Diffstat (limited to 'docs/htmldocs/samba-pdc-howto.html')
| -rw-r--r-- | docs/htmldocs/samba-pdc-howto.html | 2554 | 
1 files changed, 1008 insertions, 1546 deletions
diff --git a/docs/htmldocs/samba-pdc-howto.html b/docs/htmldocs/samba-pdc-howto.html index 760e2e73b8..a2bca689ef 100644 --- a/docs/htmldocs/samba-pdc-howto.html +++ b/docs/htmldocs/samba-pdc-howto.html @@ -1,7 +1,7 @@  <HTML  ><HEAD  ><TITLE ->The Samba 2.2 PDC FAQ</TITLE +>The Samba 2.2 PDC HowTo </TITLE  ><META  NAME="GENERATOR"  CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD @@ -15,15 +15,15 @@ ALINK="#0000FF"  ><DIV  CLASS="BOOK"  ><A -NAME="SAMBA-PDC-FAQ" +NAME="SAMBA-PDC-HOWTO"  ></A  ><DIV  CLASS="TITLEPAGE"  ><H1  CLASS="TITLE"  ><A -NAME="SAMBA-PDC-FAQ" ->The Samba 2.2 PDC FAQ</A +NAME="SAMBA-PDC-HOWTO" +>The Samba 2.2 PDC HowTo</A  ></H1  ><H3  CLASS="AUTHOR" 
@@ -40,50 +40,42 @@ CLASS="ORGNAME"  ><HR></DIV  ><HR><H1  ><A -NAME="AEN12" +NAME="AEN10"  ></A  ></H1  ><P  >Comments, corrections and additions to <TT  CLASS="EMAIL"  ><<A -HREF="mailto:D.Bannon@latrobe.edu.au" ->D.Bannon@latrobe.edu.au</A +HREF="mailto:dbannon@samba.org" +>dbannon@samba.org</A  >></TT  ></P  ><P ->This is the FAQ for Samba 2.2 as an NTDomain controller.  -	This document is derived from the origional FAQ that was built and  -	maintained by Gerald Carter -	from the early days of Samba NTDomain development up until recently.  -	It is now being updated as significent changes are made to 2.2.0.</P -><P ->Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba 2.0.7, TNG nor HEAD branch. +>	This document explains how to setup Samba as a Primary Domain Controller and  +	applies to version 2.2.0.  +	Before +	using these functions make sure you understand what the controller can and cannot do. +	Please read the sections below in the Introduction.  +	As 2.2.0 is incrementally updated +	this document will change or become out of date very quickly, make sure you are +	reading the most current version.      </P  ><P ->I'll repeat, it does not apply to the current snapshot [ftp mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the to the current cvs.</P +>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1,  +    Samba 2.0.7, TNG nor HEAD branch.</P +><P +>It does apply to the current (post November 27th) cvs.</P  ><P ->	Also available is a Samba 2.2 PDC <A -HREF="samba-pdc-howto.html" +>	Also available is an updated version of Jerry Carter's NTDom <A +HREF="samba-pdc-faq.html"  TARGET="_top" ->HowTo</A -> that takes you, step -    by step, over the process of setting up a very basic Samba 2.2 Primary Domain Controller +>    FAQ</A +> that will answer lots of  +	the special 'tuning' questions that are not covered here. Over the next couple of weeks +	some of the items here will be moved to the FAQ.      
</P  ><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->Please read the Introduction for the current <A -HREF="#AEN27" -> state of play</A ->.</P -></BLOCKQUOTE -></DIV -><DIV  CLASS="TOC"  ><DL  ><DT 
@@ -92,263 +84,147 @@ CLASS="TOC"  ></DT  ><DT  >1. <A -HREF="#AEN25" +HREF="#AEN20"  >Introduction</A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN27" ->State of Play</A +HREF="#AEN28" +>What can we do ?</A  ></DT  ><DT  ><A  HREF="#AEN44" ->Introduction</A +>What can't we do ?</A  ></DT  ></DL  ></DD  ><DT  >2. <A -HREF="#AEN49" ->General Information</A +HREF="#AEN55" +>Installing</A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN51" ->What can we do ?</A +HREF="#AEN59" +>Start Up Script</A  ></DT -><DD -><DL  ><DT  ><A -HREF="#AEN53" ->What can Samba Primary Domain Controller (PDC) do ?</A +HREF="#AEN66" +>Config File</A  ></DT +><DD +><DL  ><DT  ><A -HREF="#AEN86" ->Can I have a Windows 2000 client logon to a Samba controlled domain?</A +HREF="#AEN68" +>A sample conf file</A  ></DT  ><DT  ><A -HREF="#AEN89" ->What's the status of print spool (spoolss) support in the NTDOM code?</A +HREF="#AEN79" +>PDC Config Parameters</A  ></DT  ></DL  ></DD  ><DT  ><A -HREF="#AEN92" ->CVS</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN95" ->What are the different Samba branches available in CVS ?</A +HREF="#AEN115" +>Special directories</A  ></DT -><DT -><A -HREF="#AEN118" ->What are the CVS commands ?</A -></DT -></DL -></DD  ></DL  ></DD  ><DT  >3. 
<A -HREF="#AEN149" ->Establishing Connections</A +HREF="#AEN126" +>User and Machine Accounts</A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN151" -></A +HREF="#AEN128" +>Logon Accounts</A  ></DT -><DD -><DL  ><DT  ><A -HREF="#AEN153" ->How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?</A +HREF="#MACHINEACCOUNT" +>Machine Accounts</A  ></DT  ><DT  ><A -HREF="#AEN158" ->What is a 'machine account' ?</A +HREF="#AEN163" +>Joining the Domain</A  ></DT  ><DT  ><A -HREF="#AEN165" ->"The machine account for this computer either does not exist or is not accessable."</A +HREF="#AEN211" +>User Accounts</A  ></DT  ><DT  ><A -HREF="#AEN171" ->How do I create machine accounts manually ?</A -></DT -><DT -><A -HREF="#AEN184" ->I cannot include a '$' in a machine name.</A -></DT -><DT -><A -HREF="#AEN190" ->I get told "You already have a connection to the Domain...." when creating a -	 machine account.</A -></DT -><DT -><A -HREF="#AEN194" ->I get told "Cannot join domain, the credentials supplied conflict -                with an existing set.."</A -></DT -><DT -><A -HREF="#AEN198" ->"The system can not log you on (C000019B)...."</A +HREF="#AEN223" +>Domain Admin Accounts</A  ></DT  ></DL  ></DD -></DL -></DD  ><DT  >4. <A -HREF="#AEN202" ->User Account Management</A +HREF="#AEN231" +>Profiles, Policies and Logon Scripts</A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN204" ->Domain Admins</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN206" ->How do I configure an account as a domain administrator?</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN210" +HREF="#AEN233"  >Profiles</A  ></DT -><DD -><DL  ><DT  ><A -HREF="#AEN212" ->Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? 
?</A -></DT -><DT -><A -HREF="#AEN226" ->Why are all the users listed in the "domain admin users" using the same profile?</A -></DT -><DT -><A -HREF="#AEN229" ->The roaming profiles do not seem to be updating on the server.</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN237" +HREF="#AEN240"  >Policies</A  ></DT -><DD -><DL -><DT -><A -HREF="#AEN239" ->What are 'Policies' ?.</A -></DT -><DT -><A -HREF="#AEN246" ->I can't get system policies to work.</A -></DT -><DT -><A -HREF="#AEN260" ->What about Windows NT Policy Editor ?</A -></DT -><DT -><A -HREF="#AEN274" ->Can Win95 do Policies ?</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN280" ->Passwords</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN282" ->What is password sync and should I use it ?</A -></DT  ><DT  ><A -HREF="#AEN295" ->How do I get remote password (unix and SMB) changing working ?</A +HREF="#AEN251" +>Logon Scripts</A  ></DT  ></DL  ></DD -></DL -></DD  ><DT  >5. <A -HREF="#AEN301" ->Miscellaneous</A +HREF="#AEN272" +>Passwords and Authentication</A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN303" +HREF="#AEN278"  ></A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN305" ->How do I get 'User Manager' and 'Server Manager'</A -></DT -><DT -><A -HREF="#AEN320" ->The time setting from a Samba server does not work.</A +HREF="#AEN280" +>Syncing Passwords</A  ></DT  ><DT  ><A -HREF="#AEN324" ->"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</A +HREF="#AEN286" +>Using PAM</A  ></DT  ><DT  ><A -HREF="#AEN328" ->How do I get my samba server to become a member ( not PDC ) of an NT domain?</A +HREF="#AEN292" +>Authenticating other Samba Servers</A  ></DT  ></DL  ></DD 
@@ -356,52 +232,32 @@ HREF="#AEN328"  ></DD  ><DT  >6. <A -HREF="#AEN363" ->Troubleshooting and Bug Reporting</A -></DT -><DD -><DL -><DT -><A -HREF="#AEN365" ->Diagnostic tools</A +HREF="#AEN298" +>Background</A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN367" ->What are some diagnostics tools I can use to debug the domain logon process and where can I -	find them?</A -></DT -><DT -><A -HREF="#AEN375" ->How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?</A -></DT -></DL -></DD -><DT -><A -HREF="#AEN404" ->What other help can I get ?</A +HREF="#AEN300" +></A  ></DT  ><DD  ><DL  ><DT  ><A -HREF="#AEN407" ->URLs and similar</A +HREF="#AEN302" +>History</A  ></DT  ><DT  ><A -HREF="#AEN453" ->How do I get help from the mailing lists ?</A +HREF="#AEN310" +>The Future</A  ></DT  ><DT  ><A -HREF="#AEN482" ->How do I get off the mailing lists ?</A +HREF="#AEN322" +>Getting further help</A  ></DT  ></DL  ></DD 
@@ -413,693 +269,861 @@ HREF="#AEN482"  CLASS="CHAPTER"  ><HR><H1  ><A -NAME="AEN25" +NAME="AEN20"  >Chapter 1. Introduction</A  ></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN27" ->State of Play</A -></H1 -><P -><I -CLASS="EMPHASIS" ->It should be noted that 2.2.0 in its pre-release form still has a few problems, -	I'll try and keep this section current while things are still dynamic.  -	At the time of this update (November 13, 2000) the current state of play is :</I -></P -><P ->Comments here about W2K joining the domain apply only to Samba 2.2 from the CVS after November 27th. The -    'snapshot' release Samba2.2alpha1 does not work !!! See below on how to get a CVS tree.</P  ><P ->Client Side creation of Machine accounts does work but is not complete.  -    Firstly, the <TT -CLASS="FILENAME" ->add user script</TT -> runs as the user who's -    name was entered, not as root. Secondly, the machine name passed to the script (%U)  -    has an underscore at the end, not a '$'. One alternative is to use  %m and add the $. -    This method is documented in the <A -HREF="samba-pdc-howto.html" +>This document will show you one way of making Version 2.2.0   +of Samba perform some of the tasks of a  +NT Primary Domain Controller. The facilities described are built into Samba as a result of  +development work done over a number of years by a large number of people. These facilities  +are only just beginning to be officially supported and although they do appear to work reliably,  +if you use them then you take the risks upon your self.  This document does not cover the +developmental versions of Samba, particularly  +<A +HREF="http://www.samba-tng.org/"  TARGET="_top" ->HowTo</A ->.   -    And thirdly, it does not work with NT4ws.  -    </P +><I +CLASS="CITETITLE" +>Samba-TNG</I +></A +> +
</P  ><P ->A W2K machine can join the domain. See the <A -HREF="samba-pdc-howto.html" +>Note that <A +HREF="http://bioserve.latrobe.edu.au/samba"  TARGET="_top" ->HowTo</A +>Samba 2.0.7</A  > -     which explains the process. The methods -    described are 'work arounds' and should be regarded as temporary. Although I (drb)  -    have tested these procedures a number  of people have had difficulty so there -    may be other issues at work. JFM is aware of these  -    problems and will attend to them when he can.</P -><P ->A Domain Admin account is required and at present it appears that only root -	is a suitable candidate.</P -><P ->Much of the related code does work. For example, if an NT is removed from the  -	domain and then rejoins, the <TT -CLASS="FILENAME" ->Create a Computer Account in the Domain</TT -> dialog -	will let you reset the smbpasswd. That is you don't need to do it from -	the unix box. However, at the present, you do need to have root as an  -	administrator and use the root user name and password.</P -><P -><I -CLASS="EMPHASIS" ->Actually I'm  -    not sure that last paragraph is correct ....</I -></P +    supports significently less of the NT Domain facilities compared with 2.2.0 +    </P  ><P -><B -CLASS="COMMAND" ->Policies</B -> do work on a W2K machine. MS says that recent builds of  -    W2K dont observe an NT policy but it appears it does in 'legacy' mode.</P -></DIV +>	This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by +	John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide +	more detail and an insight to the development +	cycle and should be considered 'further reading'.
</P  ><DIV  CLASS="SECT1"  ><HR><H1  CLASS="SECT1"  ><A -NAME="AEN44" ->Introduction</A -></H1 -><P ->This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing with the 'old head' -	version of Samba and its NTDomain facilities. It is being rewritten by David Bannon (drb) -	so that it addresses more accurately the Samba 2.2 planned for release late 2000. </P -><P ->This document probably still contains some material that does not apply to  -	Samba 2.2 but most (all?) of the really misleading stuff has been removed. Some  -    issues are not dealt with or are dealt with badly. Please send corrections and additions to -	David Bannon at D.Bannon@latrobe.edu.au</P -><P ->Hopefully, as we all become familiar with the Samba 2.2 as a PDC this document will -	become much more usefull.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN49" ->Chapter 2. General Information</A -></H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN51" +NAME="AEN28"  >What can we do ?</A  ></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN53" ->What can Samba Primary Domain Controller (PDC) do ?</A -></H2 -><P ->If you wish to have Samba act as a PDC for Windows NT 3.51.and 4.0 or W2000 client, then you  -	will need to obtain the 2.2.0 version, currently in pre-release. Release of a stable,  -	full featured Samba PDC is currently slated for version 3.0. </P -><P ->The following is a list of included  features currently in Samba 2.2:</P  ><P  ></P  ><UL  ><LI  ><P ->The ability to act as a limited PDC for Windows NT and W2000 clients.   -	This includes adding NT and W2K machines to the domain and authenticating users logging  -	into the domain.</P -></LI -><LI -><P ->Domain account can be viewed using the User Manager for  -	Domains  ????</P -></LI -><LI -><P ->Viewing resources on the Samba PDC via the Server Manager for Domains  -	from the NT client. 
??</P -></LI -><LI -><P ->Windows 95 clients will allow user level security to be set  -	but will not currently allow browsing of accounts.</P +>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central  +	password database. WRT W2K, please see the section about adding machine  +	accounts and the Intro in the <A +HREF="samba-pdc-faq.html" +TARGET="_top" +>FAQ</A +>.</P  ></LI  ><LI  ><P ->Machine account password updates.</P +>Grant Administrator privileges to particular domain users on an  +	NT or W2K workstation.</P  ></LI  ><LI  ><P ->Changing of user passwords from an NT client.</P +>Apply policies from a domain policy file to NT and W2K (?)  +	workstation.</P  ></LI  ><LI  ><P ->Partial support for Windows NT group and username mapping.</P +>Run the appropriate logon script when a user logs on to the domain +	.</P  ></LI  ><LI  ><P ->Support for a LDAP password database backend.</P +>Maintain a user's local profile on the server.</P  ></LI  ><LI  ><P ->Printing.</P +>Validate a user using another system via smb (such as smb_pam) and  +	soon winbind (?).</P  ></LI  ></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN44" +>What can't we do ?</A +></H1  ><P  ></P -><P -><B ->These things are note expected to work in the forseeable future</B -></P  ><UL  ><LI  ><P ->Trust relationships</P +> Become or work with a Backup Domain Controller (a BDC).</P  ></LI  ><LI  ><P ->PDC and BDC integration</P +> Participate in any sort of trust relationship (with either Samba or NT  +	Servers).</P  ></LI  ><LI  ><P ->Windows NT ACLs (on the Samba shares)</P +> Offer a list of domain users to User Manager for Domains  +	on the Security Tab etc).</P  ></LI  ><LI  ><P ->Offer a list of domain users to User Manager for Domains  -	(or the Security Tab etc).</P +>Be a W2K type of Domain Controller. 
Samba PDC will behave like +	an NT PDC, W2K workstations connect in legacy mode.</P  ></LI  ></UL  ></DIV +></DIV  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" +CLASS="CHAPTER" +><HR><H1  ><A -NAME="AEN86" ->Can I have a Windows 2000 client logon to a Samba controlled domain?</A -></H2 +NAME="AEN55" +>Chapter 2. Installing</A +></H1  ><P ->The 2.2 release branch of Samba  supports Windows 2000 domain  -		clients in legacy mode, ie as if the PDC is a NTServer, not a -        W2K server.</P -></DIV +>Installing consists of the usual download, configure, make and make  +	install process. These steps are well documented elsewhere. +	The <A +HREF="samba-pdc-faq.html" +TARGET="_top" +>FAQ</A +> discusses getting pre-release versions via CVS.  + 	Then you need to configure the server.</P  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" +CLASS="SECT1" +><HR><H1 +CLASS="SECT1"  ><A -NAME="AEN89" ->What's the status of print spool (spoolss) support in the NTDOM code?</A -></H2 +NAME="AEN59" +>Start Up Script</A +></H1  ><P ->The implementation of support for SPOOLSS pipe is complete and it will be available -	in the 2.2.0 release. This means that Samba will support the automatic downloading of printer -	drivers for Windows NT clients just as it currently does for Windows 9x clients.</P -></DIV +>Skip this section if you have a working Samba already.  +	Everyone has their own favourite startup script. 
Here is mine, offered with no warrantee +	at all !</P +><PRE +CLASS="PROGRAMLISTING" +>  + +	#!/bin/sh +	# Script to control Samba server, David Bannon, 14-6-96 +	# +	# +	PATH=/bin:/usr/sbin:/usr/bin +	export PATH +	case "$1" in +	'start') +        	if [ -f /usr/local/samba/bin/smbd ] +        	then +                	/usr/local/samba/bin/smbd -D +                	/usr/local/samba/bin/nmbd -D +                	echo "Starting Samba Server" +        	fi +        	;; +	'conf') +        	if [ -f /usr/local/samba/lib/smb.conf ] +        	then +                	vi /usr/local/samba/lib/smb.conf +        	fi +        	;; +	'pw') +        	if [ -f /usr/local/samba/private/smbpasswd ] +        	then +                	vi /usr/local/samba/private/smbpasswd +        	fi +        	;; +	'who') +        	/usr/local/samba/bin/smbstatus -b +        	;; +	'restart') +        	psline=`/bin/ps  x | grep smbd | grep -v grep` + +        	if [ "$psline" != "" ] +        	then +                	while [ "$psline" != "" ] +                	do +                        	psline=`/bin/ps x | fgrep smbd | grep -v grep` +                      	  	if [ "$psline" ] +                      	  	then +                                	set -- $psline +                                	pid=$1 +                                	/bin/kill -HUP $pid +                                	echo "Stopped $pid line = $psline" +                                	sleep 2 +                       	 	fi +                	done +        	fi +        	echo "Stopped Samba servers" +        	;; +	'stop') +        	psline=`/bin/ps  x | grep smbd | grep -v grep` + +        	if [ "$psline" != "" ] +        	then +                	while [ "$psline" != "" ] +                	do +                        	psline=`/bin/ps x | fgrep smbd | grep -v grep` +                        	if [ "$psline" ] +                        	then +                                	set -- $psline +                                	pid=$1 +                           
     	/bin/kill -9 $pid +                                	echo "Stopped $pid line = $psline" +                                	sleep 2 +                        	fi +                	done +        	fi +        	echo "Stopped Samba servers" +        	psline=`/bin/ps x | grep nmbd | grep -v grep` +        	if [ "$psline" ] +        	then +                	set -- $psline +                	pid=$1 +                	/bin/kill -9 $pid +                	echo "Stopped Name Server " +        	fi +        	echo "Stopped Name Servers" +        	;; +	*) +        	echo "usage: samba {start | restart |stop | conf | pw | who}" +        	;; +	esac +    </PRE +><P +>	Use this script, or some other one, you will need to ensure its used while the machine +	is booting. (This typically involves <TT +CLASS="FILENAME" +>/etc/rc.d</TT +>, we'll be  +	assuming that there is a script called +	samba in <TT +CLASS="FILENAME" +>/etc/rc.d/init.d</TT +> further down in this document.)</P  ></DIV  ><DIV  CLASS="SECT1"  ><HR><H1  CLASS="SECT1"  ><A -NAME="AEN92" ->CVS</A +NAME="AEN66" +>Config File</A  ></H1 +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN68" +>A sample conf file</A +></H2  ><P ->CVS is a programme (publically available) that the Samba developers use to -    maintain the central source code. Non developers can get access to the source in -    a read only capacity. Many flavours of unix now arrive with cvs installed.</P +>Here is a fairly minimal config file to do PDC. It will also make the server  +	become the browse master for the +	specified domain (not necessary but usually desirable). You will need to change only  +	two parameters to make this +	file work, <TT +CLASS="FILENAME" +>wins server</TT +> and <TT +CLASS="FILENAME" +>workgroup</TT +>, plus +    you will need to put your own name (not mine!) in the <TT +CLASS="FILENAME" +>domain admin users</TT +> fields.  
+	Some of the parameters are discussed further down this document.</P +><P +>Assuming you have used the default install directories, this file should appear as  +	<TT +CLASS="FILENAME" +>/usr/local/samba/lib/smb.conf</TT +>. It should not be  +	writable by anyone except root.</P +><DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE" +><P +><B +>Note: </B +>The 'add user script' parameter is a work-around, watch for changes !</P +></BLOCKQUOTE +></DIV +><PRE +CLASS="PROGRAMLISTING" +>  + +	[global]   +	security = user  +	status = yes  + 	workgroup = { Your domain name here } +	wins server = { ip of a wins server if you have one }  +	encrypt passwords = yes  +	domain logons =yes  +	logon script = scripts\%U.bat  +	domain admin group = @adm  +	add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$	 +	guest account = ftp  +	share modes=no  +	os level=65  +	[homes]  +	guest ok = no  +	read only = no  +	create mask = 0700  +	directory mask = 0700  +	oplocks = false  +	locking = no  +	[netlogon]  +	path = /usr/local/samba/netlogon  +	writeable = no  +	guest ok = no  +   </PRE +></DIV  ><DIV  CLASS="SECT2"  ><HR><H2  CLASS="SECT2"  ><A -NAME="AEN95" ->What are the different Samba branches available in CVS ?</A +NAME="AEN79" +>PDC Config Parameters</A  ></H2  ><P ->You can find out more about obtaining Samba's  via  -	anonymous CVS from  -	<A -HREF="http://pserver.samba.org/samba/cvs.html" -TARGET="_top" ->	http://pserver.samba.org/samba/cvs.html"</A ->. </P -><P  ></P  ><DIV  CLASS="VARIABLELIST"  ><P  ><B ->There are basically four branches to watch at the moment :</B +>There are a huge range of parameters that may appear in a smb.conf file. Some  +	that may be of interest	to a PDC are :</B  ></P  ><DL  ><DT ->HEAD</DT +>add user script</DT  ><DD  ><P ->Samba 3.0 ? This code boasts all the main development  -		work in Samba. 
Two things that most people are not aware of  -		which live in the HEAD branch code are winbind NSS module and -		Tim Potter's VFS implementation. Due to its developmental -		nature, its not really suitable for production work. -	</P +>This parameter specifies a script (or program) that will be run +	to add a user to the system. Here it is being used to add a machine, not a user. +	This is probably not very nice and may change. But it does work !</P +><P +>For this example, I have a group called 'machines', entries can be added to +    <TT +CLASS="FILENAME" +>/etc/passwd</TT +> using a programme called <TT +CLASS="FILENAME" +>/usr/adduser</TT +> and  +    the other parameters are chosen as suitable for a machine account. Works for +    RH Linux, your system may require changes.</P  ></DD  ><DT ->SAMBA_2_0</DT +>domain admin group = @adm</DT  ><DD  ><P ->This branch contains the current stable release release.  -		At the moment it contains 2.0.7, a version that will do some  -		limited PDC stuff. If you are really going to do PDC things then  -		I (drb) suggest that you consider 2.2 instead. -	</P +>This parameter specifies a unix group whose members will be granted  +    admin privileges on a NT workstation when +	logged onto that workstation. See the section called <A +HREF="#AEN223" +>    Domain Admin</A +> Accounts.</P  ></DD  ><DT ->SAMBA_2_2</DT +>domain admin users = user1 users2</DT  ><DD  ><P ->The next stable release, currently in a 'alpha' form. -		It provides the Samba developers, testers and interested  -		people with an approximation of what is to come. This document  -		addresses only SAMBA_2_2. -	</P +>It appears that this parameter does not funtion correctly at present. +    Use the 'domain admin group' instread. This parameter specifies a unix user who will  +    be granted admin privileges  +	on a NT workstation when +	logged onto that workstation. 
See the section called <A +HREF="#AEN223" +>    Domain Admin</A +> Accounts.</P  ></DD  ><DT ->SAMBA_TNG</DT +>encrypt passwords = yes</DT  ><DD  ><P ->This branch is no longer maintained from the Samba sites.  -		Please see <A -HREF="http://www.samba-tng.org/" -TARGET="_top" ->		http://www.samba-tng.org/</A ->.  It has been requested  -		that questions about TNG are not posted to the regular Samba mailing  -		lists including samba-ntdom and samba-technical. -	</P +>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that +	turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you +	should) you must use encrypted passwords.</P +></DD +><DT +>logon script = scripts\%U.bat</DT +><DD +><P +>This will make samba look for a logon script named after the user  +	(eg joeblow.bat).  +	 See the section further on called <A +HREF="#AEN251" +>Logon Scripts</A +></P +><DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE" +><P +><B +>Note: </B +>Note that the slash is like this '\', not like this '/'.  +	NT is happy with both, win95 is not !</P +></BLOCKQUOTE +></DIV +></DD +><DT +>logon path</DT +><DD +><P +>Lets you specify where you would like users profiles kept. The default, that is in the users +	home directory, does encourage a bit of fiddling.</P  ></DD  ></DL  ></DIV  ></DIV +></DIV  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" +CLASS="SECT1" +><HR><H1 +CLASS="SECT1"  ><A -NAME="AEN118" ->What are the CVS commands ?</A -></H2 +NAME="AEN115" +>Special directories</A +></H1 +><P +>You need to create a couple of special files and directories. Its nice  +	to have some of the binaries handy too, so I create links to them. 
Assuming  +	you have used the default samba location and have not +	changed the locations mentioned in the sample config file, do the following :</P +><PRE +CLASS="PROGRAMLISTING" +>  + +	mkdir /usr/local/samba/netlogon  +	mkdir /usr/local/samba/netlogon/scripts +	mkdir /usr/local/samba/private +	touch /usr/local/samba/private/smbpasswd +	chmod go-rwx /usr/local/samba/private/smbpasswd +	cd /usr/local/sbin +	ln -s /usr/local/samba/bin/smbpasswd +	ln -s /usr/local/samba/bin/smbclient +	ln -s /etc/rc.d/init.d/samba</PRE +><P +>Make sure permissions are appropriate !</P  ><P ->See <A -HREF="http://pserver.samba.org/samba/cvs.html" +>OK, if you have used the scripts above and have a path to where the links are do this to start up  +	the Samba Server :</P +><P +><B +CLASS="COMMAND" +>samba start</B +></P +><P +>Instead, you might like to reboot the machine to make sure that you  +	got the init stuff right. Any way, a quick look in the logs  +	<TT +CLASS="FILENAME" +>/usr/local/samba/var/log.smbd</TT +> and <TT +CLASS="FILENAME" +>	/usr/local/samba/var/log/nmbd</TT +> +	will give you an idea of what's happening. Assuming all is well, lets create  +	some accounts...</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="AEN126" +>Chapter 3. User and Machine Accounts</A +></H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN128" +>Logon Accounts</A +></H1 +><P +><I +CLASS="EMPHASIS" +>This section is very nearly out of date already !</I +>  It  +	appears that while you are reading it, Jean Francois Micou is making it  +	redundant ! 
Jean Francois is adding facilities to add users +	(via User Manager) and machines (when joining the domain) and it looks like these facilities will +	make it into the official release of 2.2.</P +><P +>Every user and NTws (and other samba servers) that will be on the domain  +	must have its own passwd entry in both <TT +CLASS="FILENAME" +>/etc/passwd</TT +> and  +	<TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +> .  +	The <TT +CLASS="FILENAME" +>/etc/passwd</TT +> entry is really  +	only to reserve a user ID. The NT encrypted password is stored in  +	<TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +>.  +	(Note that win95/98 machines don't need an account as they don't do  +	any security aware things.)</P +><P +>Samba 2.2 will now create these entries for us. Carefull set up is required +	and there may well be some changes to this system before its released.  +	</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="MACHINEACCOUNT" +>Machine Accounts</A +></H1 +><DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE" +><P +><B +>Note: </B +>There is an entry in the ntdom <A +HREF="samba-pdc-faq.html"  TARGET="_top" ->	http://pserver.samba.org/samba/cvs.html</A +>FAQ</A +> explaining how to create +	machine entries manually.</P +></BLOCKQUOTE +></DIV +><P  ></P +><DIV +CLASS="VARIABLELIST"  ><P +><B +><I +CLASS="EMPHASIS" +>At present</I +> to have the machine accounts created when a machine joins  +	the domain a number of conditions must be met :</B  ></P +><DL +><DT +>Only root can do it !</DT +><DD +><P +>There must be an entry in <TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +> +	for root and root must be mentioned in <TT +CLASS="FILENAME" +>domain admins</TT +>. This may +	be fixed some time in the future so any 'domain admin' can do it. 
If you don't  +	like having root as a windows logon account, make the machine +	entries manually (both of them).</P +></DD +><DT +>Use the <TT +CLASS="FILENAME" +>add user script</TT +></DT +><DD +><P +>Again, this looks a bit like a 'work around'. Use a suitable +	command line to add a machine account <A +HREF="#AEN68" +>see above</A +>, +	and pass it %m$, that is %m to get machine name plus the '$'. Now, this +	means you cannot use the <TT +CLASS="FILENAME" +>add user script</TT +> to really add users .... </P +></DD +><DT +>Only for W2K</DT +><DD  ><P +>This automatic creation of machine accounts does not work for +    NT4ws at present. Watch this space.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN163" +>Joining the Domain</A +></H1 +><P +>You must have either added the machine account entries manually (NT4 ws) +	or set up the automatic system (W2K), <A +HREF="#MACHINEACCOUNT" +>see Machine Accounts</A +> +	before proceeding.</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT  ><B ->To get the Samba 2.2 version, tag SAMBA_2_2 you would do :</B +CLASS="COMMAND" +>Windows NT</B +></DT +><DD +><P  ></P  ><UL  ><LI  ><P -> For example : <B +> (<I +CLASS="EMPHASIS" +>this step may not be necessary some time in the near future</I +>). 
+        On the samba server that is the PDC, add a machine account manually +        as per the instructions in the <A +HREF="samba-pdc-faq.html" +TARGET="_top" +>FAQ</A +>  +        Then give the command <B  CLASS="COMMAND" ->cd /usr/local/src/</B -></P +>smbpasswd -a -m {machine}</B +> substituting in the  +        client machine name.</P  ></LI  ><LI  ><P -> <B +> Logon to the NTws in question as a local admin, go to the  +	<B  CLASS="COMMAND" ->cvs -d :pserver:cvs@pserver.samba.org:/cvsroot  -			login</B -></P +>Control Panel, Network IdentificationTag</B +>.</P  ></LI  ><LI  ><P -> When prompted enter a password of <B +> Press the <B  CLASS="COMMAND" ->cvs</B -></P +>Change</B +> button.</P  ></LI  ><LI  ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@pserver.samba.org:/cvsroot  -			co -r SAMBA_2_2 samba</B -></P +> Enter the Domain name (from the 'Workgroup' parameter, smb.conf)  +	in the Domain Field.</P  ></LI -></UL -><P -></P +><LI  ><P +> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'.  +	Allow to reboot.</P +></LI +></UL +></DD +><DT  ><B ->Then to update that directory at some later time,</B +CLASS="COMMAND" +>Windows 2000</B +></DT +><DD +><P  ></P  ><UL  ><LI  ><P -> <B +>Logon to the W2k machine as Administrator, go to the Control  +	Panel and double click on <B  CLASS="COMMAND" ->cd /usr/local/src/samba</B -></P +>Network and Dialup Connections</B +>.  +	</P  ></LI  ><LI  ><P -> <B +>Pull down the <B  CLASS="COMMAND" ->cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login</B -></P +>Advanced</B +> menu and choose  +	<B +CLASS="COMMAND" +>Network Identification</B +>. Press <B +CLASS="COMMAND" +>Properties +	</B +>. </P  ></LI  ><LI  ><P -> When prompted enter a password of 'cvs'.</P +>Choose <B +CLASS="COMMAND" +>Domain</B +> and enter the domain name. 
Press 'OK'.</P  ></LI  ><LI  ><P -> <B -CLASS="COMMAND" ->cvs update -d -P</B -></P +>Now enter a user name and password for a Domain Admin  +	<I +CLASS="EMPHASIS" +>(Who must be root until a pre-release bug is fixed)</I +> and press +	'OK'.</P +></LI +><LI +><P +>Wait for the confirmation, reboot when prompted.</P  ></LI  ></UL -></DIV +><P +>To remove a W2K machine from the domain, follow the first two steps then  +    choose <B +CLASS="COMMAND" +>Workgroup</B +>, enter a work group name (or just WORKGROUP) and follow  +    the prompts.</P +></DD +></DL  ></DIV  ></DIV  ><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="AEN149" ->Chapter 3. Establishing Connections</A -></H1 -><DIV  CLASS="SECT1" -><H1 +><HR><H1  CLASS="SECT1"  ><A -NAME="AEN151" -></A +NAME="AEN211" +>User Accounts</A  ></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN153" ->How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?</A -></H2  ><P ->There is a comprehensive Samba PDC <A -HREF="samba-pdc-howto.html" -TARGET="_top" ->HowTo</A +><I +CLASS="EMPHASIS" +>Again, doing it manually (cos' the auto way is not working pre-release). +	</I  > -     accessable from the samba web site  -	under 'Documentation'. Its currently located at <A -HREF="http://bioserve.latrobe.edu.au/samba" -TARGET="_top" ->	http://bioserve.latrobe.edu.au/samba</A ->. Read it.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN158" ->What is a 'machine account' ?</A -></H2 -><P ->Every NT, W2K or Samba machine that joins a Samba controlled domain must be known to -    the Samba PDC. There are two entries required, one in (typically) <TT +	In our simple case every domain user should have an account on the PDC. The  +	account may have a null shell if they are not allowed to log on to the unix  +	prompt. 
Again they need an entry in both the <TT  CLASS="FILENAME"  >/etc/passwd</TT -> -    and the other in (typically) <TT +> and +	<TT  CLASS="FILENAME"  >/usr/local/samba/private/smbpasswd</TT ->. Under  -    some circumstances these entries are made <A -HREF="#AEN171" ->manually</A ->, the  -    <A -HREF="samba-pdc-howto.html" -TARGET="_top" ->HowTo</A -> discusses ways of creating them automatically.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN165" ->"The machine account for this computer either does not exist or is not accessable."</A -></H2 -><P ->When I try to join the domain I get the message "The machine account for this computer -	either does not exist or is not accessable". Whats wrong ?</P -><P ->This problem is caused by the PDC not having a suitable machine account.  -	If you are using the <B -CLASS="COMMAND" ->add user script =</B -> method to create accounts  -	then this would indicate that it has not worked. Ensure the domain admin user  -	system is working.</P -><P ->Alternatively if you are creating account entries manually then they have not been created -	correctly. Make sure that you have the entry correct for the machine account in smbpasswd  -	file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility,  -	make sure that the account name is the machine netbios name with a '$' appended to it  -	( ie. computer_name$ ). There must be an entry in both /etc/passwd and  -	the smbpasswd file. Some people have reported that  -	inconsistent subnet masks between the Samba server and the NT client have caused this problem.   -	Make sure that these are consistent for both client and server.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN171" ->How do I create machine accounts manually ?</A -></H2 -><P ->This was the only option until recently, now in version 2.2 better means are available. -	You might still need to do it manually for a couple of reasons. 
A machine account  -	consists of two entries (assuming a standard install and /etc/passwd use),  -	one in /etc/passwd and the other in /usr/local/samba/private/smbpasswd. The /etc/passwd -	entry will list the machine name with a $ appended, won't have a passwd, will have a null -	shell and no home directory. For example a machine called 'doppy' would have an /etc/passwd  -	entry like this :</P -><P -><B -CLASS="COMMAND" ->doppy$:x:505:501:NTMachine:/dev/null:/bin/false</B -></P -><P ->On a linux system for example, you would typically add it like this :</P +>. Again a password is  +	not necessary in <TT +CLASS="FILENAME" +>/etc/passwd</TT +> but the location  +	of the home directory is honoured.  +	To make an entry for a user called Joe Blow you would typically do the following :</P  ><P  ><B  CLASS="COMMAND" ->adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n  -		doppy$</B +>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</B  ></P  ><P ->Then you need to add that entry to smbpasswd, assuming you have a suitable -	path to the <B -CLASS="COMMAND" ->smbpasswd</B -> programme, do this :</P -><P  ><B  CLASS="COMMAND" ->smbpasswd -a -m doppy$</B +>smbpasswd -a joeblow</B  ></P  ><P ->The entry will be created with a well known password, so any machine that  -	says its doppy could join the domain as long as it gets in first. So don't create -	the accounts any earlier than you need them.</P +>And you will prompted to enter a password for Joe. Ideally he will be  +	hovering over your shoulder and will, when asked, type in a password of  +	his choice. There are a number of scripts and systems to ease the migration of users +	from somewhere to samba. Better start looking !</P  ></DIV  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN184" ->I cannot include a '$' in a machine name.</A -></H2 -><P ->A 'machine name' in (typically) <TT -CLASS="FILENAME" ->/etc/passwd</TT -> consists  -    of the machine name with a '$' appended. 
FreeBSD (and other BSD systems ?)  -    won't create a user with a '$' in their name.</P -><P ->The problem is only in the program used to make the entry, once made, it works -    perfectly. So create a user without the '$' and use <B -CLASS="COMMAND" ->vipw</B -> to edit -    the entry, adding the '$'. Or create the whole entry with vipw if you like, -    make sure you use a unique uid !</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" +CLASS="SECT1" +><HR><H1 +CLASS="SECT1"  ><A -NAME="AEN190" ->I get told "You already have a connection to the Domain...." when creating a -	 machine account.</A -></H2 +NAME="AEN223" +>Domain Admin Accounts</A +></H1  ><P ->This happens if you try to create a machine account from the machine itself  -	and use a user	name that does not work (for whatever reason) and then try  -	another (possibly valid) user name. -	Exit out of the network applet to close the initial connection and try again.</P +>Certain operations demand that the logged on user has Administrator  +	privileges, typically installing software and +	doing maintenance tasks. It is very simple to appoint some users as Domain Admins,  +	most likely yourself. Make +	sure you trust the appointee !</P  ><P ->Further, if the machine is a already a 'member of a workgroup' that is the  -        same name as the domain you are joining (bad idea) you will get this message. -        Change the workgroup name to something else, it does not matter what, reboot, -        and try again.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN194" ->I get told "Cannot join domain, the credentials supplied conflict -                with an existing set.."</A -></H2 +>Samba 2.2 recognizes particular users as being +	domain admins and tells the NTws when it thinks that it has got one logged on.  +	In the smb.conf file we declare +	that the <TT +CLASS="FILENAME" +>Domain Admin group = @adm</TT +>.  
+	Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when  +	logged onto the Domain. They will have full Administrator rights  +	including the rights to change permissions on files and run the system  +	utilities such as Disk Administrator. Add users to the group by editing <TT +CLASS="FILENAME" +>    /etc/group/</TT +>. You do not need to use the 'adm' group, choose any one you like.</P  ><P ->This is the same basic problem as mentioned above, <A -HREF="#AEN190" ->        "You already have a connection..."</A +>Further, and this is very new, they will be allowed to create a  +	new machine account when first connecting a new NT or W2K machine to  +	the domain. <I +CLASS="EMPHASIS" +>However, at present, ie pre-release, only a Domain Admin who +	also happens to be root can do so. </I  ></P  ></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN198" ->"The system can not log you on (C000019B)...."</A -></H2 -><P ->I joined the domain successfully but after upgrading to a newer version of the  -	Samba code I get the message, "The system can not log you on (C000019B), Please try a -	gain or consult your system administrator" when attempting to logon.</P -><P ->This occurs when the domain SID stored in private/WORKGROUP.SID is changed.   -	For example, you remove the file and smbd automatically creates a new one.    -	Or you are swapping back and forth between versions 2.0.7, TNG and the HEAD branch -	code (not recommended).  The only way to correct the problem is to restore the  -	original domain SID or 	remove the domain client from the domain and rejoin.</P -></DIV -></DIV  ></DIV  ><DIV  CLASS="CHAPTER"  ><HR><H1  ><A -NAME="AEN202" ->Chapter 4. User Account Management</A +NAME="AEN231" +>Chapter 4. 
Profiles, Policies and Logon Scripts</A  ></H1  ><DIV  CLASS="SECT1"  ><H1  CLASS="SECT1"  ><A -NAME="AEN204" ->Domain Admins</A -></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN206" ->How do I configure an account as a domain administrator?</A -></H2 -><P ->See the NTDom <A -HREF="samba-pdc-howto.html" -TARGET="_top" ->HowTo</A ->.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN210" +NAME="AEN233"  >Profiles</A  ></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN212" ->Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?</A -></H2 -><P ->Sometimes Windows clients will maintain a connection to the \\homes\ ( or [%U] ) share  -	even after the user has logged out. Consider the following scenario.</P  ><P -></P -><UL -><LI -><P -> user1 logs into the Windows NT machine.  Therefore the  -		[homes] share is set to \\server\user1.</P -></LI -><LI -><P -> user1 works for a while and then logs out. </P -></LI -><LI -><P -> user2 logs into the same Windows NT  machine.</P -></LI -></UL -><P ->However, since the NT box has maintained a connection to [homes] which was  -	previously set to \\server\user1, when the operating system attempts to  -	get the profile and if it can read users1's profile, will get it otherwise it  -	will return an error. You get the picture.</P -><P ->A better solution is to use a separate [profiles] share and set the  -	"logon path = \\%N\profiles\%U" </P +>NT Profiles should work if you have followed the setup so far.  +	A user's profile contains a whole lot of their personal	settings,  +	the contents of their desktop, personal 'My Documents' and so on.  +	When they log off, all of the profile is copied to their directory  +	on the server and is downloaded again when they logon on again, possibly  +	on another client machine.</P +><P +>Sounds great but can be a bit of a bug bear sometimes. 
Users let  +	their profiles get too big and then complain about how long it takes  +	to log on each time. This sample setup only supports NT profiles,  +	rumor has it that it is also possible to do the same on Win95, my  +	users don't know and I'm not telling them.</P  ><DIV  CLASS="NOTE"  ><BLOCKQUOTE 
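Review bot: In the Windows 2000 join steps, the line "Now enter a user name and password for a Domain Admin (Who must be root until a pre-release bug is fixed)" tells the reader to type root's password into the client but says nothing about that account afterwards; the hunk already offers the alternative ("If you don't like having root as a windows logon account, make the machine entries manually (both of them)"), so link the step back to it and add that the root entry in smbpasswd is only needed while machines are being joined and can be removed once they are. In "Domain Admin Accounts", "Domain Admin group = @adm" gives full Administrator rights on every workstation to every existing member of that unix group, so suggest telling the reader to check the group's current membership before reusing it rather than only "choose any one you like". In the "add user script" entry, "%m$" is the name the client presents, so the script handed it should accept nothing but a plain machine name. Small fixes in the same hunk: "menber" should be "member", "/etc/group/" should be "/etc/group", and "Network IdentificationTag" has a stray word.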
@@ -1107,333 +1131,203 @@ CLASS="NOTE"  ><P  ><B  >Note: </B ->Is this still a problem ????</P +>There is more info about Profiles (including for W95/98)  +        in the <A +HREF="samba-pdc-faq.html" +TARGET="_top" +>FAQ</A +>.</P  ></BLOCKQUOTE  ></DIV  ></DIV  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN226" ->Why are all the users listed in the "domain admin users" using the same profile?</A -></H2 -><P ->You are using a very very old development version of Samba. Upgrade.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN229" ->The roaming profiles do not seem to be updating on the server.</A -></H2 -><P ->There can be several reasons for this.</P -><P ->Make sure that the time on the client and the PDC are synchronized.  You can accomplish  -	this by executing a <B -CLASS="COMMAND" ->net time  \\server /set /yes</B -> replacing server with the  -	name of your PDC (or another synchronized SMB server). See <A -HREF="#AEN320" ->    about Setting Time</A -></P -><P ->Make sure that the  -	logon path is writeable by the user and make sure that the connection to the logon  -	path location is by the current user.   Sometimes Windows client do not drop the  -	connection immediately upon logoff.</P -><P ->Some people have reported that the logon path location should also be browseable.    -	I (GC) have yet to emperically verify this, but you can try.</P -></DIV -></DIV -><DIV  CLASS="SECT1"  ><HR><H1  CLASS="SECT1"  ><A -NAME="AEN237" +NAME="AEN240"  >Policies</A  ></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN239" ->What are 'Policies' ?.</A -></H2  ><P ->When a user logs onto the domain via a client machine, the PDC sends   -    the client machine a list of things contained in the 'policy' (if it exists). 
-    This list may do things like suppress a splach screen, format the dates the way you  -    like them or perhaps remove locally stored profiles.</P -><P ->On a samba PDC this list is obtained from a file called <B -CLASS="COMMAND" ->ntconfig.pol</B -> -    and located in the <B -CLASS="COMMAND" ->[netlogon]</B ->share. The file is created with a policy editor -    and must be readable by anyone and writeable by only root. See <A -HREF="#AEN260" ->    below</A -> for how  to get a suitable editor.</P -></DIV +>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol +	file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws. +	Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or +	maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles +	on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor +	that comes with NTws.</P  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN246" ->I can't get system policies to work.</A -></H2 -><P ->There are two possible reasons for system policies not functioning correctly.  -     Make sure that you have the following parameters set in smb.conf </P -><PRE -CLASS="PROGRAMLISTING" ->	[netlogon] -	.... -	locking = no -	public = no -	browseable = yes -	....    -    </PRE +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE"  ><P ->A policy file must be in the <B -CLASS="COMMAND" ->[netlogon]</B -> share and must be  -    readable by everyone and writeable by only root. 
The file must be created -    by an NTServer <A -HREF="#AEN260" ->Policy Editor</A ->.</P +><B +>Note: </B +>See the <A +HREF="samba-pdc-faq.html" +TARGET="_top" +>FAQ</A +> for pointers on how to get a suitable Policy Editor.</P +></BLOCKQUOTE +></DIV  ><P ->Last time I (drb) looked in the source, it was -	looking for <TT -CLASS="FILENAME" ->ntconfig.pol</TT -> first then several other combinations of upper -	and lower case. People have reported success using <TT -CLASS="FILENAME" ->NTconfig.pol</TT ->,  +>The Policy Editor (and associated files) will create a   	<TT  CLASS="FILENAME" ->NTconfig.POL</TT -> and <TT -CLASS="FILENAME" ->ntconfig.pol</TT ->.   These are the case  -    settings that I (GC) use with the -	filename <TT -CLASS="FILENAME"  >ntconfig.pol</TT -></P -><PRE -CLASS="PROGRAMLISTING" ->        case sensitive = no -        case preserve = yes -        default case = yes -    </PRE -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN260" ->What about Windows NT Policy Editor ?</A -></H2 -><P ->To create or edit <B -CLASS="COMMAND" ->ntconfig.pol</B -> you must use the NT Server  -    Policy Editor, <B -CLASS="COMMAND" ->poledit.exe</B ->	which is included with NT Server  -    but <I -CLASS="EMPHASIS" ->not NT Workstation</I ->. There is a Policy Editor on a NTws  -    but it is not suitable for creating <I -CLASS="EMPHASIS" ->Domain Policies</I ->.  -    Further, although the Windows 95  -	Policy Editor can be installed on an NT Workstation/Server, it will not -	work with NT policies because the registry key that are set by the policy templates.  -	However, the files from the NT Server will run happily enough on an NTws.  -	You need <TT -CLASS="FILENAME" ->poledit.exe, common.adm</TT -> and <TT -CLASS="FILENAME" ->winnt.adm</TT ->. It is convenient -    to put the two *.adm files in <TT -CLASS="FILENAME" ->c:\winnt\inf</TT -> which is where -    the binary will look for them unless told otherwise. 
Note also that that  -    directory is 'hidden'.</P -><P ->The Windows NT policy editor is also included with the  -	Service Pack 3 (and later) for Windows NT 4.0. Extract the files using  -    <B -CLASS="COMMAND" ->servicepackname /x</B ->, ie thats <B -CLASS="COMMAND" ->Nt4sp6ai.exe /x</B -> -    for service pack 6a.   -	The policy editor, <B -CLASS="COMMAND" ->poledt.exe</B -> and the associated template files (*.adm) should -	be extracted as well.  It is also possible to downloaded the policy template  -	files for Office97 and get a copy of the policy editor.  Another possible  -	location is with the Zero Administration Kit available for download from Microsoft. -    </P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN274" ->Can Win95 do Policies ?</A -></H2 +> file using the  +	parameters Microsoft thought of and parameters you specify by making your own  +	template file.</P  ><P ->Install the group policy handler for Win9x to pick up group policies.  -    Look on the Win98 CD in <TT +>In our example configuration here, Samba will expect to find  +	the <TT  CLASS="FILENAME" ->	\tools\reskit\netadmin\poledit</TT ->. Install group policies on a Win9x client by double-clicking  +>ntconfig.pol</TT +> file in   	<TT  CLASS="FILENAME" ->grouppol.inf</TT ->. Log off and on again a couple of times and see if  -    Win98 picks up group policies.  -	Unfortunately this needs to be done on every Win9x machine that uses group policies....</P -><P ->If group policies don't work one reports suggests getting the updated (read: working)  -	grouppol.dll for Windows 9x. The group list is grabbed from /etc/group.</P -></DIV +>/usr/local/samba/netlogon</TT +>. 
Needless to say (I hope !),  +	it is vitally important that ordinary users don't have  +	write permission to the Policy files.</P  ></DIV  ><DIV  CLASS="SECT1"  ><HR><H1  CLASS="SECT1"  ><A -NAME="AEN280" ->Passwords</A +NAME="AEN251" +>Logon Scripts</A  ></H1 -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN282" ->What is password sync and should I use it ?</A -></H2  ><P ->NTws users can change their domain password by pressing Ctrl-Alt-Del and -    choosing 'Change Password'. By default however, this does not change the unix password  -    (typically in <TT +>In the sample config file above there is a line  +	<TT  CLASS="FILENAME" ->/etc/passwd or /etc/shadow</TT ->). In lots of situations -    thats OK, for example :</P -><P +>logon script = scripts\%U.bat</TT  ></P -><UL -><LI -><P ->The server is only accessible to the user via samba.</P -></LI -><LI -><P ->Pam_smb or similar is installed so other applications  -        still refer to the samba password.</P -></LI -></UL -><P ->But sometimes you really do need to maintain two seperate password databases and -    there are good reasons to keep then in sync.  Trying to explain to users -	that they need to change their passwords in two seperate places or use  -    two seperate passwords is not fun.</P +><DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE"  ><P ->However do understand that setting up password sync is not without problems either.  -    The chief difficulty is the interface between Samba and the <B -CLASS="COMMAND" ->passwd</B -> command,  -	it can be a fiddle to set up and if the password the user has entered fails,  -	the resulting errors are ambiguously reported -	and the user is confused. Further, you need to take steps to ensure that users -    only ever change their passwords via samba (or use <B -CLASS="COMMAND" ->smbpasswd</B ->), -    otherwise they will only be changing the unix password.</P +><B +>Note: </B +>Note that the slash is like this '\' not like this '/'.  
+	NT is happy with both, win95 is not !</P +></BLOCKQUOTE  ></DIV +><P +>This allows you to run a dos batch file every time someone logs on. The batch  +	file is located on the server, in the sample install mentioned here,  +	its in <TT +CLASS="FILENAME" +>/usr/local/samba/netlogon/scripts</TT +> and  +	is named after the user with <TT +CLASS="FILENAME" +>.bat</TT +> appended, eg Joe +	Blow's script is called <TT +CLASS="FILENAME" +>/usr/local/samba/netlogon/scripts/joeblow.bat</TT +>.</P  ><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN295" ->How do I get remote password (unix and SMB) changing working ?</A -></H2 +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE"  ><P ->Have a practice changing a user's password (as root) to see what  -	discussion takes place and change the text in the 'passwd chat' line below  as necessary. The -    line as shown works for recent RH Linux but most other systems seem to like to do something -    different. The '*' is a wild card and will match anything (or nothing). -	</P +><B +>Note: </B +>There is a suggestion that user names longer than 8 characters may cause +	problems with some systems being unable to run logon scripts. This is confirmed in earlier +    versions when connecting using W95, comments about other combinations ??</P +></BLOCKQUOTE +></DIV  ><P ->Add these lines to smb.conf under [Global]</P +>You could use a line like this <TT +CLASS="FILENAME" +>logon script = default.bat</TT +> and samba +    will supply <TT +CLASS="FILENAME" +>/usr/local/samba/netlogon/default.bat</TT +> for any client and every +    user. Maybe you could use %m and get a client machine dependant logon script. +    You get the idea...</P +><P +>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client  +	computer with the logon	user's permissions. It must be a dos file with each line ending with  +	the dos cr/lf not a nice clean newline. 
Generally, +	its best to create the initial file on a DOS system and copy it across.</P +><P +>There is lots of very clever uses of the Samba replaceable variables such  +	( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to  +	give you control over which script runs when a particular person logs +	on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</P +><P +>Again, it is vitally important that ordinary users don't have write  +	permission to other peoples, or even probably their own, logon script files.</P +><P +>A typical logon script is reproduced below. Note that it runs separate  +	commands for win95 and NT, that's because NT has slightly different behaviour  +	when using the <TT +CLASS="FILENAME" +>net use ..</TT +> command. Its useful for lots of  +	other situations too. I	don't know what syntax to use for win98, I don't use it  +	here.</P  ><PRE  CLASS="PROGRAMLISTING"  >  -		unix password sync = true -   		passwd program = /usr/bin/passwd %u -   		passwd chat = *password* %n\n *password* %n\n *successful* +		rem Default logon script, create links to this file. + +		net time \\bioserve /set /yes +		@echo off +		if %OS%.==Windows_NT. goto WinNT + +		:Win95 +		net use k: \\trillion\bio_prog +		net use p: \\bcfile\homes +		goto end +		:WinNT +		net use k: \\trillion\bio_prog /persistent:no +		net use p: \\bcfile\homes /persistent:no + +		:end  	</PRE -><P ->As mentioned above, the change to the unix password  -	happens as root, not as the user, as is indicated in ~/smbd/chgpasswd.c  If -	you are using NIS, the Samba server must be running on the NIS master machine.</P -></DIV  ></DIV  ></DIV  ><DIV  CLASS="CHAPTER"  ><HR><H1  ><A -NAME="AEN301" ->Chapter 5. Miscellaneous</A +NAME="AEN272" +>Chapter 5. Passwords and Authentication</A  ></H1 +><P +>So far our configuration assumes that ordinary users don't have unix logon access. 
A change +	to the <A +HREF="#AEN211" +><TT +CLASS="FILENAME" +>adduser</TT +></A +> line above would allow unix logon  +	but it would be with passwords that may  +	be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users +	that they need to change their passwords in two seperate places is not fun.  +	Further, even if they cannot do a unix logon there are other processes that  +	might require authentication. We have a nice securely encrypted password in  +	<TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +>, why not use it ?</P  ><DIV  CLASS="SECT1" -><H1 +><HR><H1  CLASS="SECT1"  ><A -NAME="AEN303" +NAME="AEN278"  ></A  ></H1  ><DIV 
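Review bot: The Policies and Logon Scripts sections both say it is "vitally important that ordinary users don't have write permission" to ntconfig.pol and the script files but give no setting that achieves it, and the [netlogon] parameters this hunk deletes from the old FAQ text ("locking = no", "public = no", "browseable = yes") said nothing about write access either; suggest stating that the share should be read-only for users (for example "writeable = no" on [netlogon]) and that the files under /usr/local/samba/netlogon be owned by root and not group or world writable. In the sample logon script, "@echo off" comes after "net time \\bioserve /set /yes" rather than first, and the server names bioserve, trillion and bcfile are site-specific; mark them as placeholders so readers do not copy them verbatim. The note that user names longer than 8 characters "may cause problems with some systems being unable to run logon scripts" ends with "comments about other combinations ??", which reads as an open question left in the document; either state what is known or drop the trailing query.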
@@ -1441,47 +1335,22 @@ CLASS="SECT2"  ><H2  CLASS="SECT2"  ><A -NAME="AEN305" ->How do I get 'User Manager' and 'Server Manager'</A +NAME="AEN280" +>Syncing Passwords</A  ></H2  ><P ->Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for -	Domains', the 'Server Manager' ?</P -><P -></P -><P -><B ->Microsoft distributes a version of these tools called nexus  -    for installation on Windows 95 systems.  The tools set includes</B -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P ->Click here to download the archived file  -        <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->        ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -></P -><P ->The Windows NT 4.0 version of the 'User Manager for Domains'  -        and 'Server Manager' are available from Microsoft via ftp from  -        <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +>Yes, its possible and seems the easiest  way (initially anyway).  +    The <A +HREF="samba-pdc-faq.html"  TARGET="_top" ->        ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +>FAQ</A +> details how to  +    do so in the sections <I +CLASS="EMPHASIS" +>What is password sync and should I use it ?</I +> and <I +CLASS="EMPHASIS" +>    How do I get remote password (unix and SMB) changing working ?</I  ></P  ></DIV  ><DIV 
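Review bot: "Syncing Passwords" now only points at two FAQ sections, but the two quoted titles ("What is password sync and should I use it ?" and "How do I get remote password (unix and SMB) changing working ?") are exactly the headings removed from this file in the preceding hunk; confirm they exist in samba-pdc-faq.html under those titles, otherwise the cross-reference dangles. Also "its possible" should be "it's possible".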
@@ -1489,172 +1358,51 @@ CLASS="SECT2"  ><HR><H2  CLASS="SECT2"  ><A -NAME="AEN320" ->The time setting from a Samba server does not work.</A -></H2 -><P ->If it works OK when you log on as Domain Admin then the problem is that ordinary users -	don't have permission to change the time. (The system is running with their permission -	at logon time.) This is not a Samba problem, you will have the same problem where ever -	you connect. You can give 'everyone' permission to change the time from the User Manager. -	</P -><P ->Anyone know what the registry settings are so this could be done with a Policy ?</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN324" ->"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</A +NAME="AEN286" +>Using PAM</A  ></H2  ><P ->I keep getting the message "trust account xxx should be in DOMAIN_GROUP_RID_USERS."  -	in the logs. What do I need to do?</P -><P ->You are using one of the old development versions. Upgrade.  -	(The message is unimportant, was a reminder to a developer)</P +>Pam enabled systems have a much better solution available. The Samba  +	PDC server will	offer to authenticate domain users to other processes  +	(either on this server or on the domain). With a suitable pam stack  +	such as <A +HREF="http://www.csn.ul.ie/~airlied/pam_smb/" +TARGET="_top" +> Pam_smb</A +>  +	you can get any pam aware application looking to the samba password and  +	can leave the password field in <TT +CLASS="FILENAME" +>/etc/shadow</TT +> +	or <TT +CLASS="FILENAME" +>/etc/passwd</TT +> invalid.</P  ></DIV  ><DIV  CLASS="SECT2"  ><HR><H2  CLASS="SECT2"  ><A -NAME="AEN328" ->How do I get my samba server to become a member ( not PDC ) of an NT domain?</A +NAME="AEN292" +>Authenticating other Samba Servers</A  ></H2  ><P  >In a domain that has a number of servers you only need one password database.   	The machines that don't have their own ask the PDC  to check for them. 
-    This will work fine for a domain controlled by either a Samba or NT machine. -	The following lines in smb.conf are typical, 'password server' points to the  -	samba machine (or an NT) that has the password list : </P -><PRE -CLASS="PROGRAMLISTING" ->  - -		[global] -		... -		security = domain -		workgroup = { Put your domain name here } -		password server = { Put the ip of the PDC here } -		encrypt passwords = yes -		...	 -	</PRE +    This will work fine for a domain controlled by either a Samba or NT machine.</P  ><P ->The samba server in question will have to 'join the domain', that requires  -	the domain controller to have a machine	account for it. This is no different  -	to the machine account requirements to allow a NTws to join the domain. For -	example, if we want a unix box called <I -CLASS="EMPHASIS" ->sleepy</I -> to ask the PDC called <I -CLASS="EMPHASIS" ->grumpy</I ->  -	to do its authentication then <I -CLASS="EMPHASIS" ->grumpy</I -> will need an entry in its smbpasswd  -	(assuming it's also samba) that starts with <I -CLASS="EMPHASIS" ->sleepy$</I ->. It would have to be -    created <A -HREF="#AEN171" ->manually</A ->. </P -><P ->If the domain is controlled by an NTServer then the "Server Manager for Domains" -    tool must be used to add 'sleepy' to the domain list.</P -><P ->In either case we then join the domain. If the domain is called <I +>To do so the Samba machine must be told to refer to the PDC and where the PDC is. +    See the section in the NTDom <A +HREF="samba-pdc-faq.html" +TARGET="_top" +>FAQ</A +> called <I  CLASS="EMPHASIS" ->forest</I -> -	then on sleepy we would join the domain by typing :</P -><P -><B -CLASS="COMMAND" ->smbpasswd -j forest</B +>How do I get my samba server to  +    become a member ( not PDC ) of an NT domain?</I  ></P -><P ->Note that the directory where the smbpasswd file would be  -	located should exist as this is where smbd will generate the MACHINE.SID file. 
This -    might be <TT -CLASS="FILENAME" ->/usr/local/samba/private/FOREST.SLEEPY.SID</TT -> and -    it contains the trust account password for the domain member. The permissions are -    (and should remain) "rw-------</P -><P ->Note the Samba Servers without the password list will most likely still need an account  -	for each user, this means a line in its <TT -CLASS="FILENAME" ->/etc/passwd</TT ->. Because authentication -    is being handled at the domain level the  -	<TT -CLASS="FILENAME" ->/etc/passwd</TT -> line does not need a password. -	If the shares being offered are not user specific, ie a common (read only ?)  -	area or perhaps just printing then the user's -	<TT -CLASS="FILENAME" ->/etc/passwd</TT -> does not need a home directory. A typical  -	line in <TT -CLASS="FILENAME" ->/etc/passwd</TT -> for a server that allows domain users to -	connect to the samba shares but does not offer a home share ('cos that's on the PDC)  -	and does not allow logon to the unix prompt would be like this :</P -><PRE -CLASS="PROGRAMLISTING" ->jblow:x:542:100:Joe Blow:/dev/null:/bin/false</PRE -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -></P -><UL -><LI -><P ->When removing those 'dummy' users, watch the 'remove user' scripts,  -	some OS think they should remove a users directory even when its not owned by the user ! -	</P -></LI -><LI -><P ->The <TT -CLASS="FILENAME" ->username map = </TT -> parameter might help you to avoid having  -    all those accounts created.</P -></LI -><LI -><P ->You should investigate the smb.conf parameter  -	    <TT -CLASS="FILENAME" ->'add user script'</TT ->, it will be used to create accounts on  -	    secondary servers when that account already exists on the PDC. Very nice. -        Something like :</P -><PRE -CLASS="PROGRAMLISTING" ->    [Global] -    .... -    add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bin/false %U	 -    .... 
-        </PRE -></LI -></UL -></BLOCKQUOTE -></DIV  ></DIV  ></DIV  ></DIV 
@@ -1662,294 +1410,101 @@ CLASS="PROGRAMLISTING"  CLASS="CHAPTER"  ><HR><H1  ><A -NAME="AEN363" ->Chapter 6. Troubleshooting and Bug Reporting</A +NAME="AEN298" +>Chapter 6. Background</A  ></H1  ><DIV  CLASS="SECT1"  ><H1  CLASS="SECT1"  ><A -NAME="AEN365" ->Diagnostic tools</A +NAME="AEN300" +></A  ></H1  ><DIV  CLASS="SECT2"  ><H2  CLASS="SECT2"  ><A -NAME="AEN367" ->What are some diagnostics tools I can use to debug the domain logon process and where can I -	find them?</A +NAME="AEN302" +>History</A  ></H2  ><P ->One of the best diagnostic tools for debugging problems is Samba itself.  You can use the -d  -	option for both smbd and nmbd to specifiy what 'debug level' at which to run.  See the man  -	pages on smbd, nmbd  and smb.conf for more information on debugging options.  The debug  -	level can range from 1 (the default) to around 100 but a debug level of about 20 will  -	normally help you find any errors that samba is encountering. Another helpful method  -	of debugging is to compile samba using the gcc -g flag.   This will include debug  -	information in the binaries and allow you to attch gdb to the running smbd / nmbd  -	process.  In order to attach gdb to an smbd process for an NT workstation, first  -	get the workstation to make the connection. Pressing ctrl-alt-delete and going down  -	to the domain box is sufficient (at least, on the first time you join the domain) to  -	generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open  -	connection, and therefore there will be an smbd process running (assuming that you  -	haven't set a really short smbd idle timeout)  So, in between pressing ctrl alt  -	delete, and actually typing in your password, you can gdb attach and continue.</P -><P ->An SMB enabled version of tcpdump is available from  -    <A -HREF="ftp://samba.org/pub/samba/tcpdump-smb/" +>It might help you understand the limitations of the PDC in Samba if you +	read something of its history. 
Well, the history as I understand it anyway.</P +><P +>For many years the Samba team have been developing Samba, some time ago  +	a number of people, possibly lead by Luke Leighton started contributing NT  +	PDC stuff. This was added to the 'head' stream (that would eventually +	become the next version) and later to a seperate stream (NTDom). They did so  +	much that eventually this development stream was so mutated that it could not  +	be merged back into the main stream and was abandoned towards the end of 1999.  +	And that was very sad because many users, myself include had become heavily +	dependant on the NTController facilities it offered. Oh well...</P +><P +>The NTDom team continued on with their new found knowledge however and  +	built the TNG stream. Intended to be carefully controlled so that it can be  +	merged back into the main stream and benefiting from what they learnt, it is  +	a very different product to the origional NTDom product. However, for a  +    number of reasons, the merge did not take place and now TNG is being developed  +    at <A +HREF="http://www.samba-tng.org"  TARGET="_top" ->ftp://samba.org/pub/samba/tcpdump-smb/ -    </A -></P -><P ->Capconvert is a small C program for translating output from tcpdump-smb to CAP format  -	that can be read by netmon. You will need to use the raw output from tcp dump  -	( ie. <B -CLASS="COMMAND" ->tcpdump -w output.dump</B -> ).  Good news!  Now you can convert -     Solaris' snoop output as well.   The C source code for snoop2cap is available for download. -    </P -><P ->For tracing things on the Microsoft Windows NT, Network Monitor (aka. netmon) is available  -	on the Microsoft Developer Network CD's, the Windows NT Server install CD and the SMS CD's.   -	The version of netmon that ships with SMS allows for dumping packets between any two  -	computers (ie. placing the network interface in promiscuous mode).  
The version  -	on the NT Server install CD will only allow monitoring of network traffic directed to the  -	local NT box and broadcasts on the local subnet.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN375" ->How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?</A -></H2 -><P ->Installing netmon on an NT workstation requires a couple of steps.  The following  -	are for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server  -	4.0, on Microsoft Windows NT Workstation 4.0.  The process should be similar -	for other version of Windows NT / Netmon.  You will need both the Microsoft Windows  -	NT Server 4.0 Install CD and the Workstation 4.0 Install CD.</P -><P ->Initially you will need to install 'Network Monitor Tools and Agent' on the  -    NT Server.  To do this </P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - Network - Services - Add </P -></LI -><LI -><P ->Select the 'Network Monitor Tools and Agent' and click on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel.</P -></LI -><LI -><P ->Insert the Windows NT Server 4.0 install CD when prompted.</P -></LI -></UL -><P ->At this point the Netmon files should exist in <TT -CLASS="FILENAME" ->%SYSTEMROOT%\System32\netmon\*.*</TT ->.     
-	Two subdirectories exist as well, <TT -CLASS="FILENAME" ->parsers\</TT -> which contains the necessary DLL's  -	for parsing the netmon packet dump, and <TT -CLASS="FILENAME" ->captures\</TT +>http://www.samba-tng.org</A  >.</P  ><P ->In order to install the Netmon tools on an NT Workstation, you will first need to  -	install the 'Network  Monitor Agent' from the Workstation install CD.</P -><P -></P -><UL -><LI -><P ->Goto Start - Settings - Control Panel - Network - Services - Add</P -></LI -><LI -><P ->Select the 'Network Monitor Agent' and click on 'OK'.</P -></LI -><LI -><P ->Click 'OK' on the Network Control Panel.</P -></LI -><LI -><P ->Insert the Windows NT Workstation 4.0 install CD when prompted.</P -></LI -></UL -><P ->Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* to -	%SYSTEMROOT%\System32\netmon\*.* on the Workstation and set permissions as  -	you deem appropriate for your site. You will need administrative rights on the  -	NT box to run netmon.</P -><P ->To install Netmon on a Windows 9x box install the network monitor agent from  -	the Windows 9x CD (\admin\nettools\netmon).    -	There is a readme file located with the netmon driver files on the CD if you need  -	information on how to do this.  Copy the files from a working Netmon installation.</P -></DIV +>Now, the NTDom things that the main strean 2.0.x version does is based more  +	on the old (initial version) abandoned code than on the TNG ideas. It appears  +	that version 2.2.0 will also include an improved version of the 2.0.7 domain  +	controller charactistics, not the TNG ways. The developers have indicated  +	that 2.2.0 will be further developed incrementally and the ideas from TNG  +	incorporated into it.</P +><P +>One more little wriggle is worth mentioning. At one stage the NTDom  +	stream was called Samba 2.1.0-prealpha and similar names. 
This is most  +	unfortunate because at least one book published advises people who want to  +	use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon  +	be called 2.2.0  and NOT officially supporting NTDom Controlling functions,  +	the potential for confusion is certainly there.</P  ></DIV  ><DIV -CLASS="SECT1" -><HR><H1 -CLASS="SECT1" -><A -NAME="AEN404" ->What other help can I get ?</A -></H1 -><P ->There are many sources of information available in the form of mailing lists, RFC's  -	and documentation.  The docs that come with the samba distribution contain very  -	good explanations of general SMB topics such as browsing.</P -><DIV  CLASS="SECT2"  ><HR><H2  CLASS="SECT2"  ><A -NAME="AEN407" ->URLs and similar</A +NAME="AEN310" +>The Future</A  ></H2  ><P -></P -><UL -><LI -><P ->Home of Samba site <A -HREF="http://samba.org" -TARGET="_top" ->        http://samba.org</A ->. We have a mirror near you !</P -></LI -><LI -><P -> The <I +>There is a document on the Samba mirrors called <I  CLASS="EMPHASIS" ->Development</I -> document  -		on the Samba mirrors might mention your problem. If so, -		it might mean that the developers are working on it.</P -></LI -><LI -><P -> Ignacio Coupeau has a very comprehesive look at LDAP with Samba at  -		<A -HREF="http://www.unav.es/cti/ldap-smb-howto.html" -TARGET="_top" ->		http://www.unav.es/cti/ldap-smb-howto.html</A ->  -		Be a little carefull however, I suspect that it does not specificly  -		address samba 2.2.x. 
The HEAD pre-2.1 may possibly be the best -		stream to look at.</P -></LI -><LI -><P ->  Lars Kneschke's site covers <A -HREF="http://www.samba-tng.org" -TARGET="_top" ->        Samba-TNG</A -> at  -		<A -HREF="http://www.kneschke.de/projekte/samba_tng" -TARGET="_top" ->		http://www.kneschke.de/projekte/samba_tng</A ->, but again, a  -		lot of it does not apply to the main stream Samba.</P -></LI -><LI -><P ->Although 2.0.7 has almost had its day as a PDC, I (drb) will -        keep the 2.0.7 PDC pages at <A -HREF="http://bioserve.latrobe.edu.au/samba" -TARGET="_top" ->        http://bioserve.latrobe.edu.au/samba</A -> going for a while yet.</P -></LI -><LI -><P ->Misc links to CIFS information  -        <A -HREF="http://samba.org/cifs/" -TARGET="_top" ->http://samba.org/cifs/</A -></P -></LI -><LI -><P ->NT Domains for Unix <A -HREF="http://mailhost.cb1.com/~lkcl/ntdom/" -TARGET="_top" ->        http://mailhost.cb1.com/~lkcl/ntdom/</A -></P -></LI -><LI -><P ->FTP site for older SMB specs:  -        <A -HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" -TARGET="_top" ->        ftp://ftp.microsoft.com/developr/drg/CIFS/</A -></P -></LI -></UL +>'Development' +	</I +>. It offers the 'best guess'	of what is planned for future releases  +	of Samba.</P  ><P -></P +>The future of Samba as a Primary Domain Controller appears rosie, however  +	be aware that its the future, not the present. The developers are strongly committed  +	to building a full featured PDC into Samba but it will	take time. If this  +	version does not meet your requirements then you should consider (in no particular  +	order) :</P  ><P -><B ->There are a number of documents that no longer appear to live at their -    origional home. 
Any one know where the following may be found ?</B  ></P  ><UL  ><LI  ><P ->CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt</P -></LI -><LI -><P ->CIFS Remote Administration Protocol draft-leach-cifs-rap-spec-00.txt</P -></LI -><LI -><P ->CIFS Logon and Pass Through Authentication draft-leach-cifs-logon-spec-00.txt</P +> Wait. No, we don't know how long. Repeated asking won't help.</P  ></LI  ><LI  ><P ->A Common Internet File System (CIFS/1.0) Protocol draft-leach-cifs-v1-spec-01.txt</P +>Investigate the development versions, TNG perhaps or HEAD where new code is being added +	all the time. Realise that development code is often unstable, poorly documented and subject to change. +	You will need to use cvs to download development versions.</P  ></LI  ><LI  ><P ->CIFS Printing Specification draft-leach-cifs-print-spec-00.txt</P -></LI -><LI -><P ->RFC1001 (March '87) Protocol standard for a NetBIOS service on a TCP/UDP transport: Concepts and methods. -     http://ds.internic.net/rfc/rfc1001.txt </P -></LI -><LI -><P ->RFC1002 (March '87) Protocol standard for a NetBIOS service on a TCP/UDP transport: Detailed specifications. -     http://ds.internic.net/rfc/rfc1002.txt </P -></LI -><LI -><P ->Microsoft's main CIFS page: http://www.microsoft.com/workshop/networking/cifs/</P +>Join one of the Samba mailing lists so that you can find out  +	what is happening on the 'bleeding edge'.</P  ></LI  ></UL  ></DIV 
@@ -1958,135 +1513,42 @@ CLASS="SECT2"  ><HR><H2  CLASS="SECT2"  ><A -NAME="AEN453" ->How do I get help from the mailing lists ?</A +NAME="AEN322" +>Getting further help</A  ></H2  ><P -> There are a number of Samba related mailing lists. Go to <A -HREF="http://samba.org" -TARGET="_top" ->http://samba.org</A ->, click on your nearest mirror -        and then click on <B -CLASS="COMMAND" ->Support</B -> and then click on <B -CLASS="COMMAND" ->        Samba related mailing lists</B ->.</P -><P ->For questions relating to Samba TNG go to -        <A -HREF="http://www.samba-tng.org/" +>This document cannot possibly answer all your questions. Please understand that its very +	likely that someone has been confrounted by the same problem that you have. The  +    <A +HREF="samba-pdc-faq.html"  TARGET="_top" ->http://www.samba-tng.org/</A ->  -	    It has been requested that you don't post questions about Samba-TNG to the -        main stream Samba lists.</P +>FAQ</A +> +    discusses a number of possible paths to take to get further help :</P  ><P  ></P -><P -><B ->If you post a message to one of the lists please -	 observe the following guide lines :</B -></P  ><UL  ><LI  ><P -> Always remember that the developers are volunteers, they are  -		not paid and they never guarantee to produce a particular feature at  -		a particular time. Any time lines are 'best guess' and nothing more. -		</P -></LI -><LI -><P -> Always mention what version of samba you are using and what  -		operating system its running under. You should probably list the -        relevant sections of your smb.conf file, at least the options  -        in [global] that affect PDC support.</P -></LI -><LI -><P ->In addition to the version, if you obtained Samba via -        CVS mention the date when you last checked it out.</P -></LI -><LI -><P -> Try and make your question clear and brief, lots of long,  -		convoluted questions get deleted before	they are completely read !  
-		Don't post html encoded messages (if you can select colour or font  -		size its html).</P -></LI -><LI -><P -> If you run one of those niffy 'I'm on holidays' things when  -		you are away, make sure its configured	to not answer mailing lists. -		</P -></LI -><LI -><P -> Don't cross post. Work out which is the best list to post to  -		and see what happens, ie don't post to both samba-ntdom and samba-technical. -        Many people active on the lists subscribe to more  -		than one list and get annoyed to see the same message two or more times.  -		Often someone will see a message and thinking it would be better dealt  -		with on another, will forward it on for you.</P +>Documents on the Samba Sites.</P  ></LI  ><LI  ><P ->You might include <I -CLASS="EMPHASIS" ->partial</I -> -        log files written at a debug level set to as much as 20.   -        Please don't send the entire log but enough to give the context of the  -        error messages.</P +>Other web sites.</P  ></LI  ><LI  ><P ->(Possibly) If you have a complete netmon trace ( from the opening of  -        the pipe to the error ) you can send the *.CAP file as well.</P -></LI -><LI -><P ->Please think carefully before attaching a document to an email. -        Consider pasting the relevant parts into the body of the message. The samba -        mailing lists go to a huge number of people, do they all need a copy of your  -        smb.conf in their attach directory ?</P +>Mailing list.</P  ></LI  ></UL -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN482" ->How do I get off the mailing lists ?</A -></H2  ><P ->To have your name removed from a samba mailing list, go to the -        same place you went to to get on it. Go to <A -HREF="http://samba.org" -TARGET="_top" ->http://samba.org</A ->, click on your nearest mirror -        and then click on <B -CLASS="COMMAND" ->Support</B -> and then click on <B -CLASS="COMMAND" ->        Samba related mailing lists</B ->. 
Or perhaps see  -        <A -HREF="http://lists.samba.org/mailman/roster/samba-ntdom" +>There is some discussion about guide lines for using the Mailing Lists on the  +    accompanying <A +HREF="samba-pdc-faq.html"  TARGET="_top" ->here</A -></P -><P ->Please don't post messages to the list asking to be removed, you will just -        be refered to the above address (unless that process failed in some way...) -    </P +>FAQ</A +>, +    please read them before posting.</P  ></DIV  ></DIV  ></DIV  | 
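Review bot: in the first hunk (the domain-member section), replacing the whole walkthrough with a pointer to the FAQ drops two details a reader configuring a member server needs: the statement that the trust-account secret file (the `FOREST.SLEEPY.SID` file under the private directory) has permissions `rw-------` and should remain so, and the dummy-account pattern `jblow:x:542:100:Joe Blow:/dev/null:/bin/false` together with its warning that some 'remove user' scripts delete a home directory the user does not own. Unless both already appear in samba-pdc-faq.html under the question the new text names, keep at least the permission sentence here. The new link `HREF="samba-pdc-faq.html"` also points at the top of the FAQ while the italic text names one specific question; a fragment anchor to that section would make the cross-reference usable. Finally, the deleted text contained the internal link `HREF="#AEN171"` and the generated anchor names shift throughout this commit (for example `AEN363` to `AEN298`), so any remaining `#AEN...` references in the file should be checked against the regenerated output.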
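Review bot: in the Chapter 6 hunk, the new SECT1 heading `<A NAME="AEN300"></A>` has no title, so the rendered page shows an empty H1 between 'Chapter 6. Background' and 'History'; either give it a title or drop the SECT1 wrapper. The hunk also removes the entire troubleshooting chapter (the `-d` debug-level advice for smbd and nmbd, attaching gdb to a running smbd, tcpdump-smb and capconvert, the netmon installation steps, and the URL and RFC list) without leaving any pointer to where that material now lives; if it has moved to the FAQ, a one-line reference under 'Getting further help' would save readers a search. The two 'History' paragraphs disagree with each other: one says 2.2.0 'will also include an improved version of the 2.0.7 domain controller' characteristics, the next says main stream Samba 'will soon be called 2.2.0 and NOT officially supporting NTDom Controlling functions'; reword the second to say which functions are and are not supported. Spelling in the added prose: 'lead by' (led by), 'seperate', 'origional', 'myself include' (included), 'dependant', 'strean', 'charactistics', 'rosie' (rosy), and 'its the future' (it's).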
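Review bot: in the 'Getting further help' hunk, the three new list items ('Documents on the Samba Sites.', 'Other web sites.', 'Mailing list.') carry no links, while the lines being deleted are exactly the ones that told the reader where to go (samba.org, then Support, then Samba related mailing lists; www.samba-tng.org for TNG questions; the samba-ntdom roster page); keep at least the samba.org mailing-list path here so this HowTo is usable without the FAQ. The posting guidelines removed in this hunk include the request to send partial logs at a debug level up to 20 rather than the whole log, to state the Samba version and CVS checkout date, and to paste the relevant parts of smb.conf rather than attach it; make sure those are present in samba-pdc-faq.html before the closing sentence relies on 'please read them before posting'. Spelling: 'its very likely' should be 'it's very likely', 'confrounted' should be 'confronted', and 'guide lines' is one word.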
