="#AEN1487" +>10.5. <A +HREF="#AEN1572" >Modifying file or directory permissions</A ></DT ><DT ->11.6. <A -HREF="#AEN1509" +>10.6. <A +HREF="#AEN1594" >Interaction with the standard Samba create mask parameters</A ></DT ><DT ->11.7. <A -HREF="#AEN1563" +>10.7. <A +HREF="#AEN1648" >Interaction with the standard Samba file attribute mapping</A ></DT ></DL ></DD ><DT ->12. <A +>11. <A HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT -><DT ->13. <A -HREF="#PAM" ->Configuring PAM for distributed but centrally -managed authentication</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1619" ->Samba and PAM</A +>Configuring Group Mapping</A ></DT ><DT ->13.2. <A -HREF="#AEN1668" ->Distributed Authentication</A -></DT -><DT ->13.3. <A -HREF="#AEN1673" ->PAM Configuration in smb.conf</A -></DT -></DL -></DD -><DT ->14. <A +>12. <A HREF="#PRINTING" >Printing Support</A ></DT ><DD ><DL ><DT ->14.1. <A -HREF="#AEN1699" +>12.1. 
<A +HREF="#AEN1711" >Introduction</A ></DT ><DT ->14.2. <A -HREF="#AEN1721" +>12.2. <A +HREF="#AEN1733" >Configuration</A ></DT ><DD ><DL ><DT ->14.2.1. <A -HREF="#AEN1729" +>12.2.1. <A +HREF="#AEN1741" >Creating [print$]</A ></DT ><DT ->14.2.2. <A -HREF="#AEN1764" +>12.2.2. <A +HREF="#AEN1776" >Setting Drivers for Existing Printers</A ></DT ><DT ->14.2.3. <A -HREF="#AEN1780" +>12.2.3. <A +HREF="#AEN1792" >Support a large number of printers</A ></DT ><DT ->14.2.4. <A -HREF="#AEN1791" +>12.2.4. <A +HREF="#AEN1807" >Adding New Printers via the Windows NT APW</A ></DT ><DT ->14.2.5. <A -HREF="#AEN1821" +>12.2.5. <A +HREF="#AEN1837" >Samba and Printer Ports</A ></DT ></DL ></DD ><DT ->14.3. <A -HREF="#AEN1829" +>12.3. <A +HREF="#AEN1845" >The Imprints Toolset</A ></DT ><DD ><DL ><DT ->14.3.1. <A -HREF="#AEN1833" +>12.3.1. <A +HREF="#AEN1849" >What is Imprints?</A ></DT ><DT ->14.3.2. <A -HREF="#AEN1843" +>12.3.2. <A +HREF="#AEN1859" >Creating Printer Driver Packages</A ></DT ><DT ->14.3.3. <A -HREF="#AEN1846" +>12.3.3. <A +HREF="#AEN1862" >The Imprints server</A ></DT ><DT ->14.3.4. <A -HREF="#AEN1850" +>12.3.4. <A +HREF="#AEN1866" >The Installation Client</A ></DT ></DL ></DD ><DT ->14.4. <A -HREF="#AEN1872" +>12.4. <A +HREF="#AEN1888" >Diagnosis</A ></DT ><DD ><DL ><DT ->14.4.1. <A -HREF="#AEN1874" +>12.4.1. <A +HREF="#AEN1890" >Introduction</A ></DT ><DT ->14.4.2. <A -HREF="#AEN1890" +>12.4.2. <A +HREF="#AEN1906" >Debugging printer problems</A ></DT ><DT ->14.4.3. <A -HREF="#AEN1899" +>12.4.3. <A +HREF="#AEN1915" >What printers do I have?</A ></DT ><DT ->14.4.4. <A -HREF="#AEN1907" +>12.4.4. <A +HREF="#AEN1923" >Setting up printcap and print servers</A ></DT ><DT ->14.4.5. <A -HREF="#AEN1935" +>12.4.5. <A +HREF="#AEN1951" >Job sent, no output</A ></DT ><DT ->14.4.6. <A -HREF="#AEN1946" +>12.4.6. <A +HREF="#AEN1962" >Job sent, strange output</A ></DT ><DT ->14.4.7. <A -HREF="#AEN1958" +>12.4.7. <A +HREF="#AEN1974" >Raw PostScript printed</A ></DT ><DT ->14.4.8. 
<A -HREF="#AEN1961" +>12.4.8. <A +HREF="#AEN1977" >Advanced Printing</A ></DT ><DT ->14.4.9. <A -HREF="#AEN1964" +>12.4.9. <A +HREF="#AEN1980" >Real debugging</A ></DT ></DL 
@@ -7217,192 +7530,357 @@ HREF="#AEN1964" ></DL ></DD ><DT ->15. <A +>13. <A HREF="#CUPS-PRINTING" >CUPS Printing Support</A ></DT ><DD ><DL ><DT ->15.1. <A -HREF="#AEN1984" +>13.1. <A +HREF="#AEN2000" >Introduction</A ></DT ><DT ->15.2. <A -HREF="#AEN1989" ->CUPS - RAW Print Through Mode</A +>13.2. <A +HREF="#AEN2007" +>Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A ></DT ><DT ->15.3. <A -HREF="#AEN2044" ->The CUPS Filter Chains</A +>13.3. <A +HREF="#AEN2026" +>CUPS - RAW Print Through Mode</A ></DT ><DT ->15.4. <A +>13.4. <A HREF="#AEN2083" +>CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></DT +><DT +>13.5. <A +HREF="#AEN2104" +>Windows Terminal Servers (WTS) as CUPS clients</A +></DT +><DT +>13.6. <A +HREF="#AEN2108" +>Setting up CUPS for driver download</A +></DT +><DT +>13.7. <A +HREF="#AEN2120" +>Sources of CUPS drivers / PPDs</A +></DT +><DD +><DL +><DT +>13.7.1. <A +HREF="#AEN2147" +><B +CLASS="COMMAND" +>cupsaddsmb</B +></A +></DT +></DL +></DD +><DT +>13.8. <A +HREF="#AEN2176" +>The CUPS Filter Chains</A +></DT +><DT +>13.9. <A +HREF="#AEN2215" >CUPS Print Drivers and Devices</A ></DT ><DD ><DL ><DT ->15.4.1. <A -HREF="#AEN2090" +>13.9.1. <A +HREF="#AEN2222" >Further printing steps</A ></DT ></DL ></DD ><DT ->15.5. <A -HREF="#AEN2160" +>13.10. <A +HREF="#AEN2292" >Limiting the number of pages users can print</A ></DT ><DT ->15.6. <A -HREF="#AEN2249" +>13.11. <A +HREF="#AEN2388" >Advanced Postscript Printing from MS Windows</A ></DT ><DT ->15.7. <A -HREF="#AEN2264" +>13.12. <A +HREF="#AEN2403" >Auto-Deletion of CUPS spool files</A ></DT ></DL ></DD ><DT ->16. <A +>14. <A HREF="#WINBIND" >Unified Logons between Windows NT and UNIX using Winbind</A ></DT ><DD ><DL ><DT ->16.1. <A -HREF="#AEN2326" +>14.1. <A +HREF="#AEN2469" >Abstract</A ></DT ><DT ->16.2. <A -HREF="#AEN2330" +>14.2. <A +HREF="#AEN2473" >Introduction</A ></DT ><DT ->16.3. 
<A -HREF="#AEN2343" +>14.3. <A +HREF="#AEN2486" >What Winbind Provides</A ></DT ><DD ><DL ><DT ->16.3.1. <A -HREF="#AEN2350" +>14.3.1. <A +HREF="#AEN2493" >Target Uses</A ></DT ></DL ></DD ><DT ->16.4. <A -HREF="#AEN2354" +>14.4. <A +HREF="#AEN2497" >How Winbind Works</A ></DT ><DD ><DL ><DT ->16.4.1. <A -HREF="#AEN2359" +>14.4.1. <A +HREF="#AEN2502" >Microsoft Remote Procedure Calls</A ></DT ><DT ->16.4.2. <A -HREF="#AEN2363" +>14.4.2. <A +HREF="#AEN2506" >Microsoft Active Directory Services</A ></DT ><DT ->16.4.3. <A -HREF="#AEN2366" +>14.4.3. <A +HREF="#AEN2509" >Name Service Switch</A ></DT ><DT ->16.4.4. <A -HREF="#AEN2382" +>14.4.4. <A +HREF="#AEN2525" >Pluggable Authentication Modules</A ></DT ><DT ->16.4.5. <A -HREF="#AEN2390" +>14.4.5. <A +HREF="#AEN2533" >User and Group ID Allocation</A ></DT ><DT ->16.4.6. <A -HREF="#AEN2394" +>14.4.6. <A +HREF="#AEN2537" >Result Caching</A ></DT ></DL ></DD ><DT ->16.5. <A -HREF="#AEN2397" +>14.5. <A +HREF="#AEN2540" >Installation and Configuration</A ></DT ><DD ><DL ><DT ->16.5.1. <A -HREF="#AEN2402" +>14.5.1. <A +HREF="#AEN2545" >Introduction</A ></DT ><DT ->16.5.2. <A -HREF="#AEN2415" +>14.5.2. <A +HREF="#AEN2558" >Requirements</A ></DT ><DT ->16.5.3. <A -HREF="#AEN2429" +>14.5.3. <A +HREF="#AEN2572" >Testing Things Out</A ></DT ></DL ></DD ><DT ->16.6. <A -HREF="#AEN2654" +>14.6. <A +HREF="#AEN2797" >Limitations</A ></DT ><DT ->16.7. <A -HREF="#AEN2664" +>14.7. <A +HREF="#AEN2807" >Conclusion</A ></DT ></DL ></DD ><DT ->17. <A +>15. <A +HREF="#ADVANCEDNETWORKMANAGEMENT" +>Advanced Network Manangement</A +></DT +><DD +><DL +><DT +>15.1. <A +HREF="#AEN2822" +>Configuring Samba Share Access Controls</A +></DT +><DD +><DL +><DT +>15.1.1. <A +HREF="#AEN2832" +>Share Permissions Management</A +></DT +></DL +></DD +><DT +>15.2. <A +HREF="#AEN2860" +>Remote Server Administration</A +></DT +><DT +>15.3. <A +HREF="#AEN2877" +>Network Logon Script Magic</A +></DT +></DL +></DD +><DT +>16. 
<A HREF="#POLICYMGMT" ->Policy Management - Hows and Whys</A +>System and Account Policies</A +></DT +><DD +><DL +><DT +>16.1. <A +HREF="#AEN2892" +>Creating and Managing System Policies</A +></DT +><DD +><DL +><DT +>16.1.1. <A +HREF="#AEN2906" +>Windows 9x/Me Policies</A +></DT +><DT +>16.1.2. <A +HREF="#AEN2918" +>Windows NT4 Style Policy Files</A +></DT +><DT +>16.1.3. <A +HREF="#AEN2936" +>MS Windows 200x / XP Professional Policies</A +></DT +></DL +></DD +><DT +>16.2. <A +HREF="#AEN2965" +>Managing Account/User Policies</A +></DT +><DD +><DL +><DT +>16.2.1. <A +HREF="#AEN2980" +>With Windows NT4/200x</A +></DT +><DT +>16.2.2. <A +HREF="#AEN2983" +>With a Samba PDC</A +></DT +></DL +></DD +></DL +></DD +><DT +>17. <A +HREF="#PROFILEMGMT" +>Desktop Profile Management</A ></DT ><DD ><DL ><DT >17.1. <A -HREF="#AEN2678" ->System Policies</A +HREF="#AEN2998" +>Roaming Profiles</A ></DT ><DD ><DL ><DT >17.1.1. <A -HREF="#AEN2692" ->Creating and Managing Windows 9x/Me Policies</A +HREF="#AEN3006" +>Samba Configuration for Profile Handling</A ></DT ><DT >17.1.2. <A -HREF="#AEN2704" ->Creating and Managing Windows NT4 Style Policy Files</A +HREF="#AEN3031" +>Windows Client Profile Configuration Information</A ></DT ><DT >17.1.3. <A -HREF="#AEN2722" ->Creating and Managing MS Windows 200x Policies</A +HREF="#AEN3151" +>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +></DT +><DT +>17.1.4. <A +HREF="#AEN3158" +>Profile Migration from Windows NT4/200x Server to Samba</A +></DT +></DL +></DD +><DT +>17.2. <A +HREF="#AEN3196" +>Mandatory profiles</A +></DT +><DT +>17.3. <A +HREF="#AEN3203" +>Creating/Managing Group Profiles</A +></DT +><DT +>17.4. <A +HREF="#AEN3209" +>Default Profile for Windows Users</A +></DT +><DD +><DL +><DT +>17.4.1. <A +HREF="#AEN3213" +>MS Windows 9x/Me</A +></DT +><DT +>17.4.2. <A +HREF="#AEN3225" +>MS Windows NT4 Workstation</A +></DT +><DT +>17.4.3. <A +HREF="#AEN3279" +>MS Windows 200x/XP</A ></DT ></DL ></DD 
@@ -7410,108 +7888,154 @@ HREF="#AEN2722" ></DD ><DT >18. <A -HREF="#PROFILEMGMT" ->Profile Management</A +HREF="#PAM" +>PAM Configuration for Centrally Managed Authentication</A ></DT ><DD ><DL ><DT >18.1. <A -HREF="#AEN2761" ->Roaming Profiles</A +HREF="#AEN3332" +>Samba and PAM</A +></DT +><DT +>18.2. <A +HREF="#AEN3383" +>Distributed Authentication</A +></DT +><DT +>18.3. <A +HREF="#AEN3388" +>PAM Configuration in smb.conf</A +></DT +></DL +></DD +><DT +>19. <A +HREF="#VFS" +>Stackable VFS modules</A ></DT ><DD ><DL ><DT ->18.1.1. <A -HREF="#AEN2769" ->Windows NT Configuration</A +>19.1. <A +HREF="#AEN3423" +>Introduction and configuration</A ></DT ><DT ->18.1.2. <A -HREF="#AEN2778" ->Windows 9X Configuration</A +>19.2. <A +HREF="#AEN3432" +>Included modules</A ></DT +><DD +><DL ><DT ->18.1.3. <A -HREF="#AEN2786" ->Win9X and WinNT Configuration</A +>19.2.1. <A +HREF="#AEN3434" +>audit</A ></DT ><DT ->18.1.4. <A -HREF="#AEN2793" ->Windows 9X Profile Setup</A +>19.2.2. <A +HREF="#AEN3442" +>extd_audit</A ></DT ><DT ->18.1.5. <A -HREF="#AEN2829" ->Windows NT Workstation 4.0</A +>19.2.3. <A +HREF="#AEN3446" +>recycle</A ></DT ><DT ->18.1.6. <A -HREF="#AEN2837" ->Windows NT/200x Server</A +>19.2.4. <A +HREF="#AEN3483" +>netatalk</A ></DT +></DL +></DD ><DT ->18.1.7. <A -HREF="#AEN2840" ->Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +>19.3. <A +HREF="#AEN3490" +>VFS modules available elsewhere</A ></DT +><DD +><DL ><DT ->18.1.8. <A -HREF="#AEN2847" ->Windows NT 4</A +>19.3.1. <A +HREF="#AEN3494" +>DatabaseFS</A ></DT ><DT ->18.1.9. <A -HREF="#AEN2885" ->Windows 2000/XP</A +>19.3.2. <A +HREF="#AEN3502" +>vscan</A ></DT ></DL ></DD ></DL ></DD ><DT ->19. <A +>20. <A +HREF="#MSDFS" +>Hosting a Microsoft Distributed File System tree on Samba</A +></DT +><DD +><DL +><DT +>20.1. <A +HREF="#AEN3518" +>Instructions</A +></DT +><DD +><DL +><DT +>20.1.1. <A +HREF="#AEN3553" +>Notes</A +></DT +></DL +></DD +></DL +></DD +><DT +>21. 
<A HREF="#INTEGRATE-MS-NETWORKS" >Integrating MS Windows networks with Samba</A ></DT ><DD ><DL ><DT ->19.1. <A -HREF="#AEN2975" +>21.1. <A +HREF="#AEN3580" >Name Resolution in a pure Unix/Linux world</A ></DT ><DD ><DL ><DT ->19.1.1. <A -HREF="#AEN2991" +>21.1.1. <A +HREF="#AEN3596" ><TT CLASS="FILENAME" >/etc/hosts</TT ></A ></DT ><DT ->19.1.2. <A -HREF="#AEN3007" +>21.1.2. <A +HREF="#AEN3612" ><TT CLASS="FILENAME" >/etc/resolv.conf</TT ></A ></DT ><DT ->19.1.3. <A -HREF="#AEN3018" +>21.1.3. <A +HREF="#AEN3623" ><TT CLASS="FILENAME" >/etc/host.conf</TT ></A ></DT ><DT ->19.1.4. <A -HREF="#AEN3026" +>21.1.4. <A +HREF="#AEN3631" ><TT CLASS="FILENAME" >/etc/nsswitch.conf</TT @@ -7520,35 +8044,35 @@ CLASS="FILENAME" ></DL ></DD ><DT ->19.2. <A -HREF="#AEN3038" +>21.2. <A +HREF="#AEN3643" >Name resolution as used within MS Windows networking</A ></DT ><DD ><DL ><DT ->19.2.1. <A -HREF="#AEN3050" +>21.2.1. <A +HREF="#AEN3655" >The NetBIOS Name Cache</A ></DT ><DT ->19.2.2. <A -HREF="#AEN3055" +>21.2.2. <A +HREF="#AEN3660" >The LMHOSTS file</A ></DT ><DT ->19.2.3. <A -HREF="#AEN3063" +>21.2.3. <A +HREF="#AEN3668" >HOSTS file</A ></DT ><DT ->19.2.4. <A -HREF="#AEN3068" +>21.2.4. <A +HREF="#AEN3673" >DNS Lookup</A ></DT ><DT ->19.2.5. <A -HREF="#AEN3071" +>21.2.5. <A +HREF="#AEN3676" >WINS Lookup</A ></DT ></DL 
@@ -7556,159 +8080,79 @@ HREF="#AEN3071" ></DL ></DD ><DT ->20. <A +>22. <A HREF="#IMPROVED-BROWSING" >Improved browsing in samba</A ></DT ><DD ><DL ><DT ->20.1. <A -HREF="#AEN3090" +>22.1. <A +HREF="#AEN3695" >Overview of browsing</A ></DT ><DT ->20.2. <A -HREF="#AEN3095" +>22.2. <A +HREF="#AEN3701" >Browsing support in samba</A ></DT ><DT ->20.3. <A -HREF="#AEN3103" +>22.3. <A +HREF="#AEN3714" >Problem resolution</A ></DT ><DT ->20.4. <A -HREF="#AEN3112" +>22.4. <A +HREF="#AEN3725" >Browsing across subnets</A ></DT ><DD ><DL ><DT ->20.4.1. <A -HREF="#AEN3117" +>22.4.1. <A +HREF="#AEN3730" >How does cross subnet browsing work ?</A ></DT ></DL ></DD ><DT ->20.5. <A -HREF="#AEN3152" +>22.5. <A +HREF="#AEN3765" >Setting up a WINS server</A ></DT ><DT ->20.6. <A -HREF="#AEN3171" +>22.6. <A +HREF="#AEN3785" >Setting up Browsing in a WORKGROUP</A ></DT ><DT ->20.7. <A -HREF="#AEN3189" +>22.7. <A +HREF="#AEN3808" >Setting up Browsing in a DOMAIN</A ></DT ><DT ->20.8. <A -HREF="#AEN3199" +>22.8. <A +HREF="#BROWSE-FORCE-MASTER" >Forcing samba to be the master</A ></DT ><DT ->20.9. <A -HREF="#AEN3208" +>22.9. <A +HREF="#AEN3843" >Making samba the domain master</A ></DT ><DT ->20.10. <A -HREF="#AEN3226" +>22.10. <A +HREF="#AEN3865" >Note about broadcast addresses</A ></DT ><DT ->20.11. <A -HREF="#AEN3229" +>22.11. <A +HREF="#AEN3868" >Multiple interfaces</A ></DT ></DL ></DD ><DT ->21. <A -HREF="#MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT ->21.1. <A -HREF="#AEN3243" ->Instructions</A -></DT -><DD -><DL -><DT ->21.1.1. <A -HREF="#AEN3278" ->Notes</A -></DT -></DL -></DD -></DL -></DD -><DT ->22. <A -HREF="#VFS" ->Stackable VFS modules</A -></DT -><DD -><DL -><DT ->22.1. <A -HREF="#AEN3302" ->Introduction and configuration</A -></DT -><DT ->22.2. <A -HREF="#AEN3311" ->Included modules</A -></DT -><DD -><DL -><DT ->22.2.1. <A -HREF="#AEN3313" ->audit</A -></DT -><DT ->22.2.2. 
<A -HREF="#AEN3321" ->recycle</A -></DT -><DT ->22.2.3. <A -HREF="#AEN3358" ->netatalk</A -></DT -></DL -></DD -><DT ->22.3. <A -HREF="#AEN3365" ->VFS modules available elsewhere</A -></DT -><DD -><DL -><DT ->22.3.1. <A -HREF="#AEN3369" ->DatabaseFS</A -></DT -><DT ->22.3.2. <A -HREF="#AEN3377" ->vscan</A -></DT -></DL -></DD -></DL -></DD -><DT >23. <A HREF="#SECURING-SAMBA" >Securing Samba</A @@ -7717,32 +8161,32 @@ HREF="#SECURING-SAMBA" ><DL ><DT >23.1. <A -HREF="#AEN3391" +HREF="#AEN3884" >Introduction</A ></DT ><DT >23.2. <A -HREF="#AEN3394" +HREF="#AEN3887" >Using host based protection</A ></DT ><DT >23.3. <A -HREF="#AEN3401" +HREF="#AEN3894" >Using interface protection</A ></DT ><DT >23.4. <A -HREF="#AEN3410" +HREF="#AEN3903" >Using a firewall</A ></DT ><DT >23.5. <A -HREF="#AEN3417" +HREF="#AEN3910" >Using a IPC$ share deny</A ></DT ><DT >23.6. <A -HREF="#AEN3426" +HREF="#AEN3919" >Upgrading Samba</A ></DT ></DL @@ -7756,12 +8200,12 @@ HREF="#UNICODE" ><DL ><DT >24.1. <A -HREF="#AEN3440" +HREF="#AEN3933" >What are charsets and unicode?</A ></DT ><DT >24.2. <A -HREF="#AEN3449" +HREF="#AEN3942" >Samba and charsets</A ></DT ></DL 
@@ -7773,77 +8217,16 @@ HREF="#AEN3449" CLASS="CHAPTER" ><HR><H1 ><A -NAME="ADVANCEDNETWORKMANAGEMENT" -></A ->Chapter 10. Advanced Network Manangement Information</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1388" ->10.1. Remote Server Administration</A -></H2 -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get 'User Manager' and 'Server Manager'</I -></SPAN -></P -><P ->Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for Domains', -the 'Server Manager'?</P -><P ->Microsoft distributes a version of these tools called nexus for installation on Windows 95 -systems. The tools set includes:</P -><P -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P ->Click here to download the archived file <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -></P -><P ->The Windows NT 4.0 version of the 'User Manager for -Domains' and 'Server Manager' are available from Microsoft via ftp -from <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A -></P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A NAME="UNIX-PERMISSIONS" ></A ->Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 +>Chapter 10. UNIX Permission Bits and Windows NT Access Control Lists</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1416" ->11.1. Viewing and changing UNIX permissions using the NT +NAME="AEN1499" +>10.1. Viewing and changing UNIX permissions using the NT security dialogs</A ></H2 ><P 
@@ -7854,14 +8237,46 @@ NAME="AEN1416" the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> All access to Unix/Linux system file via Samba is controlled at + the operating system file access control level. When trying to + figure out file access problems it is vitally important to identify + the identity of the Windows user as it is presented by Samba at + the point of file access. This can best be determined from the + Samba log files. + </P +></TD +></TR +></TABLE +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1420" ->11.2. How to view file security on a Samba share</A +NAME="AEN1505" +>10.2. How to view file security on a Samba share</A ></H2 ><P >From an NT4/2000/XP client, single-click with the right @@ -7929,8 +8344,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1431" ->11.3. Viewing file ownership</A +NAME="AEN1516" +>10.3. Viewing file ownership</A ></H2 ><P >Clicking on the <B @@ -8015,8 +8430,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1451" ->11.4. Viewing file or directory permissions</A +NAME="AEN1536" +>10.4. Viewing file or directory permissions</A ></H2 ><P >The third button is the <B @@ -8069,8 +8484,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1466" ->11.4.1. File Permissions</A +NAME="AEN1551" +>10.4.1. File Permissions</A ></H3 ><P >The standard UNIX user/group/world triple and @@ -8131,8 +8546,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1480" ->11.4.2. Directory Permissions</A +NAME="AEN1565" +>10.4.2. Directory Permissions</A ></H3 ><P >Directories on an NT NTFS file system have two 
@@ -8163,8 +8578,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1487" ->11.5. Modifying file or directory permissions</A +NAME="AEN1572" +>10.5. Modifying file or directory permissions</A ></H2 ><P >Modifying file and directory permissions is as simple @@ -8259,8 +8674,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1509" ->11.6. Interaction with the standard Samba create mask +NAME="AEN1594" +>10.6. Interaction with the standard Samba create mask parameters</A ></H2 ><P @@ -8453,8 +8868,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1563" ->11.7. Interaction with the standard Samba file attribute +NAME="AEN1648" +>10.7. Interaction with the standard Samba file attribute mapping</A ></H2 ><P @@ -8502,7 +8917,7 @@ CLASS="CHAPTER" ><A NAME="GROUPMAPPING" ></A ->Chapter 12. Group mapping HOWTO</H1 +>Chapter 11. Configuring Group Mapping</H1 ><P > Starting with Samba 3.0 alpha 2, a new group mapping function is available. The @@ -8570,9 +8985,9 @@ CLASS="COMMAND" >domain admins</B > group by running the command:</P ><P -><B -CLASS="COMMAND" ->smbgroupedit -c "Domain Admins" -u domadm</B +><KBD +CLASS="USERINPUT" +>smbgroupedit -c "Domain Admins" -u domadm</KBD ></P ></LI ></OL 
@@ -8592,377 +9007,25 @@ CLASS="COMMAND" ><P >You can list the various groups in the mapping database like this</P ><P -><B -CLASS="COMMAND" ->smbgroupedit -v</B -></P -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="PAM" -></A ->Chapter 13. Configuring PAM for distributed but centrally -managed authentication</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1619" ->13.1. Samba and PAM</A -></H2 -><P ->A number of Unix systems (eg: Sun Solaris), as well as the -xxxxBSD family and Linux, now utilize the Pluggable Authentication -Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the -introduction of PAM, a decision to use an alternative to -the system password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->) -would require the provision of alternatives for all programs that provide -security services. Such a choice would involve provision of -alternatives to such programs as: <B -CLASS="COMMAND" ->login</B ->, -<B -CLASS="COMMAND" ->passwd</B ->, <B -CLASS="COMMAND" ->chown</B ->, etc.</P -><P ->PAM provides a mechanism that disconnects these security programs -from the underlying authentication/authorization infrastructure. -PAM is configured either through one file <TT -CLASS="FILENAME" ->/etc/pam.conf</TT -> (Solaris), -or by editing individual files that are located in <TT -CLASS="FILENAME" ->/etc/pam.d</TT ->.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> If the PAM authentication module (loadable link library file) is located in the - default location then it is not necessary to specify the path. In the case of - Linux, the default location is <TT -CLASS="FILENAME" ->/lib/security</TT ->. 
If the module - is located other than default then the path may be specified as: - - <PRE -CLASS="PROGRAMLISTING" -> eg: "auth required /other_path/pam_strange_module.so" - </PRE -> - </P -></TD -></TR -></TABLE -></DIV -><P ->The following is an example <TT -CLASS="FILENAME" ->/etc/pam.d/login</TT -> configuration file. -This example had all options been uncommented is probably not usable -as it stacks many conditions before allowing successful completion -of the login process. Essentially all conditions can be disabled -by commenting them out except the calls to <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `login' service - # - auth required pam_securetty.so - auth required pam_nologin.so - # auth required pam_dialup.so - # auth optional pam_mail.so - auth required pam_pwdb.so shadow md5 - # account requisite pam_time.so - account required pam_pwdb.so - session required pam_pwdb.so - # session optional pam_lastlog.so - # password required pam_cracklib.so retry=3 - password required pam_pwdb.so shadow md5</PRE -></P -><P ->PAM allows use of replacable modules. 
Those available on a -sample system include:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> $ /bin/ls /lib/security - pam_access.so pam_ftp.so pam_limits.so - pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so - pam_cracklib.so pam_group.so pam_listfile.so - pam_nologin.so pam_rootok.so pam_tally.so - pam_deny.so pam_issue.so pam_mail.so - pam_permit.so pam_securetty.so pam_time.so - pam_dialup.so pam_lastlog.so pam_mkhomedir.so - pam_pwdb.so pam_shells.so pam_unix.so - pam_env.so pam_ldap.so pam_motd.so - pam_radius.so pam_smbpass.so pam_unix_acct.so - pam_wheel.so pam_unix_auth.so pam_unix_passwd.so - pam_userdb.so pam_warn.so pam_unix_session.so</PRE -></P -><P ->The following example for the login program replaces the use of -the <TT -CLASS="FILENAME" ->pam_pwdb.so</TT -> module which uses the system -password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->, -<TT -CLASS="FILENAME" ->/etc/shadow</TT ->, <TT -CLASS="FILENAME" ->/etc/group</TT ->) with -the module <TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -<TT -CLASS="FILENAME" ->/usr/local/samba/private/smbpasswd</TT ->, -<TT -CLASS="FILENAME" ->/etc/samba/smbpasswd</TT ->, or in -<TT -CLASS="FILENAME" ->/etc/samba.d/smbpasswd</TT ->, depending on the -Samba implementation for your Unix/Linux system. The -<TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the -<B -CLASS="COMMAND" ->--with-pam_smbpass</B -> options when running Samba's -<TT -CLASS="FILENAME" ->configure</TT -> script. 
For more information -on the <TT -CLASS="FILENAME" ->pam_smbpass</TT -> module, see the documentation -in the <TT -CLASS="FILENAME" ->source/pam_smbpass</TT -> directory of the Samba -source distribution.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `login' service - # - auth required pam_smbpass.so nodelay - account required pam_smbpass.so nodelay - session required pam_smbpass.so nodelay - password required pam_smbpass.so nodelay</PRE -></P -><P ->The following is the PAM configuration file for a particular -Linux system. The default condition uses <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `samba' service - # - auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_pwdb.so shadow md5</PRE -></P -><P ->In the following example the decision has been made to use the -smbpasswd database even for basic samba authentication. Such a -decision could also be made for the passwd program and would -thus allow the smbpasswd passwords to be changed using the passwd -program.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `samba' service - # - auth required /lib/security/pam_smbpass.so nodelay - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE -></P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->PAM allows stacking of authentication mechanisms. 
It is -also possible to pass information obtained within one PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implmentations also -provide the <TT -CLASS="FILENAME" ->pam_stack.so</TT -> module that allows all -authentication to be configured in a single central file. The -<TT -CLASS="FILENAME" ->pam_stack.so</TT -> method has some very devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want examine the -PAM documentation for further helpful information.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1668" ->13.2. Distributed Authentication</A -></H2 -><P ->The astute administrator will realize from this that the -combination of <TT -CLASS="FILENAME" ->pam_smbpass.so</TT ->, -<B -CLASS="COMMAND" ->winbindd</B ->, and a distributed -passdb backend, such as ldap, will allow the establishment of a -centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1673" ->13.3. PAM Configuration in smb.conf</A -></H2 -><P ->There is an option in smb.conf called <A -HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" -TARGET="_top" ->obey pam restrictions</A ->. -The following is from the on-line help for this option in SWAT;</P -><P ->When Samba is configured to enable PAM support (i.e. 
-<CODE -CLASS="CONSTANT" ->--with-pam</CODE ->), this parameter will -control whether or not Samba should obey PAM's account -and session management directives. The default behavior -is to use PAM for clear text authentication only and to -ignore any account or session management. Note that Samba always -ignores PAM for authentication in the case of -<A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords = yes</A ->. -The reason is that PAM modules cannot support the challenge/response -authentication mechanism needed in the presence of SMB -password encryption. </P -><P ->Default: <B -CLASS="COMMAND" ->obey pam restrictions = no</B +><KBD +CLASS="USERINPUT" +>smbgroupedit -v</KBD ></P ></DIV -></DIV ><DIV CLASS="CHAPTER" ><HR><H1 ><A NAME="PRINTING" ></A ->Chapter 14. Printing Support</H1 +>Chapter 12. Printing Support</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1699" ->14.1. Introduction</A +NAME="AEN1711" +>12.1. Introduction</A ></H2 ><P >Beginning with the 2.2.0 release, Samba supports @@ -9044,8 +9107,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1721" ->14.2. Configuration</A +NAME="AEN1733" +>12.2. Configuration</A ></H2 ><DIV CLASS="WARNING" @@ -9106,8 +9169,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1729" ->14.2.1. Creating [print$]</A +NAME="AEN1741" +>12.2.1. Creating [print$]</A ></H3 ><P >In order to support the uploading of printer driver @@ -9233,14 +9296,14 @@ Samba follows this model as well.</P >Next create the directory tree below the [print$] share for each architecture you wish to support.</P ><P -><PRE -CLASS="PROGRAMLISTING" +><SAMP +CLASS="COMPUTEROUTPUT" >[print$]----- |-W32X86 ; "Windows NT x86" |-WIN40 ; "Windows 95/98" |-W32ALPHA ; "Windows NT Alpha_AXP" |-W32MIPS ; "Windows NT R4000" - |-W32PPC ; "Windows NT PowerPC"</PRE + |-W32PPC ; "Windows NT PowerPC"</SAMP ></P ><DIV CLASS="WARNING" 
@@ -9323,8 +9386,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1764" ->14.2.2. Setting Drivers for Existing Printers</A +NAME="AEN1776" +>12.2.2. Setting Drivers for Existing Printers</A ></H3 ><P >The initial listing of printers in the Samba host's @@ -9395,8 +9458,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1780" ->14.2.3. Support a large number of printers</A +NAME="AEN1792" +>12.2.3. Support a large number of printers</A ></H3 ><P >One issue that has arisen during the development @@ -9415,13 +9478,16 @@ setdriver command</B associated with an installed driver. The following is example of how this could be accomplished:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> -<SAMP +><SAMP CLASS="PROMPT" >$ </SAMP ->rpcclient pogo -U root%secret -c "enumdrivers" +><KBD +CLASS="USERINPUT" +>rpcclient pogo -U root%secret -c "enumdrivers"</KBD +> +<PRE +CLASS="PROGRAMLISTING" +> Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] [Windows NT x86] 
@@ -9432,27 +9498,34 @@ Printer Driver Info 1: Driver Name: [HP LaserJet 2100 Series PS] Printer Driver Info 1: - Driver Name: [HP LaserJet 4Si/4SiMX PS] - + Driver Name: [HP LaserJet 4Si/4SiMX PS]</PRE +> <SAMP CLASS="PROMPT" >$ </SAMP ->rpcclient pogo -U root%secret -c "enumprinters" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] +><KBD +CLASS="USERINPUT" +>rpcclient pogo -U root%secret -c "enumprinters"</KBD +> +<PRE +CLASS="PROGRAMLISTING" +>Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] flags:[0x800000] name:[\\POGO\hp-print] description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] comment:[] - + </PRE +> <SAMP CLASS="PROMPT" >$ </SAMP ->rpcclient pogo -U root%secret \ -<SAMP -CLASS="PROMPT" ->> </SAMP -> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] +><KBD +CLASS="USERINPUT" +>rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""</KBD +> +<PRE +CLASS="PROGRAMLISTING" +>Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE ></P ></DIV @@ -9461,8 +9534,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1791" ->14.2.4. Adding New Printers via the Windows NT APW</A +NAME="AEN1807" +>12.2.4. Adding New Printers via the Windows NT APW</A ></H3 ><P >By default, Samba offers all printer shares defined in <TT @@ -9616,8 +9689,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1821" ->14.2.5. Samba and Printer Ports</A +NAME="AEN1837" +>12.2.5. Samba and Printer Ports</A ></H3 ><P >Windows NT/2000 print servers associate a port with each printer. These normally @@ -9651,8 +9724,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1829" ->14.3. The Imprints Toolset</A +NAME="AEN1845" +>12.3. The Imprints Toolset</A ></H2 ><P >The Imprints tool set provides a UNIX equivalent of the 
@@ -9669,8 +9742,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1833" ->14.3.1. What is Imprints?</A +NAME="AEN1849" +>12.3.1. What is Imprints?</A ></H3 ><P >Imprints is a collection of tools for supporting the goals @@ -9701,8 +9774,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1843" ->14.3.2. Creating Printer Driver Packages</A +NAME="AEN1859" +>12.3.2. Creating Printer Driver Packages</A ></H3 ><P >The process of creating printer driver packages is beyond @@ -9717,8 +9790,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1846" ->14.3.3. The Imprints server</A +NAME="AEN1862" +>12.3.3. The Imprints server</A ></H3 ><P >The Imprints server is really a database server that @@ -9741,8 +9814,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1850" ->14.3.4. The Installation Client</A +NAME="AEN1866" +>12.3.4. The Installation Client</A ></H3 ><P >More information regarding the Imprints installation client @@ -9835,16 +9908,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1872" ->14.4. Diagnosis</A +NAME="AEN1888" +>12.4. Diagnosis</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN1874" ->14.4.1. Introduction</A +NAME="AEN1890" +>12.4.1. Introduction</A ></H3 ><P >This is a short description of how to debug printing problems with @@ -9918,8 +9991,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1890" ->14.4.2. Debugging printer problems</A +NAME="AEN1906" +>12.4.2. Debugging printer problems</A ></H3 ><P >One way to debug printing problems is to start by replacing these @@ -9975,8 +10048,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1899" ->14.4.3. What printers do I have?</A +NAME="AEN1915" +>12.4.3. What printers do I have?</A ></H3 ><P >You can use the 'testprns' program to check to see if the printer 
@@ -10004,8 +10077,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1907" ->14.4.4. Setting up printcap and print servers</A +NAME="AEN1923" +>12.4.4. Setting up printcap and print servers</A ></H3 ><P >You may need to set up some printcaps for your Samba system to use. @@ -10088,8 +10161,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1935" ->14.4.5. Job sent, no output</A +NAME="AEN1951" +>12.4.5. Job sent, no output</A ></H3 ><P >This is the most frustrating part of printing. You may have sent the @@ -10133,8 +10206,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1946" ->14.4.6. Job sent, strange output</A +NAME="AEN1962" +>12.4.6. Job sent, strange output</A ></H3 ><P >Once you have the job printing, you can then start worrying about @@ -10179,8 +10252,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1958" ->14.4.7. Raw PostScript printed</A +NAME="AEN1974" +>12.4.7. Raw PostScript printed</A ></H3 ><P >This is a problem that is usually caused by either the print spooling @@ -10194,8 +10267,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1961" ->14.4.8. Advanced Printing</A +NAME="AEN1977" +>12.4.8. Advanced Printing</A ></H3 ><P >Note that you can do some pretty magic things by using your @@ -10210,8 +10283,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1964" ->14.4.9. Real debugging</A +NAME="AEN1980" +>12.4.9. Real debugging</A ></H3 ><P >If the above debug tips don't help, then maybe you need to bring in @@ -10225,14 +10298,14 @@ CLASS="CHAPTER" ><A NAME="CUPS-PRINTING" ></A ->Chapter 15. CUPS Printing Support</H1 +>Chapter 13. CUPS Printing Support</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1984" ->15.1. Introduction</A +NAME="AEN2000" +>13.1. Introduction</A ></H2 ><P >The Common Unix Print System (CUPS) has become very popular, but to many it is 
@@ -10253,16 +10326,129 @@ many ways this gives CUPS similar capabilities to the MS Windows print monitorin system. Of course, if you are a CUPS advocate, you would agrue that CUPS is better! In any case, let us now move on to explore how one may configure CUPS for interfacing with MS Windows print clients via Samba.</P +><P +><A +HREF="http://www.cups.org/" +TARGET="_top" +>CUPS</A +> is a newcomer in the UNIX printing scene, +which has convinced many people upon first trial already. However, it has quite a few +new features, which make it different from other, more traditional printing systems.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1989" ->15.2. CUPS - RAW Print Through Mode</A +NAME="AEN2007" +>13.2. Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A ></H2 ><P +>Printing with CUPS in the most basic <TT +CLASS="FILENAME" +>smb.conf</TT +> +setup in Samba-3 only needs two settings: <B +CLASS="COMMAND" +>printing = cups</B +> and +<B +CLASS="COMMAND" +>printcap = cups</B +>. While CUPS itself doesn't need a printcap +anymore, the <TT +CLASS="FILENAME" +>cupsd.conf</TT +> configuration file knows two directives +(example: <B +CLASS="COMMAND" +>Printcap /etc/printcap</B +> and <B +CLASS="COMMAND" +>PrintcapFormat +BSD</B +>), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! For details see +<B +CLASS="COMMAND" +>man cupsd.conf</B +> and other CUPS-related documentation.</P +><P +>If SAMBA is compiled against libcups, then <B +CLASS="COMMAND" +>printcap = cups</B +> uses the +CUPS API to list printers, submit jobs, etc. Otherwise it maps to the System V commands +with an additional <VAR +CLASS="PARAMETER" +>-oraw</VAR +> option for printing. 
On a Linux system, +you can use the <B +CLASS="COMMAND" +>ldd</B +> command to find out details (ldd may not be +present on other OS platforms, or its function may be embodied by a different command):</P +><P +><PRE +CLASS="PROGRAMLISTING" +>transmeta:/home/kurt # ldd `which smbd` + libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) + libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) + libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) + libdl.so.2 => /lib/libdl.so.2 (0x401e8000) + libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000) + libpam.so.0 => /lib/libpam.so.0 (0x40202000) + libc.so.6 => /lib/libc.so.6 (0x4020b000) + /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)</PRE +></P +><P +>The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. If this is the case, and <B +CLASS="COMMAND" +>printing = cups</B +> is set, then any +otherwise manually set print command in smb.conf is ignored.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2026" +>13.3. CUPS - RAW Print Through Mode</A +></H2 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>When used in raw print through mode is will be necessary to use the printer +vendor's drivers in each Windows client PC.</P +></TD +></TR +></TABLE +></DIV +><P >When CUPS printers are configured for RAW print-through mode operation it is the responsibility of the Samba client to fully render the print job (file) in a format that is suitable for direct delivery to the printer. In this case CUPS will NOT 
@@ -10545,8 +10731,506 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2044" ->15.3. The CUPS Filter Chains</A +NAME="AEN2083" +>13.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></H2 +><P +>CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select.</P +><P +>CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see <B +CLASS="COMMAND" +>man lpoptions</B +> or +try if you have <B +CLASS="COMMAND" +>lphelp</B +> on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD options are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer.</P +><P +>CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs.</P +><P +>This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. It can +process all received PostScript (and additionally many other file formats) +from clients. 
All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword <VAR +CLASS="PARAMETER" +>*cupsFilter</VAR +>. +This line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format.</P +><P +>CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one).</P +><P +>This feature enables CUPS to do a few tricks no other +spooler can do:</P +><P +></P +><UL +><LI +><P +>act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way;</P +></LI +><LI +><P +>act as a central accounting and billing server, as all files are passed + through the <B +CLASS="COMMAND" +>pstops</B +> Filter and are therefor logged in + the CUPS <TT +CLASS="FILENAME" +>page_log</TT +>. - <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +>this + can not happen with "raw" print jobs, which always remain unfiltered + per definition;</P +></LI +><LI +><P +>enable clients to consolidate on a single PostScript driver, even for + many different target printers.</P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2104" +>13.5. Windows Terminal Servers (WTS) as CUPS clients</A +></H2 +><P +>This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much increased +instability. 
In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver!</P +><P +>Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising...</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2108" +>13.6. Setting up CUPS for driver download</A +></H2 +><P +>The <B +CLASS="COMMAND" +>cupsadsmb</B +> utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. 
Prior to using it, you need the following settings in smb.conf:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>[global] + load printers = yes + printing = cups + printcap name = cups + + [printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root + + [print$] + comment = Printer Drivers + path = /etc/samba/drivers + browseable = yes + guest ok = no + read only = yes + write list = root + </PRE +></P +><P +>For licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. Once extracted, create a +<TT +CLASS="FILENAME" +>drivers</TT +> directory in the CUPS data directory (usually +<TT +CLASS="FILENAME" +>/usr/share/cups/</TT +>). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> ADFONTS.MFM + ADOBEPS4.DRV + ADOBEPS4.HLP + ADOBEPS5.DLL + ADOBEPSU.DLL + ADOBEPSU.HLP + DEFPRTR2.PPD + ICONLIB.DLL + </PRE +></P +><P +>Users of the ESP Print Pro software are able to install +their "Samba Drivers" package for this purpose with no problem.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2120" +>13.7. 
Sources of CUPS drivers / PPDs</A +></H2 +><P +>On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models.</P +><P +></P +><UL +><LI +><P +><A +HREF="http://wwwl.easysw.com/printpro/" +TARGET="_top" +>ESP PrintPro + (http://wwwl.easysw.com/printpro/)</A +> + (commercial, non-Free) is packaged with more than 3.000 PPDs, ready for + successful usage "out of the box" on Linux, IBM-AIX, HP-UX, Sun-Solaris, + SGI-IRIX, Compaq Tru64, Digital Unix and some more commercial Unices (it + is written by the CUPS developers themselves and its sales help finance + the further development of CUPS, as they feed their creators)</P +></LI +><LI +><P +>the <A +HREF="http://gimp-print.sourceforge.net/" +TARGET="_top" +>Gimp-Print-Project + (http://gimp-print.sourceforge.net/)</A +> + (GPL, Free Software) provides around 120 PPDs (supporting nearly 300 + printers, many driven to photo quality output), to be used alongside the + Gimp-Print CUPS filters;</P +></LI +><LI +><P +><A +HREF="http://www.turboprint.com/" +TARGET="_top" +>TurboPrint + (http://www.turboprint.com/)</A +> + (Shareware, non-Freee) supports roughly the same amount of printers in + excellent quality;</P +></LI +><LI +><P +><A +HREF="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" +TARGET="_top" +>OMNI + (http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</A +> + (LPGL, Free) is a package made by IBM, now containing support for more + than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow + ported over to Linux (CUPS support is in a Beta-stage at present);</P +></LI +><LI +><P +><A +HREF="http://hpinkjet.sourceforge.net/" +TARGET="_top" +>HPIJS + (http://hpinkjet.sourceforge.net/)</A +> + (BSD-style licnes, Free) supports around 120 of HP's own printers and is + also providing excellent print quality now;</P +></LI +><LI +><P +><A 
+HREF="http://www.linuxprinting.org/" +TARGET="_top" +>Foomatic/cupsomatic (http://www.linuxprinting.org/)</A +> + (LPGL, Free) from Linuxprinting.org are providing PPDs for practically every + Ghostscript filter known to the world, now usable with CUPS.</P +></LI +></UL +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +>the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidnaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished. -- CUPS versions from 1.1.15 and later will provide their pstoraster +PostScript RIP function again inside a system-wide Ghostscript +installation rather than in "their own" pstoraster filter. (This +CUPS-enabling Ghostscript version may be installed either as a +patch to GNU or AFPL Ghostscript, or as a complete ESP Ghostscript package). +However, this will not change the cupsomatic approach of guiding the printjob +along a different path through the filtering system than the standard CUPS +way...</P +><P +>Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use <B +CLASS="COMMAND" +>cupsaddsmb</B +> to share the +printer via Samba. <B +CLASS="COMMAND" +>cupsaddsmb</B +> prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2147" +>13.7.1. 
<B +CLASS="COMMAND" +>cupsaddsmb</B +></A +></H3 +><P +>The <B +CLASS="COMMAND" +>cupsaddsmb</B +> command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from <TT +CLASS="FILENAME" +>/etc/cups/ppd/</TT +> to +[print$].</P +><P +><PRE +CLASS="PROGRAMLISTING" +><SAMP +CLASS="PROMPT" +>root# </SAMP +> <B +CLASS="COMMAND" +>cupsaddsmb -U root infotec_IS2027</B +> +Password for root required to access localhost via SAMBA: <KBD +CLASS="USERINPUT" +>[type in password 'secret']</KBD +></PRE +></P +><P +>To share all printers and drivers, use the <VAR +CLASS="PARAMETER" +>-a</VAR +> +parameter instead of a printer name.</P +><P +>Probably you want to see what's going on. Use the +<VAR +CLASS="PARAMETER" +>-v</VAR +> parameter to get a more verbose output:</P +><P +>Probably you want to see what's going on. Use the +<VAR +CLASS="PARAMETER" +>-v</VAR +> parameter to get a more verbose output:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>Note: The following line shave been wrapped so that information is not lost. 
+ +<SAMP +CLASS="PROMPT" +>root# </SAMP +> cupsaddsmb -v -U root infotec_IS2027 + Password for root required to access localhost via SAMBA: + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put + /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ + ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr + W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) + (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) + (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) + (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) + (average 9247.1 kb/s) + + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put + /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put + /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put + /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put + /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put + /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put + /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put + /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface 
ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) + (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) + (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) + (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) + (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) + (average 12944.0 kb/s) + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) + (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) + (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + ADOBEPSU.HLP:NULL:RAW:NULL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" + "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: + ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' + -c 'setdriver infotec_IS2027 infotec_IS2027' + cmd = setdriver infotec_IS2027 infotec_IS2027 + Succesfully set infotec_IS2027 to driver infotec_IS2027. 
+ + <SAMP +CLASS="PROMPT" +>root# </SAMP +></PRE +></P +><P +>If you look closely, you'll discover your root password was transfered unencrypted over +the wire, so beware! Also, if you look further her, you'll discover error messages like +<CODE +CLASS="CONSTANT" +>NT_STATUS_OBJECT_NAME_COLLISION</CODE +> in between. They occur, because +the directories <TT +CLASS="FILENAME" +>WIN40</TT +> and <TT +CLASS="FILENAME" +>W32X86</TT +> already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here.</P +><P +>Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop"</P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +> +<B +CLASS="COMMAND" +>cupsaddsmb</B +> will only reliably work i +with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients and then point the client's printer queue to the Samba printer +share for connection, should you desire to use the CUPS networked +PostScript RIP functions.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2176" +>13.8. The CUPS Filter Chains</A ></H2 ><P >The following diagrams reveal how CUPS handles print jobs.</P @@ -10993,8 +11677,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2083" ->15.4. CUPS Print Drivers and Devices</A +NAME="AEN2215" +>13.9. CUPS Print Drivers and Devices</A ></H2 ><P >CUPS ships with good support for HP LaserJet type printers. You can install 
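Review bot: The verbose transcript added in 13.7.1 prints the credentials in every spawned command line (smbclient //localhost/print\$ -N -U'root%secret' and the three rpcclient calls), but the paragraph after it only warns that the password was "transfered unencrypted over the wire". Please also say that -v echoes the password in clear text, so this output must be redacted before it is posted anywhere, and make the "over the wire" wording precise, since every command in this transcript targets localhost. Separately, in the same hunk: the file list in 13.6 omits PSMON.DLL, although the transcript uploads it to WIN40 and the "Windows 4.0" adddriver call references it; 13.6 names the tool "cupsadsmb"; the "Probably you want to see what's going on" paragraph appears twice; and the transcript has "line shave been wrapped" and a stray "r" in "ADOBEPSU.DLLr".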
@@ -11023,8 +11707,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2090" ->15.4.1. Further printing steps</A +NAME="AEN2222" +>13.9.1. Further printing steps</A ></H3 ><P >Always also consult the database on linuxprinting.org for all recommendations @@ -11079,7 +11763,8 @@ at "/some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</P ><P ><PRE CLASS="PROGRAMLISTING" -> "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</PRE +> "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \ + -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</PRE ></P ><P >Note, that for all the "Foomatic-PPDs" from Linuxprinting.org, you also need @@ -11347,8 +12032,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2160" ->15.5. Limiting the number of pages users can print</A +NAME="AEN2292" +>13.10. Limiting the number of pages users can print</A ></H2 ><P >The feature you want is dependent on the real print subsystem you're using. @@ -11365,7 +12050,8 @@ and are spanning any time period you want.</P assuming an existing printer named "quotaprinter":</P ><PRE CLASS="PROGRAMLISTING" -> lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 -o job-page-limit=100</PRE +> lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 \ + -o job-page-limit=100</PRE ><P >This would limit every single user to print 100 pages or 1024 KB of data (whichever comes first) within the last 604.800 seconds ( = 1 week).</P @@ -11404,7 +12090,7 @@ BORDER="0" ><TBODY ><TR ><TD ->>it guarantees to not write an PJL-header</TD +>it guarantees to not write an PJL-header</TD ></TR ><TR ><TD 
@@ -11429,28 +12115,56 @@ current with CUPS 1.1.16).</P ><P >These are the items CUPS logs in the "page_log" for every single *page* of a job:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> * Printer name - * User name - * Job ID - * Time of printing - * the page number - * the number of copies - * a billing info string (optional)</PRE +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Printer name</TD +></TR +><TR +><TD +>User name</TD +></TR +><TR +><TD +>Job ID</TD +></TR +><TR +><TD +>Time of printing</TD +></TR +><TR +><TD +>the page number</TD +></TR +><TR +><TD +>the number of copies</TD +></TR +><TR +><TD +>a billing info string (optional)</TD +></TR +></TBODY +></TABLE +><P +></P ></P ><P >Here is an extract of my CUPS server's page_log file to illustrate the format and included items:</P ><P -><PRE -CLASS="PROGRAMLISTING" +><SAMP +CLASS="COMPUTEROUTPUT" > infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 1 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 2 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 3 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 4 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 5 2 #marketing - infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 6 2 #marketing</PRE + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 6 2 #marketing</SAMP ></P ><P >This was Job ID "40", printed on "infotec_IS2027" by user "kurt", a 6-page job @@ -11513,7 +12227,7 @@ BORDER="0" ><TD >page counting will go into the "backends" (these talk directly to the printer and will increase the count in sync with the - actual printing process -- a jam at the 5th sheet will lead to a stop in the counting)</TD + actual printing process -- a jam at the 5th sheet will lead to a stop in the counting)</TD ></TR ><TR ><TD 
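Review bot: In the @@ -11429,28 +12115,56 @@ hunk, the page_log extract moves from PRE CLASS="PROGRAMLISTING" to SAMP CLASS="COMPUTEROUTPUT". SAMP is inline and does not preserve line breaks, so the six per-page records will render as one run of text and the one-line-per-page format the paragraph is illustrating is lost. Keep a preformatted element for the log extract. The same hunk also places the new TABLE and two empty P elements inside the P that is still open from the context line, which is not valid nesting; if this HTML is generated, the fix belongs in the source markup.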
@@ -11546,14 +12260,16 @@ Windows NT/2k/XP Printer Driver for SAMBA (tar.gz, 192k)". The filename to download is "cups-samba-1.1.16.tar.gz". Upon untar-/unzip-ping it will reveal the files:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> cups-samba.install - cups-samba.license - cups-samba.readme - cups-samba.remove - cups-samba.ss</PRE -></P +> <SAMP +CLASS="COMPUTEROUTPUT" +> cups-samba.install + cups-samba.license + cups-samba.readme + cups-samba.remove + cups-samba.ss + </SAMP +> + </P ><P >These have been packaged with the ESP meta packager software "EPM". The *.install and *.remove files are simple shell script, which untars the @@ -11563,18 +12279,20 @@ CLASS="FILENAME" >/usr/share/cups/drivers/</TT >. Its contents are 3 files:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> cupsdrvr.dll - cupsui.dll - cups.hlp</PRE -></P +> <SAMP +CLASS="COMPUTEROUTPUT" +> cupsdrvr.dll + cupsui.dll + cups.hlp + </SAMP +> + </P ><DIV -CLASS="NOTE" +CLASS="CAUTION" ><P ></P ><TABLE -CLASS="NOTE" +CLASS="CAUTION" WIDTH="100%" BORDER="0" ><TR @@ -11583,14 +12301,14 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/caution.gif" HSPACE="5" -ALT="Note"></TD +ALT="Caution"></TD ><TD ALIGN="LEFT" VALIGN="TOP" ><P ->ATTENTION: due to a bug one CUPS release puts the <TT +>Due to a bug one CUPS release puts the <TT CLASS="FILENAME" >cups.hlp</TT > @@ -11604,10 +12322,12 @@ CLASS="FILENAME" >. To work around this, copy/move the file after running the "./cups-samba.install" script manually to the right place:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/</PRE -></P +> <KBD +CLASS="USERINPUT" +> cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ + </KBD +> + </P ></TD ></TR ></TABLE 
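Review bot: In the last hunk here (@@ -11604,10 +12322,12 @@), the workaround command "cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/" is now wrapped in KBD with the leading and trailing whitespace kept inside the element, and the CAUTION text above it still says only "one CUPS release" without naming it. Readers on an unaffected release will run cp against a path that does not exist. Name the affected release, or tell the reader to check that /usr/share/drivers/cups.hlp is present before copying. The two file listings converted to SAMP earlier in this line will also lose their one-file-per-line layout.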
@@ -11676,8 +12396,9 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->NOTE 1: Win 9x/ME clients won't work with this driver. For these you'd -still need to use the ADOBE*.* drivers as previously.</P +> Win 9x/ME clients won't work with this driver. For these you'd + still need to use the ADOBE*.* drivers as previously. + </P ></TD ></TR ></TABLE @@ -11703,10 +12424,11 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->NOTE 2: It is not harming if you've still the ADOBE*.* driver files from -previous installations in the "/usr/share/cups/drivers/" directory. -The new cupsaddsmb (from 1.1.16) will automatically use the -"newest" installed driver (which here then is the CUPS drivers).</P +> It is not harming if you've still the ADOBE*.* driver files from + previous installations in the "/usr/share/cups/drivers/" directory. + The new cupsaddsmb (from 1.1.16) will automatically use the + "newest" installed driver (which here then is the CUPS drivers). + </P ></TD ></TR ></TABLE 
@@ -11732,22 +12454,24 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->NOTE 3: Should your Win clients have had the old ADOBE*.* files and the -Adobe PostScript drivers installed, the download and installation -of the new CUPS PostScript driver for Windows NT/2k/XP will fail -at first.</P -><P ->It is not enough to "delete" the printer (as the driver files -will still be kept by the clients and re-used if you try to -re-install the printer). To really get rid of the Adobe driver -files on the clients, open the "Printers" folder (possibly via -"Start --> Settings --> Control Panel --> Printers"), right-click -onto the folder background and select "Server Properties". A -new dialog opens; select the "Drivers" tab; on the list select -the driver you want to delete and click on the "Delete" button. -(This will only work if there is no single printer left which -uses that particular driver -- you need to "delete" all printers -using this driver in the "Printers" folder first.)</P +> Should your Win clients have had the old ADOBE*.* files and the + Adobe PostScript drivers installed, the download and installation + of the new CUPS PostScript driver for Windows NT/2k/XP will fail + at first. + </P +><P +> It is not enough to "delete" the printer (as the driver files + will still be kept by the clients and re-used if you try to + re-install the printer). To really get rid of the Adobe driver + files on the clients, open the "Printers" folder (possibly via + "Start --> Settings --> Control Panel --> Printers"), right-click + onto the folder background and select "Server Properties". A + new dialog opens; select the "Drivers" tab; on the list select + the driver you want to delete and click on the "Delete" button. + (This will only work if there is no single printer left which + uses that particular driver -- you need to "delete" all printers + using this driver in the "Printers" folder first.) + </P ></TD ></TR ></TABLE 
@@ -11773,10 +12497,11 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->Once you have successfully downloaded the CUPS PostScript driver -to a client, you can easily switch all printers to this one -by proceeding as described elsewhere in the "Samba HOWTO -Collection" to change a driver for an existing printer.</P +> Once you have successfully downloaded the CUPS PostScript driver + to a client, you can easily switch all printers to this one + by proceeding as described elsewhere in the "Samba HOWTO + Collection" to change a driver for an existing printer. + </P ></TD ></TR ></TABLE @@ -11870,8 +12595,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2249" ->15.6. Advanced Postscript Printing from MS Windows</A +NAME="AEN2388" +>13.11. Advanced Postscript Printing from MS Windows</A ></H2 ><P >Let the Windows Clients use a PostScript driver to deliver poistscript to @@ -11961,8 +12686,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2264" ->15.7. Auto-Deletion of CUPS spool files</A +NAME="AEN2403" +>13.12. Auto-Deletion of CUPS spool files</A ></H2 ><P >Samba print files pass thru two "spool" directories. One the incoming directory @@ -11975,11 +12700,27 @@ For CUPS it is normally "/var/spool/cups/", as set by the cupsd.conf directive it is most likely the Samba part.</P ><P >For the CUPS part, you may want to consult:</P -><PRE -CLASS="PROGRAMLISTING" -> http://localhost:631/sam.html#PreserveJobFiles and - http://localhost:631/sam.html#PreserveJobHistory and - http://localhost:631/sam.html#MaxJobs</PRE +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>http://localhost:631/sam.html#PreserveJobFiles</TD +></TR +><TR +><TD +>http://localhost:631/sam.html#PreserveJobHistory</TD +></TR +><TR +><TD +>http://localhost:631/sam.html#MaxJobs</TD +></TR +></TBODY +></TABLE +><P +></P ><P >There are the settings described for your CUPS daemon, which could lead to completed job files not being deleted.</P 
@@ -12074,10 +12815,10 @@ above.</P ><P >If you have more problems, post the output of these commands:</P ><P -><PRE -CLASS="PROGRAMLISTING" +><KBD +CLASS="USERINPUT" > grep -v ^# /etc/cups/cupsd.conf | grep -v ^$ - grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"</PRE + grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"</KBD ></P ><P >(adapt paths as needed). These commands sanitize the files @@ -12091,14 +12832,14 @@ CLASS="CHAPTER" ><A NAME="WINBIND" ></A ->Chapter 16. Unified Logons between Windows NT and UNIX using Winbind</H1 +>Chapter 14. Unified Logons between Windows NT and UNIX using Winbind</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2326" ->16.1. Abstract</A +NAME="AEN2469" +>14.1. Abstract</A ></H2 ><P >Integration of UNIX and Microsoft Windows NT through @@ -12124,8 +12865,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2330" ->16.2. Introduction</A +NAME="AEN2473" +>14.2. Introduction</A ></H2 ><P >It is well known that UNIX and Microsoft Windows NT have @@ -12178,8 +12919,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2343" ->16.3. What Winbind Provides</A +NAME="AEN2486" +>14.3. What Winbind Provides</A ></H2 ><P >Winbind unifies UNIX and Windows NT account management by @@ -12220,8 +12961,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2350" ->16.3.1. Target Uses</A +NAME="AEN2493" +>14.3.1. Target Uses</A ></H3 ><P >Winbind is targeted at organizations that have an @@ -12244,8 +12985,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2354" ->16.4. How Winbind Works</A +NAME="AEN2497" +>14.4. How Winbind Works</A ></H2 ><P >The winbind system is designed around a client/server @@ -12264,8 +13005,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2359" ->16.4.1. Microsoft Remote Procedure Calls</A +NAME="AEN2502" +>14.4.1. Microsoft Remote Procedure Calls</A ></H3 ><P >Over the last few years, efforts have been underway 
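Review bot: In the @@ -12074,10 +12815,10 @@ hunk, the text asks readers to post the output of the two grep pipelines and the context line says "These commands sanitize the files", but grep -v ^#, grep -v ^$ and grep -v "^;" only drop comment and blank lines. Everything else in cupsd.conf and smb.conf, including host names, account names and any credentials set there, is posted as is. Reword "sanitize" to say what is actually removed and add a sentence telling readers to review the output before sending it to a list. Moving the two commands from PRE to a single KBD also puts them on one rendered line, so a copy and paste yields one broken command; keep them in a preformatted block or use one KBD per command.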
@@ -12290,8 +13031,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2363" ->16.4.2. Microsoft Active Directory Services</A +NAME="AEN2506" +>14.4.2. Microsoft Active Directory Services</A ></H3 ><P > Since late 2001, Samba has gained the ability to @@ -12309,8 +13050,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2366" ->16.4.3. Name Service Switch</A +NAME="AEN2509" +>14.4.3. Name Service Switch</A ></H3 ><P >The Name Service Switch, or NSS, is a feature that is @@ -12389,8 +13130,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2382" ->16.4.4. Pluggable Authentication Modules</A +NAME="AEN2525" +>14.4.4. Pluggable Authentication Modules</A ></H3 ><P >Pluggable Authentication Modules, also known as PAM, @@ -12438,8 +13179,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2390" ->16.4.5. User and Group ID Allocation</A +NAME="AEN2533" +>14.4.5. User and Group ID Allocation</A ></H3 ><P >When a user or group is created under Windows NT @@ -12464,8 +13205,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2394" ->16.4.6. Result Caching</A +NAME="AEN2537" +>14.4.6. Result Caching</A ></H3 ><P >An active system can generate a lot of user and group @@ -12487,8 +13228,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2397" ->16.5. Installation and Configuration</A +NAME="AEN2540" +>14.5. Installation and Configuration</A ></H2 ><P >Many thanks to John Trostel <A @@ -12506,8 +13247,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2402" ->16.5.1. Introduction</A +NAME="AEN2545" +>14.5.1. Introduction</A ></H3 ><P >This HOWTO describes the procedures used to get winbind up and @@ -12565,8 +13306,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2415" ->16.5.2. Requirements</A +NAME="AEN2558" +>14.5.2. Requirements</A ></H3 ><P >If you have a samba configuration file that you are currently 
@@ -12635,8 +13376,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2429" ->16.5.3. Testing Things Out</A +NAME="AEN2572" +>14.5.3. Testing Things Out</A ></H3 ><P >Before starting, it is probably best to kill off all the SAMBA @@ -12680,8 +13421,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2440" ->16.5.3.1. Configure and compile SAMBA</A +NAME="AEN2583" +>14.5.3.1. Configure and compile SAMBA</A ></H4 ><P >The configuration and compilation of SAMBA is pretty straightforward. @@ -12746,8 +13487,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2459" ->16.5.3.2. Configure <TT +NAME="AEN2602" +>14.5.3.2. Configure <TT CLASS="FILENAME" >nsswitch.conf</TT > and the @@ -12851,8 +13592,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2492" ->16.5.3.3. Configure smb.conf</A +NAME="AEN2635" +>14.5.3.3. Configure smb.conf</A ></H4 ><P >Several parameters are needed in the smb.conf file to control @@ -12926,8 +13667,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2508" ->16.5.3.4. Join the SAMBA server to the PDC domain</A +NAME="AEN2651" +>14.5.3.4. Join the SAMBA server to the PDC domain</A ></H4 ><P >Enter the following command to make the SAMBA server join the @@ -12964,8 +13705,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2519" ->16.5.3.5. Start up the winbindd daemon and test it!</A +NAME="AEN2662" +>14.5.3.5. Start up the winbindd daemon and test it!</A ></H4 ><P >Eventually, you will want to modify your smb startup script to @@ -13100,16 +13841,16 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2559" ->16.5.3.6. Fix the init.d startup scripts</A +NAME="AEN2702" +>14.5.3.6. Fix the init.d startup scripts</A ></H4 ><DIV CLASS="SECT4" ><H5 CLASS="SECT4" ><A -NAME="AEN2561" ->16.5.3.6.1. Linux</A +NAME="AEN2704" +>14.5.3.6.1. Linux</A ></H5 ><P >The <B 
@@ -13218,8 +13959,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2581" ->16.5.3.6.2. Solaris</A +NAME="AEN2724" +>14.5.3.6.2. Solaris</A ></H5 ><P >On solaris, you need to modify the @@ -13302,8 +14043,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2591" ->16.5.3.6.3. Restarting</A +NAME="AEN2734" +>14.5.3.6.3. Restarting</A ></H5 ><P >If you restart the <B @@ -13326,8 +14067,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2597" ->16.5.3.7. Configure Winbind and PAM</A +NAME="AEN2740" +>14.5.3.7. Configure Winbind and PAM</A ></H4 ><P >If you have made it this far, you know that winbindd and samba are working @@ -13384,8 +14125,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2614" ->16.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A +NAME="AEN2757" +>14.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A ></H5 ><P >The <TT @@ -13513,8 +14254,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2647" ->16.5.3.7.2. Solaris-specific configuration</A +NAME="AEN2790" +>14.5.3.7.2. Solaris-specific configuration</A ></H5 ><P >The /etc/pam.conf needs to be changed. I changed this file so that my Domain @@ -13600,8 +14341,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2654" ->16.6. Limitations</A +NAME="AEN2797" +>14.6. Limitations</A ></H2 ><P >Winbind has a number of limitations in its current @@ -13642,8 +14383,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2664" ->16.7. Conclusion</A +NAME="AEN2807" +>14.7. Conclusion</A ></H2 ><P >The winbind system, through the use of the Name Service 
@@ -13658,16 +14399,271 @@ NAME="AEN2664" CLASS="CHAPTER" ><HR><H1 ><A +NAME="ADVANCEDNETWORKMANAGEMENT" +></A +>Chapter 15. Advanced Network Manangement</H1 +><P +>This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2822" +>15.1. Configuring Samba Share Access Controls</A +></H2 +><P +>This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control (ie: Full control, Change and Read).</P +><P +>At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management.</P +><P +>Samba stores the per share access control settings in a file called <TT +CLASS="FILENAME" +>share_info.tdb</TT +>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <TT +CLASS="FILENAME" +>/usr/local/samba/var</TT +>. If the <TT +CLASS="FILENAME" +>tdbdump</TT +> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <KBD +CLASS="USERINPUT" +>tdbdump share_info.tdb</KBD +>.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2832" +>15.1.1. 
Share Permissions Management</A +></H3 +><P +>The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN2835" +>15.1.1.1. Windows NT4 Workstation/Server</A +></H4 +><P +>The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +>Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu +select Computer, then click on the Shared Directories entry.</P +></LI +><LI +><P +> Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish.</P +></LI +></OL +></DIV +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN2844" +>15.1.1.2. Windows 200x/XP</A +></H4 +><P +>On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control on the Share.</P +><P +>MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). 
This tool is located by clicking on <TT +CLASS="FILENAME" +>Control Panel -> +Administrative Tools -> Computer Management</TT +>.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +> After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered.</P +></LI +><LI +><P +>If the Samba server is not shown in the Select Computer box, then type in the name of the target +Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] +next to 'Shared Folders' in the left panel.</P +></LI +><LI +><P +>Now in the right panel, double-click on the share you wish to set access control permissions on. +Then click on the tab 'Share Permissions'. It is now possible to add access control entities +to the shared folder. Do NOT forget to set what type of access (full control, change, read) you +wish to assign for each entry.</P +></LI +></OL +></DIV +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Be careful. If you take away all permissions from the Everyone user without removing this user +then effectively no user will be able to access the share. This is a result of what is known as +ACL precidence. 
ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone +will have no access even if this user is given explicit full control access.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2860" +>15.2. Remote Server Administration</A +></H2 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get 'User Manager' and 'Server Manager'?</I +></SPAN +></P +><P +>Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', +the 'Server Manager'?</P +><P +>Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me +systems. The tools set includes:</P +><P +></P +><UL +><LI +><P +>Server Manager</P +></LI +><LI +><P +>User Manager for Domains</P +></LI +><LI +><P +>Event Viewer</P +></LI +></UL +><P +>Click here to download the archived file <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A +></P +><P +>The Windows NT 4.0 version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +></P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2877" +>15.3. Network Logon Script Magic</A +></H2 +><P +>This section needs work. Volunteer contributions most welcome. Please send your patches or updates +to <A +HREF="mailto:jht@samba.org" +TARGET="_top" +>John Terpstra</A +>.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="POLICYMGMT" ></A ->Chapter 17. Policy Management - Hows and Whys</H1 +>Chapter 16. System and Account Policies</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2678" ->17.1. System Policies</A +NAME="AEN2892" +>16.1. 
Creating and Managing System Policies</A ></H2 ><P >Under MS Windows platforms, particularly those following the release of MS Windows @@ -13699,7 +14695,7 @@ CLASS="EMPHASIS" > under the <TT CLASS="FILENAME" ->Start->Programs->Administrative Tools</TT +>Start -> Programs -> Administrative Tools</TT > menu item. For MS Windows NT4 and later clients this file must be called <TT CLASS="FILENAME" @@ -13714,11 +14710,11 @@ complex tools and methods. To Microsoft's credit though, the MMC does appear to be a step forward, but improved functionality comes at a great price.</P ><P >Before embarking on the configuration of network and system policies it is highly -advisable to read the documentation available from Microsoft's web site from +advisable to read the documentation available from Microsoft's web site regarding <A HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" TARGET="_top" ->Implementing Profiles and Policies in Windows NT 4.0</A +>Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</A > available from Microsoft. There are a large number of documents in addition to this old one that should also be read and understood. Try searching on the Microsoft web site for "Group Policies".</P @@ -13730,8 +14726,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2692" ->17.1.1. Creating and Managing Windows 9x/Me Policies</A +NAME="AEN2906" +>16.1.1. Windows 9x/Me Policies</A ></H3 ><P >You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. 
@@ -13739,25 +14735,25 @@ It can be found on the Original full product Win98 installation CD under <TT CLASS="FILENAME" >tools/reskit/netadmin/poledit</TT ->. You install this using the +>. Install this using the Add/Remove Programs facility and then click on the 'Have Disk' tab.</P ><P >Use the Group Policy Editor to create a policy file that specifies the location of user profiles and/or the <TT CLASS="FILENAME" >My Documents</TT -> etc. stuff. You then +> etc. stuff. Then save these settings in a file called <TT CLASS="FILENAME" >Config.POL</TT > that needs to -be placed in the root of the [NETLOGON] share. If your Win98 is configured to log onto +be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto the Samba Domain, it will automatically read this file and update the Win9x/Me registry -of the machine that is logging on.</P +of the machine as it logs on.</P ><P >Further details are covered in the Win98 Resource Kit documentation.</P ><P ->If you do not do it this way, then every so often Win9x/Me will check the +>If you do not take the right steps, then every so often Win9x/Me will check the integrity of the registry and will restore it's settings from the back-up copy of the registry it stores on each Win9x/Me machine. Hence, you will occasionally notice things changing back to the original settings.</P @@ -13780,8 +14776,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2704" ->17.1.2. Creating and Managing Windows NT4 Style Policy Files</A +NAME="AEN2918" +>16.1.2. Windows NT4 Style Policy Files</A ></H3 ><P >To create or edit <TT 
@@ -13845,16 +14841,17 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2719" ->17.1.2.1. Registry Tattoos</A +NAME="AEN2933" +>16.1.2.1. Registry Tattoos</A ></H4 ><P ->With NT4 style registry based policy changes, a large number of settings are not -automatically reversed as the user logs off. Since the settings that were in the -NTConfig.POL file were applied to the client machine registry and that apply to the -hive key HKEY_LOCAL_MACHINE are permanent until explicitly reveresd. This is known -as tattooing. It can have serious consequences down-stream and the administrator must -be extreemly careful not to lock out the ability to manage the machine at a later date.</P +> With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </P ></DIV ></DIV ><DIV @@ -13862,8 +14859,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2722" ->17.1.3. Creating and Managing MS Windows 200x Policies</A +NAME="AEN2936" +>16.1.3. MS Windows 200x / XP Professional Policies</A ></H3 ><P >Windows NT4 System policies allows setting of registry parameters specific to 
@@ -13922,45 +14919,47 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2733" ->17.1.3.1. Administration of Win2K Policies</A +NAME="AEN2947" +>16.1.3.1. Administration of Win2K / XP Policies</A ></H4 +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P ><P >Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows:</P -><P -></P -><UL +><OL +TYPE="1" ><LI ><P -> Go to the Windows 200x / XP menu <TT +>Go to the Windows 200x / XP menu <TT CLASS="FILENAME" ->Start->Programs->Adminsitrative Tools</TT +>Start->Programs->Administrative Tools</TT > - and select the MMC snap-in called "Active Directory Users and Computers" - </P + and select the MMC snap-in called "Active Directory Users and Computers"</P ><P -> </P +></P ></LI ><LI ><P -> Select the domain or organizational unit (OU) that you wish to manage, then right click - to open the context menu for that object, select the properties item. - </P +>Select the domain or organizational unit (OU) that you wish to manage, then right click +to open the context menu for that object, select the properties item.</P ></LI ><LI ><P -> Now left click on the Group Policy tab, then left click on the New tab. Type a name - for the new policy you will create. - </P +>Now left click on the Group Policy tab, then left click on the New tab. Type a name +for the new policy you will create.</P ></LI ><LI ><P -> Now left click on the Edit tab to commence the steps needed to create the GPO. - </P +>Now left click on the Edit tab to commence the steps needed to create the GPO.</P ></LI -></UL +></OL +></DIV ><P >All policy configuration options are controlled through the use of policy administrative templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. 
@@ -14000,6 +14999,107 @@ use this powerful tool. Please refer to the resource kit manuals for specific us ></DIV ></DIV ></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2965" +>16.2. Managing Account/User Policies</A +></H2 +><P +>Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary.</P +><P +>If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation.</P +><P +>When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry.</P +><P +>MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +> effect. 
+This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.</P +><P +>Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes:</P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Logon Hours</TD +></TR +><TR +><TD +>Password Aging</TD +></TR +><TR +><TD +>Permitted Logon from certain machines only</TD +></TR +><TR +><TD +>Account type (Local or Global)</TD +></TR +><TR +><TD +>User Rights</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2980" +>16.2.1. With Windows NT4/200x</A +></H3 +><P +>The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2983" +>16.2.2. With a Samba PDC</A +></H3 +><P +>With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +<TT +CLASS="FILENAME" +>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</TT +>. The administrator should read the +man pages for these tools and become familiar with their use.</P +></DIV +></DIV ></DIV ><DIV CLASS="CHAPTER" 
@@ -14007,14 +15107,14 @@ CLASS="CHAPTER" ><A NAME="PROFILEMGMT" ></A ->Chapter 18. Profile Management</H1 +>Chapter 17. Desktop Profile Management</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2761" ->18.1. Roaming Profiles</A +NAME="AEN2998" +>17.1. Roaming Profiles</A ></H2 ><DIV CLASS="WARNING" 
@@ -14043,45 +15143,63 @@ CLASS="emphasis" CLASS="EMPHASIS" >NOTE!</I ></SPAN -> Roaming profiles support is different for Win9X and WinNT.</P +> Roaming profiles support is different for Win9x / Me +and Windows NT4/200x.</P ></TD ></TR ></TABLE ></DIV ><P >Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features.</P +Windows 9x / Me and Windows NT4/200x clients implement these features.</P ><P ->Win9X clients send a NetUserGetInfo request to the server to get the user's +>Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory.</P +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory.</P ><P ->WinNT clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT.</P +>Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles.</P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2769" ->18.1.1. Windows NT Configuration</A +NAME="AEN3006" +>17.1.1. Samba Configuration for Profile Handling</A ></H3 ><P ->To support WinNT clients, in the [global] section of smb.conf set the +>This section documents how to configure Samba for MS Windows client profile support.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3009" +>17.1.1.1. 
NT4/200x User Profiles</A +></H4 +><P +>To support Windowns NT4/200x clients, in the [global] section of smb.conf set the following (for example):</P ><P ><PRE CLASS="PROGRAMLISTING" ->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE +> logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath + + This is typically implemented like: + + logon path = \\%L\Profiles\%u + + where: + %L translates to the name of the Samba server + %u translates to the user name</PRE ></P ><P ->The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable.</P +>The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. +The \\N%\%U service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for smb.conf in respect of the different +symantics of %L and %N, as well as %U and %u.</P ><DIV CLASS="NOTE" ><P 
@@ -14118,79 +15236,52 @@ meta-service name as part of the profile share path.</P ></DIV ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2778" ->18.1.2. Windows 9X Configuration</A -></H3 +NAME="AEN3018" +>17.1.1.2. Windows 9x / Me User Profiles</A +></H4 ><P ->To support Win9X clients, you must use the "logon home" parameter. Samba has +>To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use /home" now works as well, and it, too, relies on the "logon home" parameter.</P ><P ->By using the logon home parameter, you are restricted to putting Win9X +>By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file:</P +can use. If you set the following in the [global] section of your smb.conf file:</P ><P ><PRE CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles</PRE +> logon home = \\%L\%U\.profiles</PRE ></P ><P ->then your Win9X clients will dutifully put their clients in a subdirectory +>then your Windows 9x / Me clients will dutifully put their clients in a subdirectory of your home directory called .profiles (thus making them hidden).</P ><P >Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area +Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified \\%L\%U for "logon home".</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2786" ->18.1.3. Win9X and WinNT Configuration</A -></H3 +NAME="AEN3026" +>17.1.1.3. 
Mixed Windows 9x / Me and Windows NT4/200x User Profiles</A +></H4 ><P >You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:</P ><P ><PRE CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U</PRE -></P -><DIV -CLASS="NOTE" -><P +> logon home = \\%L\%u\.profiles + logon path = \\%L\profiles\%u</PRE ></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I have not checked what 'net use /home' does on NT when "logon home" is -set as above.</P -></TD -></TR -></TABLE ></DIV ></DIV ><DIV @@ -14198,9 +15289,17 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2793" ->18.1.4. Windows 9X Profile Setup</A +NAME="AEN3031" +>17.1.2. Windows Client Profile Configuration Information</A ></H3 +><DIV +CLASS="SECT3" +><H4 +CLASS="SECT3" +><A +NAME="AEN3033" +>17.1.2.1. Windows 9x / Me Profile Setup</A +></H4 ><P >When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -14220,7 +15319,7 @@ and deny them write access to this file.</P TYPE="1" ><LI ><P -> On the Windows 95 machine, go to Control Panel | Passwords and +> On the Windows 9x / Me machine, go to Control Panel -> Passwords and select the User Profiles tab. Select the required level of roaming preferences. Press OK, but do _not_ allow the computer to reboot. 
@@ -14228,8 +15327,8 @@ TYPE="1" ></LI ><LI ><P -> On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to +> On the Windows 9x / Me machine, go to Control Panel -> Network -> + Client for Microsoft Networks -> Preferences. Select 'Log on to NT Domain'. Then, ensure that the Primary Logon is 'Client for Microsoft Networks'. Press OK, and this time allow the computer to reboot. @@ -14237,12 +15336,12 @@ TYPE="1" ></LI ></OL ><P ->Under Windows 95, Profiles are downloaded from the Primary Logon. +>Under Windows 9x / Me Profiles are downloaded from the Primary Logon. If you have the Primary Logon as 'Client for Novell Networks', then the profiles and logon script will be downloaded from your Novell Server. If you have the Primary Logon as 'Windows Logon', then the profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me.</P +concept of roaming profiles, it would seem!</P ><P >You will now find that the Microsoft Networks Login box contains [user, password, domain] instead of just [user, password]. Type in 
@@ -14251,26 +15350,26 @@ but bear in mind that the user will be authenticated against this domain and profiles downloaded from it, if that domain logon server supports it), user name and user's password.</P ><P ->Once the user has been successfully validated, the Windows 95 machine +>Once the user has been successfully validated, the Windows 9x / Me machine will inform you that 'The user has not logged on before' and asks you if you wish to save the user's preferences? Select 'yes'.</P ><P ->Once the Windows 95 client comes up with the desktop, you should be able +>Once the Windows 9x / Me client comes up with the desktop, you should be able to examine the contents of the directory specified in the "logon path" on the samba server and verify that the "Desktop", "Start Menu", "Programs" and "Nethood" folders have been created.</P ><P >These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). +the user logs off (if you haven't made them read-only by then). You will find that if the user creates further folders or short-cuts, that the client will merge the profile contents downloaded with the contents of the profile directory already on the local client, taking the newest folders and short-cuts from each set.</P ><P >If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as +then you will get errors from the Windows 9x / Me machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the Unix file +you have any errors reported by the Windows 9x / Me machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server.</P ><P 
@@ -14298,9 +15397,9 @@ TYPE="1" > you will find an entry, for each user, of ProfilePath. Note the contents of this key (likely to be c:\windows\profiles\username), then delete the key ProfilePath for the required user. - </P -><P -> [Exit the registry editor]. + + [Exit the registry editor]. + </P ></LI ><LI @@ -14312,16 +15411,19 @@ CLASS="EMPHASIS" >WARNING</I ></SPAN > - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). + directory listed in the ProfilePath (this is likely to be + <TT +CLASS="FILENAME" +>c:\windows\profiles\username)</TT +>, ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). </P ><P -> This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. +> This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. </P ></LI ><LI @@ -14332,7 +15434,7 @@ CLASS="EMPHASIS" ></LI ><LI ><P -> log off the windows 95 client. +> log off the windows 9x / Me client. </P ></LI ><LI 
@@ -14345,39 +15447,42 @@ CLASS="EMPHASIS" ></OL ><P >If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports.</P +and / or run a packet trace program such as ethereal or netmon.exe, and +look for error messages.</P ><P ->If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the +>If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the differences are with the equivalent samba trace.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2829" ->18.1.5. Windows NT Workstation 4.0</A -></H3 +NAME="AEN3069" +>17.1.2.2. Windows NT4 Workstation</A +></H4 ><P >When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified through the "logon path" parameter.</P ><P >There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and +"logon drive". This should be set to <TT +CLASS="FILENAME" +>H:</TT +> or any other drive, and should be used in conjunction with the new "logon home" parameter.</P ><P ->The entry for the NT 4.0 profile is a _directory_ not a file. The NT +>The entry for the NT4 profile is a _directory_ not a file. The NT help on profiles mentions that a directory is also created with a .PDS extension. 
The user, while logging in, must have write permission to create the full profile path (and the folder with the .PDS extension for those situations where it might be created.)</P ><P ->In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", +>In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates "Application Data" and others, as well as "Desktop", "Nethood", "Start Menu" and "Programs". The profile itself is stored in a file NTuser.DAT. Nothing appears to be stored in the .PDS directory, and its purpose is currently unknown.</P 
@@ -14392,26 +15497,262 @@ turns a profile into a mandatory one.</P NTuser.DAT or, for a mandatory profile, NTuser.MAN.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2837" ->18.1.6. Windows NT/200x Server</A -></H3 +NAME="AEN3078" +>17.1.2.3. Windows 2000/XP Professional</A +></H4 ><P ->There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords.</P +>You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows:</P +><P +></P +><UL +><LI +><P +> Log on as the LOCAL workstation administrator. + </P +></LI +><LI +><P +> Right click on the 'My Computer' Icon, select 'Properties' + </P +></LI +><LI +><P +> Click on the 'User Profiles' tab + </P +></LI +><LI +><P +> Select the profile you wish to convert (click on it once) + </P +></LI +><LI +><P +> Click on the button 'Copy To' + </P +></LI +><LI +><P +> In the "Permitted to use" box, click on the 'Change' button. + </P +></LI +><LI +><P +> Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. + </P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="90%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>You will need to log on if a logon box opens up. Eg: In the connect + as: MIDEARTH\root, password: mypassword.</P +></TD +></TR +></TABLE +></DIV +></LI +><LI +><P +> To make the profile capable of being used by anyone select 'Everyone' + </P +></LI +><LI +><P +> Click OK. The Selection box will close. 
+ </P +></LI +><LI +><P +> Now click on the 'Ok' button to create the profile in the path you + nominated. + </P +></LI +></UL +><P +>Done. You now have a profile that can be editted using the samba-3.0.0 +<TT +CLASS="FILENAME" +>profiles</TT +> tool.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Under NT/2K the use of mandotory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +></P +><UL +><LI +><P +>This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:</P +><P +>"Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders"</P +><P +>...and it should be set to "Enabled". +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this.</P +><P +>If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. If you want to try this, then do +the following (N.B. 
I don't know for sure that this will work in the +same way as a domain group policy):</P +></LI +><LI +><P +>On the XP workstation log in with an Administrator account.</P +></LI +><LI +><P +>Click: "Start", "Run"</P +></LI +><LI +><P +>Type: "mmc"</P +></LI +><LI +><P +>Click: "OK"</P +></LI +><LI +><P +>A Microsoft Management Console should appear.</P +></LI +><LI +><P +>Click: File, "Add/Remove Snap-in...", "Add"</P +></LI +><LI +><P +>Double-Click: "Group Policy"</P +></LI +><LI +><P +>Click: "Finish", "Close"</P +></LI +><LI +><P +>Click: "OK"</P +></LI +><LI +><P +>In the "Console Root" window:</P +></LI +><LI +><P +>Expand: "Local Computer Policy", "Computer Configuration",</P +></LI +><LI +><P +>"Administrative Templates", "System", "User Profiles"</P +></LI +><LI +><P +>Double-Click: "Do not check for user ownership of Roaming Profile</P +></LI +><LI +><P +>Folders"</P +></LI +><LI +><P +>Select: "Enabled"</P +></LI +><LI +><P +>Click: OK"</P +></LI +><LI +><P +>Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed).</P +></LI +><LI +><P +>Reboot</P +></LI +></UL +></TD +></TR +></TABLE +></DIV +></DIV ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2840" ->18.1.7. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +NAME="AEN3151" +>17.1.3. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A ></H3 ><P >Sharing of desktop profiles between Windows versions is NOT recommended. 
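Review bot: The second NOTE added under 17.1.2.3 starts with "This is a security check new to Windows XP" without naming the check or the error the user sees, and then walks the reader through enabling "Do not check for user ownership of Roaming Profile Folders" with no statement of what the ownership check is for. Please open the note with the symptom it addresses and say plainly that enabling this policy switches the ownership verification off, so an administrator can decide whether that is acceptable. The note also keeps mailing-list wording ("Does the new version of samba have an Active Directory analogue?", "I don't know for sure that this will work"), and two steps are broken across list items ("Expand: ..." continues in "Administrative Templates ...", and the policy name continues in "Folders"); an ordered list with one step per item would read correctly. Smaller items in the same hunk: 'Look in" and Click: OK" have unbalanced quotes, and "editted" and "mandotory" are misspelled.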
@@ -14448,11 +15789,25 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2847" ->18.1.8. Windows NT 4</A +NAME="AEN3158" +>17.1.4. Profile Migration from Windows NT4/200x Server to Samba</A ></H3 ><P ->Unfortunately, the Resource Kit info is Win NT4 or 200x specific.</P +>There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3161" +>17.1.4.1. Windows NT4 Profile Management Tools</A +></H4 +><P +>Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. The correct resource kit is required for each platform.</P ><P >Here is a quick guide:</P ><P @@ -14503,7 +15858,7 @@ domain is not a member of a trust relationship with your NT4 PDC.</P ><LI ><P >In the box labelled 'Copy Profile to' add your new path, eg: -<TT + <TT CLASS="FILENAME" >c:\temp\foobar</TT ></P @@ -14515,7 +15870,7 @@ CLASS="FILENAME" ><LI ><P >Click on the group 'Everyone' and then click OK. This closes the -'chose user' box.</P + 'chose user' box.</P ></LI ><LI ><P @@ -14524,13 +15879,14 @@ CLASS="FILENAME" ></UL ><P >Follow the above for every profile you need to migrate.</P +></DIV ><DIV CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2870" ->18.1.8.1. Side bar Notes</A +NAME="AEN3184" +>17.1.4.2. Side bar Notes</A ></H4 ><P >You should obtain the SID of your NT4 domain. You can use smbpasswd to do 
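Review bot: The section retitled "17.1.4. Profile Migration from Windows NT4/200x Server to Samba" now opens with the moved paragraph "There is nothing to stop you specifying any path ...", which is about where a profile may be stored and says nothing about migrating one, so the heading needs a sentence that introduces the procedure that follows. The reworded "Unfortunately, the Resource Kit information is specific ..." still begins with "Unfortunately" although nothing precedes it in the new 17.1.4.1 subsection. The line containing 'chose user' was touched for indentation only and keeps the wording; please check it against the dialog's actual label while the line is being changed anyway.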
@@ -14545,21 +15901,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2874" ->18.1.8.2. Mandatory profiles</A -></H4 -><P ->The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2877" ->18.1.8.3. moveuser.exe</A +NAME="AEN3188" +>17.1.4.3. moveuser.exe</A ></H4 ><P >The W2K professional resource kit has moveuser.exe. moveuser.exe changes @@ -14571,8 +15914,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2880" ->18.1.8.4. Get SID</A +NAME="AEN3191" +>17.1.4.4. Get SID</A ></H4 ><P >You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 
@@ -14589,56 +15932,475 @@ the user with the GetSID.exe utility.) Inside of the appropriate user's subkey, you will see a string value named ProfileImagePath.</P ></DIV ></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3196" +>17.2. Mandatory profiles</A +></H2 +><P +>A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable.</P +></TD +></TR +></TABLE +></DIV +><P +>For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN.</P +><P +>For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +affect a mandatory profile.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3203" +>17.3. Creating/Managing Group Profiles</A +></H2 +><P +>Most organisations are arranged into departments. There is a nice benenfit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. 
Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile.</P +><P +>The next step is rather important. PLEASE NOTE: Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + </P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3209" +>17.4. Default Profile for Windows Users</A +></H2 +><P +>MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages.</P +><P +></P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3213" +>17.4.1. MS Windows 9x/Me</A +></H3 +><P +>To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly.</P +><P +>To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. 
Do not forget to save the registry changes.</P +><P +>To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +<TT +CLASS="FILENAME" +>HKEY_LOCAL_MACHINE\Network\Logon</TT +>. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3219" +>17.4.1.1. How User Profiles Are Handled in Windows 9x / Me?</A +></H4 +><P +>When a user logs on to a Windows 9x / Me machine, the local profile path, +<TT +CLASS="FILENAME" +>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</TT +>, is checked +for an existing entry for that user:</P +><P +>If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used.</P +><P +>If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server.</P +></DIV +></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2885" ->18.1.9. Windows 2000/XP</A +NAME="AEN3225" +>17.4.2. 
MS Windows NT4 Workstation</A ></H3 ><P ->You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows:</P +>On MS Windows NT4 the default user profile is obtained from the location +<TT +CLASS="FILENAME" +>%SystemRoot%\Profiles</TT +> which in a default installation will translate to +<TT +CLASS="FILENAME" +>C:\WinNT\Profiles</TT +>. Under this directory on a clean install there will be +three (3) directories: <TT +CLASS="FILENAME" +>Administrator, All Users, Default User</TT +>.</P +><P +>The <TT +CLASS="FILENAME" +>All Users</TT +> directory contains menu settings that are common across all +system users. The <TT +CLASS="FILENAME" +>Default User</TT +> directory contains menu entries that are +customisable per user depending on the profile settings chosen/created.</P +><P +>When a new user first logs onto an MS Windows NT4 machine a new profile is created from:</P ><P ></P -><UL -><LI +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>All Users settings</TD +></TR +><TR +><TD +>Default User settings (contains the default NTUser.DAT file)</TD +></TR +></TBODY +></TABLE ><P ->Log on as the LOCAL workstation administrator.</P -></LI -><LI +></P ><P ->Right click on the 'My Computer' Icon, select 'Properties'</P -></LI +>When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling:</P +><P +></P +><OL +TYPE="1" ><LI ><P ->Click on the 'User Profiles' tab</P +> The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +>. 
This profile then inherits the + settings in the <TT +CLASS="FILENAME" +>All Users</TT +> profile in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles</TT +> + location. + </P ></LI ><LI ><P ->Select the profile you wish to convert (click on it once)</P +> If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +> + directory from reading the <TT +CLASS="FILENAME" +>Default User</TT +> profile. + </P ></LI ><LI ><P ->Click on the button 'Copy To'</P +> If the NETLOGON share on the authenticating server (logon server) contains a policy file + (<TT +CLASS="FILENAME" +>NTConfig.POL</TT +>) then it's contents are applied to the <TT +CLASS="FILENAME" +>NTUser.DAT</TT +> + which is applied to the <TT +CLASS="FILENAME" +>HKEY_CURRENT_USER</TT +> part of the registry. + </P ></LI ><LI ><P ->In the "Permitted to use" box, click on the 'Change' button.</P +> When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The <TT +CLASS="FILENAME" +>NTuser.DAT</TT +> file is then + re-created from the contents of the <TT +CLASS="FILENAME" +>HKEY_CURRENT_USER</TT +> contents. + Thus, should there not exist in the NETLOGON share an <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> at the + next logon, the effect of the provious <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> will still be held + in the profile. The effect of this is known as <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +>. + </P ></LI -><LI +></OL +><P +>MS Windows NT4 profiles may be <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Local</I +></SPAN +> or <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Roaming</I +></SPAN +>. A Local profile +will stored in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +> location. 
A roaming profile will +also remain stored in the same way, unless the following registry key is created:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001</PRE +> + +In which case, the local copy (in <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +>) will be +deleted on logout.</P +><P +>Under MS Windows NT4 default locations for common resources (like <TT +CLASS="FILENAME" +>My Documents</TT +> +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.</P +><P +>The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\</PRE +></P +><P +>The above hive key contains a list of automatically managed folders. 
The default entries are:</P +><P +> <PRE +CLASS="PROGRAMLISTING" +> Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + NetHood %USERPROFILE%\NetHood + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + </PRE +> + </P +><P +>The registry key that contains the location of the default profile settings is: + +<PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE + \SOFTWARE + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders</PRE +> + +The default entries are: + +<PRE +CLASS="PROGRAMLISTING" +> Common Desktop %SystemRoot%\Profiles\All Users\Desktop + Common Programs %SystemRoot%\Profiles\All Users\Programs + Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu + Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</PRE +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3279" +>17.4.3. MS Windows 200x/XP</A +></H3 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible.</P +> MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. 
While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + </P +></TD +></TR +></TABLE +></DIV +><P +>When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +<TT +CLASS="FILENAME" +>C:\Documents and Settings\Default User</TT +>. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. </P +><P +>When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. ie: In MS Windows parlance: +<TT +CLASS="FILENAME" +>%LOGONSERVER%\NETLOGON\Default User</TT +> and if one exits there it will copy this +to the workstation to the <TT +CLASS="FILENAME" +>C:\Documents and Settings\</TT +> under the Windows +login name of the user.</P ><DIV CLASS="NOTE" ><P ></P ><TABLE CLASS="NOTE" -WIDTH="90%" +WIDTH="100%" BORDER="0" ><TR ><TD 
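Review bot: The DeleteRoamingCache listing in 17.4.2 gives the key as "HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\", but Winlogon settings live under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the "SYSTEM\" component should be dropped. An administrator who sets this value to stop profile copies accumulating on shared workstations will see no effect with the path as written. In the same section the "Common Startu p" row and "Progams" are typos inside a PROGRAMLISTING that readers will copy, two parentheses are never closed ("(like My Documents" and "(to do so may require ..."), and the sentence "The Registry Hive key that affects ... are controlled by entries on Windows NT4 is:" needs rewriting. "benenfit", "provious", "tatooing" and "will stored" also want fixing before this is regenerated.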
@@ -14653,30 +16415,210 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword.</P +> This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + should be created at the root of this share and msut be called <TT +CLASS="FILENAME" +>Default Profile</TT +>. + </P ></TD ></TR ></TABLE ></DIV -></LI +><P +>If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile.</P +><P +>On loging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path <TT +CLASS="FILENAME" +>C:\Documents and Settings\%USERNAME%</TT +>.</P +><P +>Those wishing to modify the default behaviour can do so through up to three methods:</P +><P +></P +><UL ><LI ><P ->To make the profile capable of being used by anyone select 'Everyone'</P +> Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + </P ></LI ><LI ><P ->Click OK. The Selection box will close.</P +> Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + </P ></LI ><LI ><P ->Now click on the 'Ok' button to create the profile in the path you -nominated.</P +> Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. + </P ></LI ></UL ><P ->Done. 
You now have a profile that can be editted using the samba-3.0.0 -profiles tool.</P +>The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\</PRE +></P +><P +>The above hive key contains a list of automatically managed folders. The default entries are:</P +><P +> <PRE +CLASS="PROGRAMLISTING" +> Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Cache %USERPROFILE%\Local Settings\Temporary Internet Files + Cookies %USERPROFILE%\Cookies + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + History %USERPROFILE%\Local Settings\History + Local AppData %USERPROFILE%\Local Settings\Application Data + Local Settings %USERPROFILE%\Local Settings + My Pictures %USERPROFILE%\My Documents\My Pictures + NetHood %USERPROFILE%\NetHood + Personal %USERPROFILE%\My Documents + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + Templates %USERPROFILE%\Templates + </PRE +> + </P +><P +>There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ.</P +><P +>It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. 
This means that it will NOT be necessary to +write Outlook PST file over the network for every login and logout.</P +><P +>To set this to a network location you could use the following examples: + +<PRE +CLASS="PROGRAMLISTING" +> %LOGONSERVER%\%USERNAME%\Default Folders</PRE +> + +This would store the folders in the user's home directory under a directory called "Default Folders" + +You could also use: + +<PRE +CLASS="PROGRAMLISTING" +> \\SambaServer\FolderShare\%USERNAME%</PRE +> + +in which case the default folders will be stored in the server named <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SambaServer</I +></SPAN +> +in the share called <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>FolderShare</I +></SPAN +> under a directory that has the name of the MS Windows +user as seen by the Linux/Unix file system.</P +><P +>Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it.</P +><P +>MS Windows 200x/XP profiles may be <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Local</I +></SPAN +> or <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Roaming</I +></SPAN +>. +A roaming profile will be cached locally unless the following registry key is created:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001</PRE +> + +In which case, the local cache copy will be deleted on logout.</P +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="PAM" +></A +>Chapter 18. PAM Configuration for Centrally Managed Authentication</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN3332" +>18.1. Samba and PAM</A +></H2 +><P +>A number of Unix systems (eg: Sun Solaris), as well as the +xxxxBSD family and Linux, now utilize the Pluggable Authentication +Modules (PAM) facility to provide all authentication, +authorization and resource control services. 
Prior to the +introduction of PAM, a decision to use an alternative to +the system password database (<TT +CLASS="FILENAME" +>/etc/passwd</TT +>) +would require the provision of alternatives for all programs that provide +security services. Such a choice would involve provision of +alternatives to such programs as: <B +CLASS="COMMAND" +>login</B +>, +<B +CLASS="COMMAND" +>passwd</B +>, <B +CLASS="COMMAND" +>chown</B +>, etc.</P +><P +>PAM provides a mechanism that disconnects these security programs +from the underlying authentication/authorization infrastructure. +PAM is configured either through one file <TT +CLASS="FILENAME" +>/etc/pam.conf</TT +> (Solaris), +or by editing individual files that are located in <TT +CLASS="FILENAME" +>/etc/pam.d</TT +>.</P ><DIV CLASS="NOTE" ><P 
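Review bot: The NOTE in 17.4.3 says the directory in the NETLOGON share "msut be called Default Profile", while the paragraph added just above it gives the lookup path as "%LOGONSERVER%\NETLOGON\Default User"; the two names contradict each other and one of them has to be corrected, otherwise the default profile will silently not be picked up. The DeleteRoamingCache listing at the end of the section repeats the "HKEY_LOCAL_MACHINE\SYSTEM\Software\..." path used in 17.4.2 and needs the same correction to "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon". In the folder redirection example, "%LOGONSERVER%\%USERNAME%\Default Folders" is described as the user's home directory, which only holds when the server exports a share named after each user; please state that assumption. Typos in added lines: "loging", "msut", "gladly user it", "one exits there".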
@@ -14698,12 +16640,183 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->Under NT/2K the use of mandotory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable.</P +> If the PAM authentication module (loadable link library file) is located in the + default location then it is not necessary to specify the path. In the case of + Linux, the default location is <TT +CLASS="FILENAME" +>/lib/security</TT +>. If the module + is located other than default then the path may be specified as: + + <PRE +CLASS="PROGRAMLISTING" +> auth required /other_path/pam_strange_module.so + </PRE +> + </P ></TD ></TR ></TABLE ></DIV +><P +>The following is an example <TT +CLASS="FILENAME" +>/etc/pam.d/login</TT +> configuration file. +This example had all options been uncommented is probably not usable +as it stacks many conditions before allowing successful completion +of the login process. Essentially all conditions can be disabled +by commenting them out except the calls to <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +>.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_securetty.so + auth required pam_nologin.so + # auth required pam_dialup.so + # auth optional pam_mail.so + auth required pam_pwdb.so shadow md5 + # account requisite pam_time.so + account required pam_pwdb.so + session required pam_pwdb.so + # session optional pam_lastlog.so + # password required pam_cracklib.so retry=3 + password required pam_pwdb.so shadow md5</PRE +></P +><P +>PAM allows use of replacable modules. 
Those available on a +sample system include:</P +><P +><SAMP +CLASS="PROMPT" +>$</SAMP +><KBD +CLASS="USERINPUT" +>/bin/ls /lib/security</KBD +> +<PRE +CLASS="PROGRAMLISTING" +> pam_access.so pam_ftp.so pam_limits.so + pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so + pam_cracklib.so pam_group.so pam_listfile.so + pam_nologin.so pam_rootok.so pam_tally.so + pam_deny.so pam_issue.so pam_mail.so + pam_permit.so pam_securetty.so pam_time.so + pam_dialup.so pam_lastlog.so pam_mkhomedir.so + pam_pwdb.so pam_shells.so pam_unix.so + pam_env.so pam_ldap.so pam_motd.so + pam_radius.so pam_smbpass.so pam_unix_acct.so + pam_wheel.so pam_unix_auth.so pam_unix_passwd.so + pam_userdb.so pam_warn.so pam_unix_session.so</PRE +></P +><P +>The following example for the login program replaces the use of +the <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +> module which uses the system +password database (<TT +CLASS="FILENAME" +>/etc/passwd</TT +>, +<TT +CLASS="FILENAME" +>/etc/shadow</TT +>, <TT +CLASS="FILENAME" +>/etc/group</TT +>) with +the module <TT +CLASS="FILENAME" +>pam_smbpass.so</TT +> which uses the Samba +database which contains the Microsoft MD4 encrypted password +hashes. This database is stored in either +<TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +>, +<TT +CLASS="FILENAME" +>/etc/samba/smbpasswd</TT +>, or in +<TT +CLASS="FILENAME" +>/etc/samba.d/smbpasswd</TT +>, depending on the +Samba implementation for your Unix/Linux system. The +<TT +CLASS="FILENAME" +>pam_smbpass.so</TT +> module is provided by +Samba version 2.2.1 or later. It can be compiled by specifying the +<B +CLASS="COMMAND" +>--with-pam_smbpass</B +> options when running Samba's +<TT +CLASS="FILENAME" +>configure</TT +> script. 
For more information +on the <TT +CLASS="FILENAME" +>pam_smbpass</TT +> module, see the documentation +in the <TT +CLASS="FILENAME" +>source/pam_smbpass</TT +> directory of the Samba +source distribution.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_smbpass.so nodelay + account required pam_smbpass.so nodelay + session required pam_smbpass.so nodelay + password required pam_smbpass.so nodelay</PRE +></P +><P +>The following is the PAM configuration file for a particular +Linux system. The default condition uses <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +>.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required pam_pwdb.so nullok nodelay shadow audit + account required pam_pwdb.so audit nodelay + session required pam_pwdb.so nodelay + password required pam_pwdb.so shadow md5</PRE +></P +><P +>In the following example the decision has been made to use the +smbpasswd database even for basic samba authentication. Such a +decision could also be made for the passwd program and would +thus allow the smbpasswd passwords to be changed using the passwd +program.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required pam_smbpass.so nodelay + account required pam_pwdb.so audit nodelay + session required pam_pwdb.so nodelay + password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE +></P ><DIV CLASS="NOTE" ><P 
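Review bot: The `samba' service listing presented as the default for a particular Linux system has "auth required pam_pwdb.so nullok nodelay shadow audit", and nullok allows accounts with an empty password to authenticate; the text should say so or the example should drop the option, since readers copy these listings. In the last listing "smbconf=/etc/samba.d/smb.conf" appears only on the password line while the auth line calls pam_smbpass.so without it; if smb.conf is not in the default location both lines need the argument, otherwise neither does. These examples should also point to the "obey pam restrictions" text added later in the patch, which states that Samba ignores PAM for authentication when encrypt passwords = yes and ignores account and session management by default, because as written a reader will assume the auth, account and session lines always take effect. The sentence "This example had all options been uncommented is probably not usable" is garbled, and "replacable" is misspelled.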
@@ -14725,105 +16838,558 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P +>PAM allows stacking of authentication mechanisms. It is +also possible to pass information obtained within one PAM module through +to the next module in the PAM stack. Please refer to the documentation for +your particular system implementation for details regarding the specific +capabilities of PAM in this environment. Some Linux implmentations also +provide the <TT +CLASS="FILENAME" +>pam_stack.so</TT +> module that allows all +authentication to be configured in a single central file. The +<TT +CLASS="FILENAME" +>pam_stack.so</TT +> method has some very devoted followers +on the basis that it allows for easier administration. As with all issues in +life though, every decision makes trade-offs, so you may want examine the +PAM documentation for further helpful information.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3383" +>18.2. Distributed Authentication</A +></H2 +><P +>The astute administrator will realize from this that the +combination of <TT +CLASS="FILENAME" +>pam_smbpass.so</TT +>, +<B +CLASS="COMMAND" +>winbindd</B +>, and a distributed +passdb backend, such as ldap, will allow the establishment of a +centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3388" +>18.3. PAM Configuration in smb.conf</A +></H2 +><P +>There is an option in smb.conf called <A +HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" +TARGET="_top" +>obey pam restrictions</A +>. +The following is from the on-line help for this option in SWAT;</P +><P +>When Samba is configured to enable PAM support (i.e. 
+<CODE +CLASS="CONSTANT" +>--with-pam</CODE +>), this parameter will +control whether or not Samba should obey PAM's account +and session management directives. The default behavior +is to use PAM for clear text authentication only and to +ignore any account or session management. Note that Samba always +ignores PAM for authentication in the case of +<A +HREF="smb.conf.5.html#ENCRYPTPASSWORDS" +TARGET="_top" +>encrypt passwords = yes</A +>. +The reason is that PAM modules cannot support the challenge/response +authentication mechanism needed in the presence of SMB +password encryption. </P +><P +>Default: <B +CLASS="COMMAND" +>obey pam restrictions = no</B ></P -><UL -><LI +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="VFS" +></A +>Chapter 19. Stackable VFS modules</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN3423" +>19.1. Introduction and configuration</A +></H2 ><P ->This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</P +>Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. +Samba passes each request to access the unix file system thru the loaded VFS modules. +This chapter covers all the modules that come with the samba source and references to +some external modules.</P ><P ->"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders"</P +>You may have problems to compile these modules, as shared libraries are +compiled and linked in different ways on different systems. +They currently have been tested against GNU/linux and IRIX.</P ><P ->...and it should be set to "Enabled". -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this.</P +>To use the VFS modules, create a share similar to the one below. 
The +important parameter is the <B +CLASS="COMMAND" +>vfs object</B +> parameter which must point to +the exact pathname of the shared library objects. For example, to log all access +to files and use a recycle bin: + +<PRE +CLASS="PROGRAMLISTING" +> [audit] + comment = Audited /data directory + path = /data + vfs object = /path/to/audit.so /path/to/recycle.so + writeable = yes + browseable = yes</PRE +></P ><P ->If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. I don't know for sure that this will work in the -same way as a domain group policy):</P -></LI -><LI +>The modules are used in the order they are specified.</P ><P ->On the XP workstation log in with an Administrator account.</P -></LI -><LI +>Further documentation on writing VFS modules for Samba can be found in +the Samba Developers Guide.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3432" +>19.2. Included modules</A +></H2 +><DIV +CLASS="SECT2" +><H3 +CLASS="SECT2" +><A +NAME="AEN3434" +>19.2.1. audit</A +></H3 ><P ->Click: "Start", "Run"</P -></LI -><LI +>A simple module to audit file access to the syslog +facility. The following operations are logged: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>share</TD +></TR +><TR +><TD +>connect/disconnect</TD +></TR +><TR +><TD +>directory opens/create/remove</TD +></TR +><TR +><TD +>file open/close/rename/unlink/chmod</TD +></TR +></TBODY +></TABLE ><P ->Type: "mmc"</P -></LI -><LI +></P +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3442" +>19.2.2. extd_audit</A +></H3 ><P ->Click: "OK"</P -></LI -><LI +>This module is identical with the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>audit</I +></SPAN +> module above except +that it sends audit logs to both syslog as well as the smbd log file/s. The +loglevel for this module is set in the smb.conf file. 
At loglevel = 0, only file +and directory deletions and directory and file creations are logged. At loglevel = 1 +file opens are renames and permission changes are logged , while at loglevel = 2 file +open and close calls are logged also.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3446" +>19.2.3. recycle</A +></H3 ><P ->A Microsoft Management Console should appear.</P -></LI -><LI +>A recycle-bin like modules. When used any unlink call +will be intercepted and files moved to the recycle +directory instead of beeing deleted.</P ><P ->Click: File, "Add/Remove Snap-in...", "Add"</P -></LI -><LI +>Supported options: +<P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>vfs_recycle_bin:repository</DT +><DD ><P ->Double-Click: "Group Policy"</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:keeptree</DT +><DD ><P ->Click: "Finish", "Close"</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:versions</DT +><DD ><P ->Click: "OK"</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:touch</DT +><DD ><P ->In the "Console Root" window:</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:maxsize</DT +><DD ><P ->Expand: "Local Computer Policy", "Computer Configuration",</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:exclude</DT +><DD ><P ->"Administrative Templates", "System", "User Profiles"</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:exclude_dir</DT +><DD ><P ->Double-Click: "Do not check for user ownership of Roaming Profile</P -></LI -><LI +>FIXME</P +></DD +><DT +>vfs_recycle_bin:noversions</DT +><DD ><P ->Folders"</P -></LI -><LI +>FIXME</P +></DD +></DL +></DIV +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3483" +>19.2.4. 
netatalk</A +></H3 ><P ->Select: "Enabled"</P -></LI +>A netatalk module, that will ease co-existence of samba and +netatalk file sharing services.</P +><P +>Advantages compared to the old netatalk module: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD +></TR +><TR +><TD +>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3490" +>19.3. VFS modules available elsewhere</A +></H2 +><P +>This section contains a listing of various other VFS modules that +have been posted but don't currently reside in the Samba CVS +tree for one reason ot another (e.g. it is easy for the maintainer +to have his or her own CVS tree).</P +><P +>No statemets about the stability or functionality any module +should be implied due to its presence here.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3494" +>19.3.1. DatabaseFS</A +></H3 +><P +>URL: <A +HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" +TARGET="_top" +>http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A +></P +><P +>By <A +HREF="mailto:elorimer@css.tayloru.edu" +TARGET="_top" +>Eric Lorimer</A +>.</P +><P +>I have created a VFS module which implements a fairly complete read-only +filesystem. It presents information from a database as a filesystem in +a modular and generic way to allow different databases to be used +(originally designed for organizing MP3s under directories such as +"Artists," "Song Keywords," etc... I have since applied it to a student +roster database very easily). 
The directory structure is stored in the +database itself and the module makes no assumptions about the database +structure beyond the table it requires to run.</P +><P +>Any feedback would be appreciated: comments, suggestions, patches, +etc... If nothing else, hopefully it might prove useful for someone +else who wishes to create a virtual filesystem.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3502" +>19.3.2. vscan</A +></H3 +><P +>URL: <A +HREF="http://www.openantivirus.org/" +TARGET="_top" +>http://www.openantivirus.org/</A +></P +><P +>samba-vscan is a proof-of-concept module for Samba, which +uses the VFS (virtual file system) features of Samba 2.2.x/3.0 +alphaX. Of couse, Samba has to be compiled with VFS support. +samba-vscan supports various virus scanners and is maintained +by Rainer Link.</P +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="MSDFS" +></A +>Chapter 20. Hosting a Microsoft Distributed File System tree on Samba</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN3518" +>20.1. Instructions</A +></H2 +><P +>The Distributed File System (or Dfs) provides a means of + separating the logical view of files and directories that users + see from the actual physical locations of these resources on the + network. It allows for higher availability, smoother storage expansion, + load balancing etc. For more information about Dfs, refer to <A +HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" +TARGET="_top" +> Microsoft documentation</A +>. </P +><P +>This document explains how to host a Dfs tree on a Unix + machine (for Dfs-aware clients to browse) using Samba.</P +><P +>To enable SMB-based DFS for Samba, configure it with the + <VAR +CLASS="PARAMETER" +>--with-msdfs</VAR +> option. 
Once built, a + Samba server can be made a Dfs server by setting the global + boolean <A +HREF="smb.conf.5.html#HOSTMSDFS" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> host msdfs</VAR +></A +> parameter in the <TT +CLASS="FILENAME" +>smb.conf + </TT +> file. You designate a share as a Dfs root using the share + level boolean <A +HREF="smb.conf.5.html#MSDFSROOT" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> msdfs root</VAR +></A +> parameter. A Dfs root directory on + Samba hosts Dfs links in the form of symbolic links that point + to other servers. For example, a symbolic link + <TT +CLASS="FILENAME" +>junction->msdfs:storage1\share1</TT +> in + the share directory acts as the Dfs junction. When Dfs-aware + clients attempt to access the junction link, they are redirected + to the storage location (in this case, \\storage1\share1).</P +><P +>Dfs trees on Samba work with all Dfs-aware clients ranging + from Windows 95 to 2000.</P +><P +>Here's an example of setting up a Dfs tree on a Samba + server.</P +><P +><PRE +CLASS="PROGRAMLISTING" +># The smb.conf file: +[global] + netbios name = SAMBA + host msdfs = yes + +[dfs] + path = /export/dfsroot + msdfs root = yes + </PRE +></P +><P +>In the /export/dfsroot directory we set up our dfs links to + other servers on the network.</P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>cd /export/dfsroot</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>chown root /export/dfsroot</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>chmod 755 /export/dfsroot</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>ln -s msdfs:storageA\\shareA linka</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>ln -s msdfs:serverB\\share,serverC\\share linkb</KBD +></P +><P +>You should set up the permissions and ownership of + the directory acting as the Dfs root such that only designated + users can 
create, delete or modify the msdfs links. Also note + that symlink names should be all lowercase. This limitation exists + to have Samba avoid trying all the case combinations to get at + the link name. Finally set up the symbolic links to point to the + network shares you want, and start Samba.</P +><P +>Users on Dfs-aware clients can now browse the Dfs tree + on the Samba server at \\samba\dfs. Accessing + links linka or linkb (which appear as directories to the client) + takes users directly to the appropriate shares on the network.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3553" +>20.1.1. Notes</A +></H3 +><P +></P +><UL ><LI ><P ->Click: OK"</P +>Windows clients need to be rebooted + if a previously mounted non-dfs share is made a dfs + root or vice versa. A better way is to introduce a + new share and make it the dfs root.</P ></LI ><LI ><P ->Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed).</P +>Currently there's a restriction that msdfs + symlink names should all be lowercase.</P ></LI ><LI ><P ->Reboot</P +>For security purposes, the directory + acting as the root of the Dfs tree should have ownership + and permissions set so that only designated users can + modify the symbolic links in the directory.</P ></LI ></UL -></TD -></TR -></TABLE -></DIV ></DIV ></DIV ></DIV @@ -14833,7 +17399,7 @@ CLASS="CHAPTER" ><A NAME="INTEGRATE-MS-NETWORKS" ></A ->Chapter 19. Integrating MS Windows networks with Samba</H1 +>Chapter 21. Integrating MS Windows networks with Samba</H1 ><P >This section deals with NetBIOS over TCP/IP name to IP address resolution. If you your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this 
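Review bot: In the added 19.2.2 extd_audit paragraph, the sentence containing "file opens are renames and permission changes are logged" does not parse, and it lists file opens at both loglevel = 1 and loglevel = 2, so a reader cannot tell which level is needed to audit opens. Restate it as one list of logged operations per level. In the same hunk every option under 19.2.3 recycle is documented only as "FIXME"; describe them or leave the list out until the text exists. Spelling in added lines: "implmentations", "may want examine", "beeing", "statemets", "ot another", "Of couse". The hunk also deletes the "Do not check for user ownership of Roaming Profile Folders" procedure from this position; confirm that it is kept elsewhere in the document.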
@@ -14914,8 +17480,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2975" ->19.1. Name Resolution in a pure Unix/Linux world</A +NAME="AEN3580" +>21.1. Name Resolution in a pure Unix/Linux world</A ></H2 ><P >The key configuration files covered in this section are:</P @@ -14956,8 +17522,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2991" ->19.1.1. <TT +NAME="AEN3596" +>21.1.1. <TT CLASS="FILENAME" >/etc/hosts</TT ></A @@ -15037,8 +17603,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3007" ->19.1.2. <TT +NAME="AEN3612" +>21.1.2. <TT CLASS="FILENAME" >/etc/resolv.conf</TT ></A @@ -15075,8 +17641,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3018" ->19.1.3. <TT +NAME="AEN3623" +>21.1.3. <TT CLASS="FILENAME" >/etc/host.conf</TT ></A @@ -15104,8 +17670,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3026" ->19.1.4. <TT +NAME="AEN3631" +>21.1.4. <TT CLASS="FILENAME" >/etc/nsswitch.conf</TT ></A @@ -15173,8 +17739,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3038" ->19.2. Name resolution as used within MS Windows networking</A +NAME="AEN3643" +>21.2. Name resolution as used within MS Windows networking</A ></H2 ><P >MS Windows networking is predicated about the name each machine @@ -15258,8 +17824,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3050" ->19.2.1. The NetBIOS Name Cache</A +NAME="AEN3655" +>21.2.1. The NetBIOS Name Cache</A ></H3 ><P >All MS Windows machines employ an in memory buffer in which is @@ -15285,8 +17851,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3055" ->19.2.2. The LMHOSTS file</A +NAME="AEN3660" +>21.2.2. The LMHOSTS file</A ></H3 ><P >This file is usually located in MS Windows NT 4.0 or @@ -15388,8 +17954,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3063" ->19.2.3. HOSTS file</A +NAME="AEN3668" +>21.2.3. HOSTS file</A ></H3 ><P >This file is usually located in MS Windows NT 4.0 or 2000 in 
@@ -15410,8 +17976,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3068" ->19.2.4. DNS Lookup</A +NAME="AEN3673" +>21.2.4. DNS Lookup</A ></H3 ><P >This capability is configured in the TCP/IP setup area in the network @@ -15430,8 +17996,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3071" ->19.2.5. WINS Lookup</A +NAME="AEN3676" +>21.2.5. WINS Lookup</A ></H3 ><P >A WINS (Windows Internet Name Server) service is the equivaent of the @@ -15473,18 +18039,21 @@ CLASS="CHAPTER" ><A NAME="IMPROVED-BROWSING" ></A ->Chapter 20. Improved browsing in samba</H1 +>Chapter 22. Improved browsing in samba</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3090" ->20.1. Overview of browsing</A +NAME="AEN3695" +>22.1. Overview of browsing</A ></H2 ><P >SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called "browse list". This list +of machines in a network, a so-called <B +CLASS="COMMAND" +>browse list</B +>. This list contains machines that are ready to offer file and/or print services to other machines within the network. Thus it does not include machines which aren't currently able to do server tasks. The browse @@ -15492,7 +18061,7 @@ list is heavily used by all SMB clients. Configuration of SMB browsing has been problematic for some Samba users, hence this document.</P ><P ->MS Windows 2000 and later, as with Samba-3 and later, can be +>MS Windows 2000 and later, as with Samba 3 and later, can be configured to not use NetBIOS over TCP/IP. When configured this way it is imperative that name resolution (using DNS/LDAP/ADS) be correctly configured and operative. Browsing will NOT work if name resolution @@ -15508,8 +18077,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3095" ->20.2. Browsing support in samba</A +NAME="AEN3701" +>22.2. Browsing support in samba</A ></H2 ><P >Samba facilitates browsing. The browsing is supported by nmbd 
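Review bot: In the 22.1 "Overview of browsing" hunk, "browse list" is now wrapped in B CLASS="COMMAND", but it is a term being defined, not a command or an smb.conf parameter; the quotation marks it replaces were the better fit. Later hunks in this patch apply the same markup to "master browser" and "domain master browser", while the MSDFS chapter marks real parameters with VAR CLASS="PARAMETER" ("host msdfs", "msdfs root"). Use term or quote markup for the browsing terms and the parameter markup for smb.conf options such as "os level" and "preferred master", so the rendered pages are consistent.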
@@ -15528,45 +18097,91 @@ workgroup that has the same name as an NT Domain: on each wide area network, you must only ever have one domain master browser per workgroup, regardless of whether it is NT, Samba or any other type of domain master that is providing this service.</P +><DIV +CLASS="NOTE" ><P ->[Note that nmbd can be configured as a WINS server, but it is not +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Nmbd can be configured as a WINS server, but it is not necessary to specifically use samba as your WINS server. MS Windows NT4, Server or Advanced Server 2000 or 2003 can be configured as your WINS server. In a mixed NT/2000/2003 server and samba environment on a Wide Area Network, it is recommended that you use the Microsoft WINS server capabilities. In a samba-only environment, it is recommended that you use one and only one Samba server as your WINS server.</P +></TD +></TR +></TABLE +></DIV ><P >To get browsing to work you need to run nmbd as usual, but will need -to use the "workgroup" option in smb.conf to control what workgroup -Samba becomes a part of.</P +to use the <B +CLASS="COMMAND" +>workgroup</B +> option in <TT +CLASS="FILENAME" +>smb.conf</TT +> +to control what workgroup Samba becomes a part of.</P ><P >Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for -example. See "remote announce" in the smb.conf man page. </P +example. See <B +CLASS="COMMAND" +>remote announce</B +> in the +<TT +CLASS="FILENAME" +>smb.conf</TT +> man page. </P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3103" ->20.3. Problem resolution</A +NAME="AEN3714" +>22.3. 
Problem resolution</A ></H2 ><P >If something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat.</P +in text form in a file called <TT +CLASS="FILENAME" +>browse.dat</TT +>.</P ><P >Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then hit enter and -filemanager should display the list of available shares.</P +type the server name as <TT +CLASS="FILENAME" +>\\SERVER</TT +> in filemanager then +hit enter and filemanager should display the list of available shares.</P ><P >Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ -connection that lists the shares is done as guest, and thus you must +<B +CLASS="COMMAND" +>guest account</B +> set to a valid account. Remember that the +IPC$ connection that lists the shares is done as guest, and thus you must have a valid guest account.</P ><P ><SPAN @@ -15582,13 +18197,6 @@ server resources.</I ></SPAN ></P ><P ->Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to -not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd -are now far more likely to correctly find your broadcast and network -address, so in most cases these aren't needed.</P -><P >The other big problem people have is that their broadcast address, netmask or IP address is wrong (specified with the "interfaces" option in smb.conf)</P @@ -15598,8 +18206,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3112" ->20.4. Browsing across subnets</A +NAME="AEN3725" +>22.4. Browsing across subnets</A ></H2 ><P >Since the release of Samba 1.9.17(alpha1) Samba has been 
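Review bot: The hunk at -15582,13 in section 22.3 deletes the paragraph about nmbd options in inetd.conf, but the paragraph kept right after it still opens with "The other big problem people have is that their broadcast address, netmask or IP address is wrong". With the first problem removed, "other" has nothing to refer to. Reword the surviving paragraph (for example "A common problem is that ..."), or keep a shortened version of the removed advice if it still applies.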
@@ -15629,8 +18237,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3117" ->20.4.1. How does cross subnet browsing work ?</A +NAME="AEN3730" +>22.4.1. How does cross subnet browsing work ?</A ></H3 ><P >Cross subnet browsing is a complicated dance, containing multiple @@ -15840,8 +18448,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3152" ->20.5. Setting up a WINS server</A +NAME="AEN3765" +>22.5. Setting up a WINS server</A ></H2 ><P >Either a Samba machine or a Windows NT Server machine may be set up @@ -15859,17 +18467,17 @@ yes. If you have any older versions of Samba on your network it is strongly suggested you upgrade to a recent version, or at the very least set the parameter to 'no' on all these machines.</P ><P ->Machines with "<B +>Machines with <B CLASS="COMMAND" >wins support = yes</B ->" will keep a list of +> will keep a list of all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P ><P >You should set up only ONE wins server. Do NOT set the -"<B +<B CLASS="COMMAND" >wins support = yes</B ->" option on more than one Samba +> option on more than one Samba server.</P ><P >To set up a Windows NT Server as a WINS server you need to set up @@ -15880,8 +18488,11 @@ refuse to document these replication protocols Samba cannot currently participate in these replications. It is possible in the future that a Samba->Samba WINS replication protocol may be defined, in which case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the "wins support = yes" -parameter set.</P +but currently only one Samba server should have the +<B +CLASS="COMMAND" +>wins support = yes</B +> parameter set.</P ><P >After the WINS server has been configured you must ensure that all machines participating on the network are configured with the address 
@@ -15902,14 +18513,14 @@ machine or its IP address.</P ><P >Note that this line MUST NOT BE SET in the smb.conf file of the Samba server acting as the WINS server itself. If you set both the -"<B +<B CLASS="COMMAND" >wins support = yes</B ->" option and the -"<B +> option and the +<B CLASS="COMMAND" >wins server = <name></B ->" option then +> option then nmbd will fail to start.</P ><P >There are two possible scenarios for setting up cross subnet browsing. @@ -15923,8 +18534,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3171" ->20.6. Setting up Browsing in a WORKGROUP</A +NAME="AEN3785" +>22.6. Setting up Browsing in a WORKGROUP</A ></H2 ><P >To set up cross subnet browsing on a network containing machines @@ -15985,15 +18596,31 @@ os level = 65</PRE or they will war with each other over which is to be the local master browser.</P ><P ->The "local master" parameter allows Samba to act as a local master -browser. The "preferred master" causes nmbd to force a browser -election on startup and the "os level" parameter sets Samba high -enough so that it should win any browser elections.</P +>The <B +CLASS="COMMAND" +>local master</B +> parameter allows Samba to act as a +local master browser. The <B +CLASS="COMMAND" +>preferred master</B +> causes nmbd +to force a browser election on startup and the <B +CLASS="COMMAND" +>os level</B +> +parameter sets Samba high enough so that it should win any browser elections.</P ><P >If you have an NT machine on the subnet that you wish to be the local master browser then you can disable Samba from becoming a local master browser by setting the following -options in the [global] section of the smb.conf file :</P +options in the <B +CLASS="COMMAND" +>[global]</B +> section of the +<TT +CLASS="FILENAME" +>smb.conf</TT +> file :</P ><P ><PRE CLASS="PROGRAMLISTING" 
@@ -16008,8 +18635,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3189" ->20.7. Setting up Browsing in a DOMAIN</A +NAME="AEN3808" +>22.7. Setting up Browsing in a DOMAIN</A ></H2 ><P >If you are adding Samba servers to a Windows NT Domain then @@ -16017,13 +18644,23 @@ you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a Domain name is also the Domain master browser for that name, and many things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC.</P +browser NetBIOS name (<VAR +CLASS="REPLACEABLE" +>DOMAIN</VAR +><1B>) +with WINS instead of the PDC.</P ><P >For subnets other than the one containing the Windows NT PDC you may set up Samba servers as local master browsers as described. To make a Samba server a local master browser set -the following options in the [global] section of the smb.conf -file :</P +the following options in the <B +CLASS="COMMAND" +>[global]</B +> section +of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file :</P ><P ><PRE CLASS="PROGRAMLISTING" 
@@ -16034,17 +18671,30 @@ os level = 65</PRE ></P ><P >If you wish to have a Samba server fight the election with machines -on the same subnet you may set the "os level" parameter to lower -levels. By doing this you can tune the order of machines that +on the same subnet you may set the <B +CLASS="COMMAND" +>os level</B +> parameter +to lower levels. By doing this you can tune the order of machines that will become local master browsers if they are running. For -more details on this see the section "FORCING SAMBA TO BE THE MASTER" +more details on this see the section <A +HREF="#BROWSE-FORCE-MASTER" +>Forcing samba to be the master browser</A +> below.</P ><P >If you have Windows NT machines that are members of the domain on all subnets, and you are sure they will always be running then you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options -in the [global] section of the smb.conf file :</P +in the <B +CLASS="COMMAND" +>[global]</B +> section of the <TT +CLASS="FILENAME" +>smb.conf</TT +> +file :</P ><P ><B CLASS="COMMAND" 
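Review bot: The new cross-reference in 22.7 reads "Forcing samba to be the master browser", while the heading it links to through #BROWSE-FORCE-MASTER is "22.8. Forcing samba to be the master". Make the link text match the section title, or rename the section, so a reader searching for the title finds it.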
@@ -16059,37 +18709,64 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3199" ->20.8. Forcing samba to be the master</A +NAME="BROWSE-FORCE-MASTER" +>22.8. Forcing samba to be the master</A ></H2 ><P ->Who becomes the "master browser" is determined by an election process -using broadcasts. Each election packet contains a number of parameters +>Who becomes the <B +CLASS="COMMAND" +>master browser</B +> is determined by an election +process using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the election. By default Samba uses a very low precedence and thus loses elections to just about anyone else.</P ><P ->If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 34 +>If you want Samba to win elections then just set the <B +CLASS="COMMAND" +>os level</B +> global +option in <TT +CLASS="FILENAME" +>smb.conf</TT +> to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!)</P ><P ->A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows +>A <B +CLASS="COMMAND" +>os level</B +> of 2 would make it beat WfWg and Win95, but not MS Windows NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.</P ><P >The maximum os level is 255</P ><P >If you want samba to force an election on startup, then set the -"preferred master" global option in smb.conf to "yes". Samba will +<B +CLASS="COMMAND" +>preferred master</B +> global option in <TT +CLASS="FILENAME" +>smb.conf</TT +> to "yes". Samba will then have a slight advantage over other potential master browsers that are not preferred master browsers. 
Use this parameter with care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with "preferred master" to +samba) on the same local subnet both set with <B +CLASS="COMMAND" +>preferred master</B +> to "yes", then periodically and continually they will force an election in order to become the local master browser.</P ><P ->If you want samba to be a "domain master browser", then it is -recommended that you also set "preferred master" to "yes", because +>If you want samba to be a <B +CLASS="COMMAND" +>domain master browser</B +>, then it is +recommended that you also set <B +CLASS="COMMAND" +>preferred master</B +> to "yes", because samba will not become a domain master browser for the whole of your LAN or WAN if it is not also a local master browser on its own broadcast isolated subnet.</P @@ -16107,14 +18784,20 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3208" ->20.9. Making samba the domain master</A +NAME="AEN3843" +>22.9. Making samba the domain master</A ></H2 ><P >The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting "domain master = yes" -in smb.conf. By default it will not be a domain master.</P +make samba act as the domain master by setting <B +CLASS="COMMAND" +>domain master = yes</B +> +in <TT +CLASS="FILENAME" +>smb.conf</TT +>. By default it will not be a domain master.</P ><P >Note that you should NOT set Samba to be the domain master for a workgroup that has the same name as an NT Domain.</P 
@@ -16125,8 +18808,14 @@ master browsers on other subnets and then contact them to synchronise browse lists.</P ><P >If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections, and set -"preferred master" to "yes", to get samba to force an election on +the <B +CLASS="COMMAND" +>os level</B +> high enough to make sure it wins elections, and set +<B +CLASS="COMMAND" +>preferred master</B +> to "yes", to get samba to force an election on startup.</P ><P >Note that all your servers (including samba) and clients should be @@ -16180,8 +18869,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3226" ->20.10. Note about broadcast addresses</A +NAME="AEN3865" +>22.10. Note about broadcast addresses</A ></H2 ><P >If your network uses a "0" based broadcast address (for example if it 
@@ -16194,457 +18883,19 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3229" ->20.11. Multiple interfaces</A +NAME="AEN3868" +>22.11. Multiple interfaces</A ></H2 ><P >Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the "interfaces" -option in smb.conf to configure them. See smb.conf(5) for details.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="MSDFS" -></A ->Chapter 21. Hosting a Microsoft Distributed File System tree on Samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3243" ->21.1. Instructions</A -></H2 -><P ->The Distributed File System (or Dfs) provides a means of - separating the logical view of files and directories that users - see from the actual physical locations of these resources on the - network. It allows for higher availability, smoother storage expansion, - load balancing etc. For more information about Dfs, refer to <A -HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" -TARGET="_top" -> Microsoft documentation</A ->. </P -><P ->This document explains how to host a Dfs tree on a Unix - machine (for Dfs-aware clients to browse) using Samba.</P -><P ->To enable SMB-based DFS for Samba, configure it with the - <VAR -CLASS="PARAMETER" ->--with-msdfs</VAR -> option. Once built, a - Samba server can be made a Dfs server by setting the global - boolean <A -HREF="smb.conf.5.html#HOSTMSDFS" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> host msdfs</VAR -></A -> parameter in the <TT -CLASS="FILENAME" ->smb.conf - </TT -> file. You designate a share as a Dfs root using the share - level boolean <A -HREF="smb.conf.5.html#MSDFSROOT" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> msdfs root</VAR -></A -> parameter. A Dfs root directory on - Samba hosts Dfs links in the form of symbolic links that point - to other servers. 
For example, a symbolic link - <TT -CLASS="FILENAME" ->junction->msdfs:storage1\share1</TT -> in - the share directory acts as the Dfs junction. When Dfs-aware - clients attempt to access the junction link, they are redirected - to the storage location (in this case, \\storage1\share1).</P -><P ->Dfs trees on Samba work with all Dfs-aware clients ranging - from Windows 95 to 2000.</P -><P ->Here's an example of setting up a Dfs tree on a Samba - server.</P -><P -><PRE -CLASS="PROGRAMLISTING" -># The smb.conf file: -[global] - netbios name = SAMBA - host msdfs = yes - -[dfs] - path = /export/dfsroot - msdfs root = yes - </PRE -></P -><P ->In the /export/dfsroot directory we set up our dfs links to - other servers on the network.</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->cd /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chown root /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chmod 755 /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:storageA\\shareA linka</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:serverB\\share,serverC\\share linkb</KBD -></P -><P ->You should set up the permissions and ownership of - the directory acting as the Dfs root such that only designated - users can create, delete or modify the msdfs links. Also note - that symlink names should be all lowercase. This limitation exists - to have Samba avoid trying all the case combinations to get at - the link name. Finally set up the symbolic links to point to the - network shares you want, and start Samba.</P -><P ->Users on Dfs-aware clients can now browse the Dfs tree - on the Samba server at \\samba\dfs. 
Accessing - links linka or linkb (which appear as directories to the client) - takes users directly to the appropriate shares on the network.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3278" ->21.1.1. Notes</A -></H3 -><P -></P -><UL -><LI -><P ->Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. A better way is to introduce a - new share and make it the dfs root.</P -></LI -><LI -><P ->Currently there's a restriction that msdfs - symlink names should all be lowercase.</P -></LI -><LI -><P ->For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P -></LI -></UL -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="VFS" -></A ->Chapter 22. Stackable VFS modules</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3302" ->22.1. Introduction and configuration</A -></H2 -><P ->Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. -Samba passes each request to access the unix file system thru the loaded VFS modules. -This chapter covers all the modules that come with the samba source and references to -some external modules.</P -><P ->You may have problems to compile these modules, as shared libraries are -compiled and linked in different ways on different systems. -They currently have been tested against GNU/linux and IRIX.</P -><P ->To use the VFS modules, create a share similar to the one below. The -important parameter is the <B +have multiple interfaces then you will need to use the <B CLASS="COMMAND" ->vfs object</B -> parameter which must point to -the exact pathname of the shared library objects. 
For example, to log all access -to files and use a recycle bin: - -<PRE -CLASS="PROGRAMLISTING" -> [audit] - comment = Audited /data directory - path = /data - vfs object = /path/to/audit.so /path/to/recycle.so - writeable = yes - browseable = yes</PRE -></P -><P ->The modules are used in the order they are specified.</P -><P ->Further documentation on writing VFS modules for Samba can be found in -the Samba Developers Guide.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3311" ->22.2. Included modules</A -></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3313" ->22.2.1. audit</A -></H3 -><P ->A simple module to audit file access to the syslog -facility. The following operations are logged: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->share</TD -></TR -><TR -><TD ->connect/disconnect</TD -></TR -><TR -><TD ->directory opens/create/remove</TD -></TR -><TR -><TD ->file open/close/rename/unlink/chmod</TD -></TR -></TBODY -></TABLE -><P -></P -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3321" ->22.2.2. recycle</A -></H3 -><P ->A recycle-bin like modules. When used any unlink call -will be intercepted and files moved to the recycle -directory instead of beeing deleted.</P -><P ->Supported options: -<P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->vfs_recycle_bin:repository</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:keeptree</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:versions</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:touch</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:maxsize</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:exclude</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:exclude_dir</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:noversions</DT -><DD -><P ->FIXME</P -></DD -></DL -></DIV -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3358" ->22.2.3. 
netatalk</A -></H3 -><P ->A netatalk module, that will ease co-existence of samba and -netatalk file sharing services.</P -><P ->Advantages compared to the old netatalk module: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD -></TR -><TR -><TD ->if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD -></TR -></TBODY -></TABLE -><P -></P -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3365" ->22.3. VFS modules available elsewhere</A -></H2 -><P ->This section contains a listing of various other VFS modules that -have been posted but don't currently reside in the Samba CVS -tree for one reason ot another (e.g. it is easy for the maintainer -to have his or her own CVS tree).</P -><P ->No statemets about the stability or functionality any module -should be implied due to its presence here.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3369" ->22.3.1. DatabaseFS</A -></H3 -><P ->URL: <A -HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" -TARGET="_top" ->http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A -></P -><P ->By <A -HREF="mailto:elorimer@css.tayloru.edu" -TARGET="_top" ->Eric Lorimer</A ->.</P -><P ->I have created a VFS module which implements a fairly complete read-only -filesystem. It presents information from a database as a filesystem in -a modular and generic way to allow different databases to be used -(originally designed for organizing MP3s under directories such as -"Artists," "Song Keywords," etc... I have since applied it to a student -roster database very easily). The directory structure is stored in the -database itself and the module makes no assumptions about the database -structure beyond the table it requires to run.</P -><P ->Any feedback would be appreciated: comments, suggestions, patches, -etc... 
If nothing else, hopefully it might prove useful for someone -else who wishes to create a virtual filesystem.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3377" ->22.3.2. vscan</A -></H3 -><P ->URL: <A -HREF="http://www.openantivirus.org/" -TARGET="_top" ->http://www.openantivirus.org/</A -></P -><P ->samba-vscan is a proof-of-concept module for Samba, which -uses the VFS (virtual file system) features of Samba 2.2.x/3.0 -alphaX. Of couse, Samba has to be compiled with VFS support. -samba-vscan supports various virus scanners and is maintained -by Rainer Link.</P -></DIV +>interfaces</B +> +option in smb.conf to configure them. See <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> for details.</P ></DIV ></DIV ><DIV @@ -16659,7 +18910,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3391" +NAME="AEN3884" >23.1. Introduction</A ></H2 ><P @@ -16672,7 +18923,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3394" +NAME="AEN3887" >23.2. Using host based protection</A ></H2 ><P @@ -16704,7 +18955,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3401" +NAME="AEN3894" >23.3. Using interface protection</A ></H2 ><P @@ -16740,7 +18991,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3410" +NAME="AEN3903" >23.4. Using a firewall</A ></H2 ><P @@ -16770,7 +19021,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3417" +NAME="AEN3910" >23.5. Using a IPC$ share deny</A ></H2 ><P @@ -16809,7 +19060,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3426" +NAME="AEN3919" >23.6. Upgrading Samba</A ></H2 ><P @@ -16831,7 +19082,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3440" +NAME="AEN3933" >24.1. What are charsets and unicode?</A ></H2 ><P @@ -16881,7 +19132,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3449" +NAME="AEN3942" >24.2. Samba and charsets</A ></H2 ><P 
@@ -16958,100 +19209,186 @@ CLASS="TOC" ></DT ><DT >25. <A +HREF="#SWAT" +>SWAT - The Samba Web Admininistration Tool</A +></DT +><DD +><DL +><DT +>25.1. <A +HREF="#AEN3976" +>SWAT Features and Benefits</A +></DT +><DD +><DL +><DT +>25.1.1. <A +HREF="#AEN3979" +>The SWAT Home Page</A +></DT +><DT +>25.1.2. <A +HREF="#AEN3982" +>Global Settings</A +></DT +><DT +>25.1.3. <A +HREF="#AEN3985" +>The SWAT Wizard</A +></DT +><DT +>25.1.4. <A +HREF="#AEN3988" +>Share Settings</A +></DT +><DT +>25.1.5. <A +HREF="#AEN3991" +>Printing Settings</A +></DT +><DT +>25.1.6. <A +HREF="#AEN3994" +>The Status Page</A +></DT +><DT +>25.1.7. <A +HREF="#AEN3997" +>The Password Change Page</A +></DT +></DL +></DD +></DL +></DD +><DT +>26. <A +HREF="#NT4MIGRATION" +>Migration from NT4 PDC to Samba-3 PDC</A +></DT +><DD +><DL +><DT +>26.1. <A +HREF="#AEN4012" +>Planning and Getting Started</A +></DT +><DD +><DL +><DT +>26.1.1. <A +HREF="#AEN4015" +>Objectives</A +></DT +><DT +>26.1.2. <A +HREF="#AEN4018" +>Steps In Migration Process</A +></DT +></DL +></DD +><DT +>26.2. <A +HREF="#AEN4021" +>Managing Samba-3 Domain Control</A +></DT +></DL +></DD +><DT +>27. <A HREF="#SPEED" >Samba performance issues</A ></DT ><DD ><DL ><DT ->25.1. <A -HREF="#AEN3486" +>27.1. <A +HREF="#AEN4041" >Comparisons</A ></DT ><DT ->25.2. <A -HREF="#AEN3492" +>27.2. <A +HREF="#AEN4047" >Socket options</A ></DT ><DT ->25.3. <A -HREF="#AEN3499" +>27.3. <A +HREF="#AEN4054" >Read size</A ></DT ><DT ->25.4. <A -HREF="#AEN3504" +>27.4. <A +HREF="#AEN4059" >Max xmit</A ></DT ><DT ->25.5. <A -HREF="#AEN3509" +>27.5. <A +HREF="#AEN4064" >Log level</A ></DT ><DT ->25.6. <A -HREF="#AEN3512" +>27.6. <A +HREF="#AEN4067" >Read raw</A ></DT ><DT ->25.7. <A -HREF="#AEN3517" +>27.7. <A +HREF="#AEN4072" >Write raw</A ></DT ><DT ->25.8. <A -HREF="#AEN3521" +>27.8. <A +HREF="#AEN4076" >Slow Clients</A ></DT ><DT ->25.9. <A -HREF="#AEN3525" +>27.9. <A +HREF="#AEN4080" >Slow Logins</A ></DT ><DT ->25.10. <A -HREF="#AEN3528" +>27.10. 
<A +HREF="#AEN4083" >Client tuning</A ></DT ></DL ></DD ><DT ->26. <A +>28. <A HREF="#PORTABILITY" >Portability</A ></DT ><DD ><DL ><DT ->26.1. <A -HREF="#AEN3568" +>28.1. <A +HREF="#AEN4127" >HPUX</A ></DT ><DT ->26.2. <A -HREF="#AEN3574" +>28.2. <A +HREF="#AEN4133" >SCO Unix</A ></DT ><DT ->26.3. <A -HREF="#AEN3578" +>28.3. <A +HREF="#AEN4137" >DNIX</A ></DT ><DT ->26.4. <A -HREF="#AEN3607" +>28.4. <A +HREF="#AEN4166" >RedHat Linux Rembrandt-II</A ></DT ><DT ->26.5. <A -HREF="#AEN3613" +>28.5. <A +HREF="#AEN4172" >AIX</A ></DT ><DD ><DL ><DT ->26.5.1. <A -HREF="#AEN3615" +>28.5.1. <A +HREF="#AEN4174" >Sequential Read Ahead</A ></DT ></DL 
@@ -17059,156 +19396,161 @@ HREF="#AEN3615" ></DL ></DD ><DT ->27. <A +>29. <A HREF="#OTHER-CLIENTS" >Samba and other CIFS clients</A ></DT ><DD ><DL ><DT ->27.1. <A -HREF="#AEN3633" +>29.1. <A +HREF="#AEN4196" >Macintosh clients?</A ></DT ><DT ->27.2. <A -HREF="#AEN3642" +>29.2. <A +HREF="#AEN4205" >OS2 Client</A ></DT ><DD ><DL ><DT ->27.2.1. <A -HREF="#AEN3644" +>29.2.1. <A +HREF="#AEN4207" >How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></DT ><DT ->27.2.2. <A -HREF="#AEN3659" +>29.2.2. <A +HREF="#AEN4222" >How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></DT ><DT ->27.2.3. <A -HREF="#AEN3668" +>29.2.3. <A +HREF="#AEN4231" >Are there any other issues when OS/2 (any version) is used as a client?</A ></DT ><DT ->27.2.4. <A -HREF="#AEN3672" +>29.2.4. <A +HREF="#AEN4235" >How do I get printer driver download working for OS/2 clients?</A ></DT ></DL ></DD ><DT ->27.3. <A -HREF="#AEN3682" +>29.3. <A +HREF="#AEN4245" >Windows for Workgroups</A ></DT ><DD ><DL ><DT ->27.3.1. <A -HREF="#AEN3684" +>29.3.1. <A +HREF="#AEN4247" >Use latest TCP/IP stack from Microsoft</A ></DT ><DT ->27.3.2. <A -HREF="#AEN3689" +>29.3.2. <A +HREF="#AEN4252" >Delete .pwl files after password change</A ></DT ><DT ->27.3.3. <A -HREF="#AEN3694" +>29.3.3. <A +HREF="#AEN4257" >Configure WfW password handling</A ></DT ><DT ->27.3.4. <A -HREF="#AEN3698" +>29.3.4. <A +HREF="#AEN4261" >Case handling of passwords</A ></DT ><DT ->27.3.5. <A -HREF="#AEN3703" +>29.3.5. <A +HREF="#AEN4266" >Use TCP/IP as default protocol</A ></DT ></DL ></DD ><DT ->27.4. <A -HREF="#AEN3706" +>29.4. <A +HREF="#AEN4269" >Windows '95/'98</A ></DT ><DT ->27.5. <A -HREF="#AEN3722" +>29.5. <A +HREF="#AEN4285" >Windows 2000 Service Pack 2</A ></DT +><DT +>29.6. <A +HREF="#AEN4302" +>Windows NT 3.1</A +></DT ></DL ></DD ><DT ->28. <A +>30. <A HREF="#COMPILING" >How to compile SAMBA</A ></DT ><DD ><DL ><DT ->28.1. <A -HREF="#AEN3749" +>30.1. 
<A +HREF="#AEN4323" >Access Samba source code via CVS</A ></DT ><DD ><DL ><DT ->28.1.1. <A -HREF="#AEN3751" +>30.1.1. <A +HREF="#AEN4325" >Introduction</A ></DT ><DT ->28.1.2. <A -HREF="#AEN3756" +>30.1.2. <A +HREF="#AEN4330" >CVS Access to samba.org</A ></DT ></DL ></DD ><DT ->28.2. <A -HREF="#AEN3792" +>30.2. <A +HREF="#AEN4366" >Accessing the samba sources via rsync and ftp</A ></DT ><DT ->28.3. <A -HREF="#AEN3798" +>30.3. <A +HREF="#AEN4372" >Building the Binaries</A ></DT ><DD ><DL ><DT ->28.3.1. <A -HREF="#AEN3826" +>30.3.1. <A +HREF="#AEN4400" >Compiling samba with Active Directory support</A ></DT ></DL ></DD ><DT ->28.4. <A -HREF="#AEN3855" +>30.4. <A +HREF="#AEN4429" >Starting the smbd and nmbd</A ></DT ><DD ><DL ><DT ->28.4.1. <A -HREF="#AEN3865" +>30.4.1. <A +HREF="#AEN4439" >Starting from inetd.conf</A ></DT ><DT ->28.4.2. <A -HREF="#AEN3894" +>30.4.2. <A +HREF="#AEN4469" >Alternative: starting it as a daemon</A ></DT ></DL 
@@ -17216,128 +19558,69 @@ HREF="#AEN3894" ></DL ></DD ><DT ->29. <A +>31. <A HREF="#BUGREPORT" >Reporting Bugs</A ></DT ><DD ><DL ><DT ->29.1. <A -HREF="#AEN3917" +>31.1. <A +HREF="#AEN4500" >Introduction</A ></DT ><DT ->29.2. <A -HREF="#AEN3927" +>31.2. <A +HREF="#AEN4510" >General info</A ></DT ><DT ->29.3. <A -HREF="#AEN3933" +>31.3. <A +HREF="#AEN4516" >Debug levels</A ></DT ><DT ->29.4. <A -HREF="#AEN3950" +>31.4. <A +HREF="#AEN4536" >Internal errors</A ></DT ><DT ->29.5. <A -HREF="#AEN3960" +>31.5. <A +HREF="#AEN4550" >Attaching to a running process</A ></DT ><DT ->29.6. <A -HREF="#AEN3963" +>31.6. <A +HREF="#AEN4558" >Patches</A ></DT ></DL ></DD ><DT ->30. <A +>32. <A HREF="#DIAGNOSIS" >The samba checklist</A ></DT ><DD ><DL ><DT ->30.1. <A -HREF="#AEN3986" +>32.1. <A +HREF="#AEN4581" >Introduction</A ></DT ><DT ->30.2. <A -HREF="#AEN3991" +>32.2. <A +HREF="#AEN4586" >Assumptions</A ></DT ><DT ->30.3. <A -HREF="#AEN4001" ->Tests</A -></DT -><DD -><DL -><DT ->30.3.1. <A -HREF="#AEN4003" ->Test 1</A -></DT -><DT ->30.3.2. <A -HREF="#AEN4009" ->Test 2</A -></DT -><DT ->30.3.3. <A -HREF="#AEN4015" ->Test 3</A -></DT -><DT ->30.3.4. <A -HREF="#AEN4030" ->Test 4</A -></DT -><DT ->30.3.5. <A -HREF="#AEN4035" ->Test 5</A -></DT -><DT ->30.3.6. <A -HREF="#AEN4041" ->Test 6</A -></DT -><DT ->30.3.7. <A -HREF="#AEN4049" ->Test 7</A -></DT -><DT ->30.3.8. <A -HREF="#AEN4075" ->Test 8</A -></DT -><DT ->30.3.9. <A -HREF="#AEN4092" ->Test 9</A +>32.3. <A +HREF="#AEN4596" +>The tests</A ></DT ><DT ->30.3.10. <A -HREF="#AEN4100" ->Test 10</A -></DT -><DT ->30.3.11. <A -HREF="#AEN4106" ->Test 11</A -></DT -></DL -></DD -><DT ->30.4. <A -HREF="#AEN4111" +>32.4. <A +HREF="#AEN4697" >Still having troubles?</A ></DT ></DL 
@@ -17349,16 +19632,169 @@ HREF="#AEN4111" CLASS="CHAPTER" ><HR><H1 ><A +NAME="SWAT" +></A +>Chapter 25. SWAT - The Samba Web Admininistration Tool</H1 +><P +>This is a rough guide to SWAT.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3976" +>25.1. SWAT Features and Benefits</A +></H2 +><P +>You must use at least the following ...</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3979" +>25.1.1. The SWAT Home Page</A +></H3 +><P +>Blah blah here.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3982" +>25.1.2. Global Settings</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3985" +>25.1.3. The SWAT Wizard</A +></H3 +><P +>Lots of blah blah here.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3988" +>25.1.4. Share Settings</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3991" +>25.1.5. Printing Settings</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3994" +>25.1.6. The Status Page</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3997" +>25.1.7. The Password Change Page</A +></H3 +><P +>Document steps right here!</P +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="NT4MIGRATION" +></A +>Chapter 26. Migration from NT4 PDC to Samba-3 PDC</H1 +><P +>This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3 based domain control.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4012" +>26.1. Planning and Getting Started</A +></H2 +><P +>You must use at least the following ...</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN4015" +>26.1.1. 
Objectives</A +></H3 +><P +>Blah blah objectives here.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN4018" +>26.1.2. Steps In Migration Process</A +></H3 +><P +>Document steps right here!</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4021" +>26.2. Managing Samba-3 Domain Control</A +></H2 +><P +>Lots of blah blah here.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="SPEED" ></A ->Chapter 25. Samba performance issues</H1 +>Chapter 27. Samba performance issues</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3486" ->25.1. Comparisons</A +NAME="AEN4041" +>27.1. Comparisons</A ></H2 ><P >The Samba server uses TCP to talk to the client. Thus if you are @@ -17388,8 +19824,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3492" ->25.2. Socket options</A +NAME="AEN4047" +>27.2. Socket options</A ></H2 ><P >There are a number of socket options that can greatly affect the @@ -17416,8 +19852,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3499" ->25.3. Read size</A +NAME="AEN4054" +>27.3. Read size</A ></H2 ><P >The option "read size" affects the overlap of disk reads/writes with @@ -17442,8 +19878,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3504" ->25.4. Max xmit</A +NAME="AEN4059" +>27.4. Max xmit</A ></H2 ><P >At startup the client and server negotiate a "maximum transmit" size, @@ -17465,8 +19901,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3509" ->25.5. Log level</A +NAME="AEN4064" +>27.5. Log level</A ></H2 ><P >If you set the log level (also known as "debug level") higher than 2 @@ -17479,8 +19915,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3512" ->25.6. Read raw</A +NAME="AEN4067" +>27.6. Read raw</A ></H2 ><P >The "read raw" operation is designed to be an optimised, low-latency 
@@ -17501,8 +19937,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3517" ->25.7. Write raw</A +NAME="AEN4072" +>27.7. Write raw</A ></H2 ><P >The "write raw" operation is designed to be an optimised, low-latency @@ -17518,8 +19954,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3521" ->25.8. Slow Clients</A +NAME="AEN4076" +>27.8. Slow Clients</A ></H2 ><P >One person has reported that setting the protocol to COREPLUS rather @@ -17535,8 +19971,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3525" ->25.9. Slow Logins</A +NAME="AEN4080" +>27.9. Slow Logins</A ></H2 ><P >Slow logins are almost always due to the password checking time. Using @@ -17548,8 +19984,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3528" ->25.10. Client tuning</A +NAME="AEN4083" +>27.10. Client tuning</A ></H2 ><P >Often a speed problem can be traced to the client. The client (for @@ -17656,7 +20092,7 @@ CLASS="CHAPTER" ><A NAME="PORTABILITY" ></A ->Chapter 26. Portability</H1 +>Chapter 28. Portability</H1 ><P >Samba works on a wide range of platforms but the interface all the platforms provide is not always compatible. This chapter contains @@ -17666,8 +20102,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3568" ->26.1. HPUX</A +NAME="AEN4127" +>28.1. HPUX</A ></H2 ><P >HP's implementation of supplementary groups is, er, non-standard (for @@ -17696,8 +20132,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3574" ->26.2. SCO Unix</A +NAME="AEN4133" +>28.2. SCO Unix</A ></H2 ><P > @@ -17713,8 +20149,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3578" ->26.3. DNIX</A +NAME="AEN4137" +>28.3. DNIX</A ></H2 ><P >DNIX has a problem with seteuid() and setegid(). These routines are @@ -17820,8 +20256,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3607" ->26.4. RedHat Linux Rembrandt-II</A +NAME="AEN4166" +>28.4. RedHat Linux Rembrandt-II</A ></H2 ><P >By default RedHat Rembrandt-II during installation adds an 
@@ -17844,16 +20280,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3613" ->26.5. AIX</A +NAME="AEN4172" +>28.5. AIX</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3615" ->26.5.1. Sequential Read Ahead</A +NAME="AEN4174" +>28.5.1. Sequential Read Ahead</A ></H3 ><P >Disabling Sequential Read Ahead using "vmtune -r 0" improves @@ -17867,7 +20303,7 @@ CLASS="CHAPTER" ><A NAME="OTHER-CLIENTS" ></A ->Chapter 27. Samba and other CIFS clients</H1 +>Chapter 29. Samba and other CIFS clients</H1 ><P >This chapter contains client-specific information.</P ><DIV @@ -17875,8 +20311,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3633" ->27.1. Macintosh clients?</A +NAME="AEN4196" +>29.1. Macintosh clients?</A ></H2 ><P >Yes. <A @@ -17921,16 +20357,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3642" ->27.2. OS2 Client</A +NAME="AEN4205" +>29.2. OS2 Client</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3644" ->27.2.1. How can I configure OS/2 Warp Connect or +NAME="AEN4207" +>29.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></H3 ><P @@ -17988,8 +20424,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3659" ->27.2.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN4222" +>29.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></H3 ><P @@ -18032,8 +20468,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3668" ->27.2.3. Are there any other issues when OS/2 (any version) +NAME="AEN4231" +>29.2.3. Are there any other issues when OS/2 (any version) is used as a client?</A ></H3 ><P @@ -18054,8 +20490,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3672" ->27.2.4. How do I get printer driver download working +NAME="AEN4235" +>29.2.4. How do I get printer driver download working for OS/2 clients?</A ></H3 ><P 
@@ -18101,16 +20537,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3682" ->27.3. Windows for Workgroups</A +NAME="AEN4245" +>29.3. Windows for Workgroups</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3684" ->27.3.1. Use latest TCP/IP stack from Microsoft</A +NAME="AEN4247" +>29.3.1. Use latest TCP/IP stack from Microsoft</A ></H3 ><P >Use the latest TCP/IP stack from microsoft if you use Windows @@ -18131,8 +20567,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3689" ->27.3.2. Delete .pwl files after password change</A +NAME="AEN4252" +>29.3.2. Delete .pwl files after password change</A ></H3 ><P >WfWg does a lousy job with passwords. I find that if I change my @@ -18151,8 +20587,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3694" ->27.3.3. Configure WfW password handling</A +NAME="AEN4257" +>29.3.3. Configure WfW password handling</A ></H3 ><P >There is a program call admincfg.exe @@ -18170,8 +20606,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3698" ->27.3.4. Case handling of passwords</A +NAME="AEN4261" +>29.3.4. Case handling of passwords</A ></H3 ><P >Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <A @@ -18188,8 +20624,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3703" ->27.3.5. Use TCP/IP as default protocol</A +NAME="AEN4266" +>29.3.5. Use TCP/IP as default protocol</A ></H3 ><P >To support print queue reporting you may find @@ -18204,8 +20640,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3706" ->27.4. Windows '95/'98</A +NAME="AEN4269" +>29.4. Windows '95/'98</A ></H2 ><P >When using Windows 95 OEM SR2 the following updates are recommended where Samba @@ -18252,8 +20688,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3722" ->27.5. Windows 2000 Service Pack 2</A +NAME="AEN4285" +>29.5. Windows 2000 Service Pack 2</A ></H2 ><P 
> @@ -18319,15 +20755,49 @@ for the profile. This default ACL includes </P CLASS="COMMAND" >DOMAIN\user "Full Control"</B ></P +><DIV +CLASS="NOTE" ><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users.</I -></SPAN ></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>This bug does not occur when using winbind to +create accounts on the Samba host for Domain users.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4302" +>29.6. Windows NT 3.1</A +></H2 +><P +>If you have problems communicating across routers with Windows +NT 3.1 workstations, read <A +HREF="http://support.microsoft.com/default.aspx?scid=kb;[LN];Q103765" +TARGET="_top" +>this Microsoft Knowledge Base article</A +>. </P ></DIV ></DIV ><DIV @@ -18336,7 +20806,7 @@ CLASS="CHAPTER" ><A NAME="COMPILING" ></A ->Chapter 28. How to compile SAMBA</H1 +>Chapter 30. How to compile SAMBA</H1 ><P >You can obtain the samba source from the <A HREF="http://samba.org/" @@ -18349,16 +20819,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3749" ->28.1. Access Samba source code via CVS</A +NAME="AEN4323" +>30.1. Access Samba source code via CVS</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3751" ->28.1.1. Introduction</A +NAME="AEN4325" +>30.1.1. Introduction</A ></H3 ><P >Samba is developed in an open environment. Developers use CVS @@ -18379,8 +20849,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3756" ->28.1.2. CVS Access to samba.org</A +NAME="AEN4330" +>30.1.2. CVS Access to samba.org</A ></H3 ><P >The machine samba.org runs a publicly accessible CVS 
@@ -18392,8 +20862,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3759" ->28.1.2.1. Access via CVSweb</A +NAME="AEN4333" +>30.1.2.1. Access via CVSweb</A ></H4 ><P >You can access the source code via your @@ -18413,8 +20883,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3764" ->28.1.2.2. Access via cvs</A +NAME="AEN4338" +>30.1.2.2. Access via cvs</A ></H4 ><P >You can also access the source code via a @@ -18454,9 +20924,9 @@ TYPE="1" > Run the command </P ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot login</B +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot login</KBD > </P ><P @@ -18471,9 +20941,9 @@ CLASS="USERINPUT" > Run the command </P ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</KBD > </P ><P @@ -18488,12 +20958,12 @@ CLASS="PARAMETER" > and defining a tag name. A list of branch tag names can be found on the "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. + latest 2.2 release code. This could be done by using the following userinput. </P ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</KBD > </P ></LI @@ -18503,9 +20973,9 @@ CLASS="COMMAND" the following command from within the samba directory: </P ><P -> <B -CLASS="COMMAND" ->cvs update -d -P</B +> <KBD +CLASS="USERINPUT" +>cvs update -d -P</KBD > </P ></LI @@ -18518,8 +20988,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3792" ->28.2. Accessing the samba sources via rsync and ftp</A +NAME="AEN4366" +>30.2. Accessing the samba sources via rsync and ftp</A ></H2 ><P > pserver.samba.org also exports unpacked copies of most parts of the CVS tree at <A 
@@ -18546,14 +21016,14 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3798" ->28.3. Building the Binaries</A +NAME="AEN4372" +>30.3. Building the Binaries</A ></H2 ><P ->To do this, first run the program <B -CLASS="COMMAND" +>To do this, first run the program <KBD +CLASS="USERINPUT" >./configure - </B + </KBD > in the source directory. This should automatically configure Samba for your operating system. If you have unusual needs then you may wish to run</P @@ -18632,8 +21102,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3826" ->28.3.1. Compiling samba with Active Directory support</A +NAME="AEN4400" +>30.3.1. Compiling samba with Active Directory support</A ></H3 ><P >In order to compile samba with ADS support, you need to have installed @@ -18682,8 +21152,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3838" ->28.3.1.1. Installing the required packages for Debian</A +NAME="AEN4412" +>30.3.1.1. Installing the required packages for Debian</A ></H4 ><P >On Debian you need to install the following packages:</P @@ -18713,8 +21183,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3845" ->28.3.1.2. Installing the required packages for RedHat</A +NAME="AEN4419" +>30.3.1.2. Installing the required packages for RedHat</A ></H4 ><P >On RedHat this means you should have at least: </P @@ -18755,22 +21225,22 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3855" ->28.4. Starting the smbd and nmbd</A +NAME="AEN4429" +>30.4. Starting the smbd and nmbd</A ></H2 ><P >You must choose to start smbd and nmbd either - as daemons or from <B -CLASS="COMMAND" ->inetd</B ->. Don't try + as daemons or from <SPAN +CLASS="APPLICATION" +>inetd</SPAN +>Don't try to do both! Either you can put them in <TT CLASS="FILENAME" > inetd.conf</TT > and have them started on demand - by <B -CLASS="COMMAND" ->inetd</B + by <SPAN +CLASS="APPLICATION" +>inetd</SPAN >, or you can start them as daemons either from the command line or in <TT CLASS="FILENAME" 
@@ -18780,13 +21250,13 @@ CLASS="FILENAME" the bit about what user you need to be in order to start Samba. In many cases you must be root.</P ><P ->The main advantage of starting <B -CLASS="COMMAND" ->smbd</B +>The main advantage of starting <SPAN +CLASS="APPLICATION" +>smbd</SPAN > - and <B -CLASS="COMMAND" ->nmbd</B + and <SPAN +CLASS="APPLICATION" +>nmbd</SPAN > using the recommended daemon method is that they will respond slightly more quickly to an initial connection request.</P @@ -18795,8 +21265,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3865" ->28.4.1. Starting from inetd.conf</A +NAME="AEN4439" +>30.4.1. Starting from inetd.conf</A ></H3 ><P >NOTE; The following will be different if @@ -18857,19 +21327,39 @@ CLASS="FILENAME" ><P >NOTE: On many systems you may need to use the "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run <B -CLASS="COMMAND" ->ifconfig</B + and netmask of your interfaces. Run <SPAN +CLASS="APPLICATION" +>ifconfig</SPAN > as root if you don't know what the broadcast is for your - net. <B -CLASS="COMMAND" ->nmbd</B + net. <SPAN +CLASS="APPLICATION" +>nmbd</SPAN > tries to determine it at run - time, but fails on some unixes. See the section on "testing nmbd" - for a method of finding if you need to do this.</P + time, but fails on some unixes. + </P +><DIV +CLASS="WARNING" ><P ->!!!WARNING!!! Many unixes only accept around 5 +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Many unixes only accept around 5 parameters on the command line in <TT CLASS="FILENAME" >inetd.conf</TT 
@@ -18880,14 +21370,18 @@ CLASS="FILENAME" CLASS="COMMAND" >inetd</B >.</P +></TD +></TR +></TABLE +></DIV ><P >Restart <B CLASS="COMMAND" >inetd</B >, perhaps just send - it a HUP. If you have installed an earlier version of <B -CLASS="COMMAND" -> nmbd</B + it a HUP. If you have installed an earlier version of <SPAN +CLASS="APPLICATION" +> nmbd</SPAN > then you may need to kill nmbd as well.</P ></DIV ><DIV @@ -18895,8 +21389,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3894" ->28.4.2. Alternative: starting it as a daemon</A +NAME="AEN4469" +>30.4.2. Alternative: starting it as a daemon</A ></H3 ><P >To start the server as a daemon you should create @@ -18938,13 +21432,37 @@ CLASS="COMMAND" CLASS="COMMAND" >smbd</B >.</P +><DIV +CLASS="NOTE" ><P ->NOTE: If you use the SVR4 style init system then +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>If you use the SVR4 style init system then you may like to look at the <TT CLASS="FILENAME" >examples/svr4-startup</TT > script to make Samba fit into that system.</P +></TD +></TR +></TABLE +></DIV ></DIV ></DIV ></DIV @@ -18954,18 +21472,18 @@ CLASS="CHAPTER" ><A NAME="BUGREPORT" ></A ->Chapter 29. Reporting Bugs</H1 +>Chapter 31. Reporting Bugs</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3917" ->29.1. Introduction</A +NAME="AEN4500" +>31.1. Introduction</A ></H2 ><P >The email address for bug reports for stable releases is <A -HREF="samba@samba.org" +HREF="mailto:samba@samba.org" TARGET="_top" >samba@samba.org</A >. @@ -19005,8 +21523,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3927" ->29.2. General info</A +NAME="AEN4510" +>31.2. General info</A ></H2 ><P >Before submitting a bug report check your config for silly 
@@ -19015,8 +21533,7 @@ you've misconfigured something and run testparm to test your config file for correct syntax.</P ><P >Have you run through the <A -HREF="Diagnosis.html" -TARGET="_top" +HREF="#DIAGNOSIS" >diagnosis</A >? This is very important.</P @@ -19030,8 +21547,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3933" ->29.3. Debug levels</A +NAME="AEN4516" +>31.3. Debug levels</A ></H2 ><P >If the bug has anything to do with Samba behaving incorrectly as a @@ -19061,9 +21578,15 @@ include = /usr/local/samba/lib/smb.conf.%m</PRE >then create a file <TT CLASS="FILENAME" ->/usr/local/samba/lib/smb.conf.machine</TT +>/usr/local/samba/lib/smb.conf.<VAR +CLASS="REPLACEABLE" +>machine</VAR +></TT > where -"machine" is the name of the client you wish to debug. In that file +<VAR +CLASS="REPLACEABLE" +>machine</VAR +> is the name of the client you wish to debug. In that file put any smb.conf commands you want, for example <B CLASS="COMMAND" @@ -19084,7 +21607,10 @@ CLASS="COMMAND" >debuglevel =</B > that has been used in older versions of Samba and is being retained for backwards -compatibility of smb.conf files.</P +compatibility of <TT +CLASS="FILENAME" +>smb.conf</TT +> files.</P ><P >As the <B CLASS="COMMAND" @@ -19100,14 +21626,14 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3950" ->29.4. Internal errors</A +NAME="AEN4536" +>31.4. Internal errors</A ></H2 ><P >If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software)</P +you have faulty hardware or system software).</P ><P >If the message came from smbd then it will probably be accompanied by a message which details the last SMB message received by smbd. This 
@@ -19117,7 +21643,10 @@ include it in your bug report.</P >You should also detail how to reproduce the problem, if possible. Please make this reasonably detailed.</P ><P ->You may also find that a core file appeared in a "corefiles" +>You may also find that a core file appeared in a <TT +CLASS="FILENAME" +>corefiles</TT +> subdirectory of the directory where you keep your samba log files. This file is the most useful tool for tracking down the bug. To use it you do this:</P @@ -19128,11 +21657,20 @@ CLASS="COMMAND" ></P ><P >adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try "dbx". Then within the debugger use the -command "where" to give a stack trace of where the problem +don't have gdb then try <KBD +CLASS="USERINPUT" +>dbx</KBD +>. Then within the debugger use the +command <KBD +CLASS="USERINPUT" +>where</KBD +> to give a stack trace of where the problem occurred. Include this in your mail.</P ><P ->If you known any assembly language then do a "disass" of the routine +>If you known any assembly language then do a <KBD +CLASS="USERINPUT" +>disass</KBD +> of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you 
@@ -19144,15 +21682,30 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3960" ->29.5. Attaching to a running process</A +NAME="AEN4550" +>31.5. Attaching to a running process</A ></H2 ><P >Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd does often). To debug with this sort of system you could try to attach -to the running process using "gdb smbd PID" where you get PID from -smbstatus. Then use "c" to continue and try to cause the core dump +to the running process using <KBD +CLASS="USERINPUT" +>gdb smbd <VAR +CLASS="REPLACEABLE" +>PID</VAR +></KBD +> where you get <VAR +CLASS="REPLACEABLE" +>PID</VAR +> from +<SPAN +CLASS="APPLICATION" +>smbstatus</SPAN +>. Then use <KBD +CLASS="USERINPUT" +>c</KBD +> to continue and try to cause the core dump using the client. The debugger should catch the fault and tell you where it occurred.</P ></DIV @@ -19161,18 +21714,18 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3963" ->29.6. Patches</A +NAME="AEN4558" +>31.6. Patches</A ></H2 ><P >The best sort of bug report is one that includes a fix! If you send us -patches please use <B -CLASS="COMMAND" ->diff -u</B +patches please use <KBD +CLASS="USERINPUT" +>diff -u</KBD > format if your version of -diff supports it, otherwise use <B -CLASS="COMMAND" ->diff -c4</B +diff supports it, otherwise use <KBD +CLASS="USERINPUT" +>diff -c4</KBD >. Make sure your do the diff against a clean version of the source and let me know exactly what version you used. </P @@ -19184,14 +21737,14 @@ CLASS="CHAPTER" ><A NAME="DIAGNOSIS" ></A ->Chapter 30. The samba checklist</H1 +>Chapter 32. The samba checklist</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3986" ->30.1. Introduction</A +NAME="AEN4581" +>32.1. Introduction</A ></H2 ><P >This file contains a list of tests you can perform to validate your 
@@ -19212,8 +21765,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3991" ->30.2. Assumptions</A +NAME="AEN4586" +>32.2. Assumptions</A ></H2 ><P >In all of the tests it is assumed you have a Samba server called @@ -19250,17 +21803,18 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4001" ->30.3. Tests</A +NAME="AEN4596" +>32.3. The tests</A ></H2 ><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN4003" ->30.3.1. Test 1</A -></H3 +CLASS="PROCEDURE" +><P +><B +>Diagnosing your samba server</B +></P +><OL +TYPE="1" +><LI ><P >In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -19274,15 +21828,8 @@ CLASS="FILENAME" CLASS="FILENAME" >/usr/local/samba/lib</TT ></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4009" ->30.3.2. Test 2</A -></H3 +></LI +><LI ><P >Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -19300,15 +21847,8 @@ you do have correct entries for the remainder of these tests. </P software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux this is done via the ipfwadm program.)</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4015" ->30.3.3. Test 3</A -></H3 +></LI +><LI ><P >Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back. </P 
@@ -19371,15 +21911,8 @@ to start smbd as a daemon, it can avoid a lot of frustration!</P and / or broadcast address settings are incorrect. Please check that the network interface IP Address / Broadcast Address / Subnet Mask settings are correct and that Samba has correctly noted these in the log.nmb file.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4030" ->30.3.4. Test 4</A -></H3 +></LI +><LI ><P >Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back.</P @@ -19392,15 +21925,8 @@ to udp port 137.</P parameters on the command line. If this is the case then create a one-line script that contains the right parameters and run that from inetd.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4035" ->30.3.5. Test 5</A -></H3 +></LI +><LI ><P >run the command <B CLASS="COMMAND" @@ -19413,15 +21939,8 @@ got the name of the PC wrong. </P ><P >If ACLIENT doesn't resolve via DNS then use the IP address of the client in the above test.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4041" ->30.3.6. Test 6</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19447,15 +21966,8 @@ subnet.</P ><P >This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to TEST 3 notes above).</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4049" ->30.3.7. Test 7</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19536,15 +22048,8 @@ when you type <B CLASS="COMMAND" >dir</B >.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4075" ->30.3.8. Test 8</A -></H3 +></LI +><LI ><P >On the PC type the command <B CLASS="COMMAND" 
@@ -19596,15 +22101,8 @@ name and password.</P it probably means that the host is not contactable via tcp services. Check to see if the host is running tcp wrappers, and if so add an entry in the hosts.allow file for your client (or subnet, etc.)</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4092" ->30.3.9. Test 9</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19630,15 +22128,8 @@ CLASS="FILENAME" >smb.conf</TT >. Turn it back on to fix.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4100" ->30.3.10. Test 10</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19656,15 +22147,8 @@ CLASS="COMMAND" >preferred master = yes</B > to ensure that an election is held at startup.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4106" ->30.3.11. Test 11</A -></H3 +></LI +><LI ><P >From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -19683,6 +22167,8 @@ CLASS="COMMAND" > in your smb.conf file, or enable encrypted passwords AFTER compiling in support for encrypted passwords (refer to the Makefile).</P +></LI +></OL ></DIV ></DIV ><DIV @@ -19690,8 +22176,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4111" ->30.4. Still having troubles?</A +NAME="AEN4697" +>32.4. Still having troubles?</A ></H2 ><P >Try the mailing list or newsgroup, or use the ethereal utility to @@ -19706,7 +22192,7 @@ out the samba web page at <A HREF="http://samba.org/samba" TARGET="_top" ->http://samba.org/samba</A +>http://samba.org/samba/</A ></P ><P >Also look at the other docs in the Samba package!</P |
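Review bot: In the hunk at @@ -18392,8 +20862,8 @@ (section 30.1.2.2, Access via cvs), the prose sentence "This could be done by using the following command." now ends in "the following userinput.", which looks like the COMMAND to USERINPUT markup rename leaking into running text. Suggest restoring the word "command" there and checking the rest of the document for the same replacement outside of CLASS attributes.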
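Review bot: In section 30.4 (hunk @@ -18546,14 +21016,14 @@, "Starting the smbd and nmbd"), the change from `>inetd</B >. Don't try` to `>inetd</SPAN >Don't try` drops the full stop and the space after it, so the rendered sentence runs together as "from inetdDon't try to do both!". Suggest keeping ". " after the closing SPAN.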
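Review bot: The new WARNING table in hunk @@ -18857,19 +21327,39 @@ and the NOTE table in hunk @@ -18938,13 +21432,37 @@ load their icons from SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" and ".../note.gif", an absolute path on a local filesystem. Readers who get this HTML from a web server or an unpacked source tree will see only the ALT text, so suggest a path relative to the docs directory with the images shipped next to the HTML, or leaving admonition graphics out. The first of these hunks also removes the sentence pointing readers to the "testing nmbd" section for checking whether the "interfaces" option is needed; if that was not deliberate, it should come back.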
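Review bot: Markup for program names is now inconsistent within one paragraph in hunk @@ -18880,14 +21370,18 @@: "Restart inetd" keeps `<B CLASS="COMMAND">` while nmbd in the next sentence moves to `<SPAN CLASS="APPLICATION">`, and the warning just above still closes on `CLASS="COMMAND" >inetd</B`. The 30.4 hunks already mark inetd as APPLICATION, so suggest using the same class here.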
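Review bot: In hunk @@ -19128,11 +21657,20 @@ (section 31.4, Internal errors) the rewritten line still reads "If you known any assembly language", and the following context line has "if its in a library routine". Since the line is being touched anyway, suggest "If you know" and "if it's". The neighbouring Patches hunk (@@ -19161,18 +21714,18 @@) has the same kind of slip in "Make sure your do the diff".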
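Review bot: Converting the checklist in section 32.3 from SECT2 blocks to a single `<OL TYPE="1">` (hunks from @@ -19250,17 +21803,18 @@ through @@ -19683,6 +22167,8 @@) removes every "Test N" heading and its named anchor (AEN4003, AEN4009, and so on), yet the text inside step 6 still says "(Refer to TEST 3 notes above)". That reference now depends on the reader counting list items, and nothing can link to an individual test any more. Suggest giving each LI an anchor or rewording the cross-references to "step 3". Step 5 also still begins with a lower-case "run the command" where the other steps start with "Run".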
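Review bot: In hunk @@ -19706,7 +22192,7 @@ (section 32.4) only the link text gains a trailing slash, giving `HREF="http://samba.org/samba"` with visible text "http://samba.org/samba/". Suggest updating the HREF to match so that the displayed and actual targets are the same.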