Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- | docs/htmldocs/advancednetworkmanagement.html | 555
-rw-r--r-- | docs/htmldocs/cups-printing.html | 2773
-rw-r--r-- | docs/htmldocs/domain-member.html | 446
-rw-r--r-- | docs/htmldocs/editreg.1.html | 142
-rw-r--r-- | docs/htmldocs/interdomaintrusts.html | 451
-rw-r--r-- | docs/htmldocs/introsmb.html | 659
-rw-r--r-- | docs/htmldocs/nt4migration.html | 356
-rw-r--r-- | docs/htmldocs/ntlm_auth.1.html | 261
-rw-r--r-- | docs/htmldocs/policymgmt.html | 758
-rw-r--r-- | docs/htmldocs/problems.html | 560
-rw-r--r-- | docs/htmldocs/profilemgmt.html | 1753
-rw-r--r-- | docs/htmldocs/profiles.1.html | 139
-rw-r--r-- | docs/htmldocs/servertype.html | 368
-rw-r--r-- | docs/htmldocs/smbcquotas.1.html | 391
-rw-r--r-- | docs/htmldocs/smbtree.1.html | 304
-rw-r--r-- | docs/htmldocs/swat.html | 233
-rw-r--r-- | docs/htmldocs/unicode.html | 301
17 files changed, 10450 insertions, 0 deletions
diff --git a/docs/htmldocs/advancednetworkmanagement.html b/docs/htmldocs/advancednetworkmanagement.html new file mode 100644 index 0000000000..a57b74f275 --- /dev/null +++ b/docs/htmldocs/advancednetworkmanagement.html 
@@ -0,0 +1,555 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Advanced Network Manangement</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Unified Logons between Windows NT and UNIX using Winbind" +HREF="winbind.html"><LINK +REL="NEXT" +TITLE="System and Account Policies" +HREF="policymgmt.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="winbind.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="policymgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="ADVANCEDNETWORKMANAGEMENT" +></A +>Chapter 16. Advanced Network Manangement</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>16.1. <A +HREF="advancednetworkmanagement.html#AEN2870" +>Configuring Samba Share Access Controls</A +></DT +><DT +>16.2. <A +HREF="advancednetworkmanagement.html#AEN2908" +>Remote Server Administration</A +></DT +><DT +>16.3. 
<A +HREF="advancednetworkmanagement.html#AEN2925" +>Network Logon Script Magic</A +></DT +></DL +></DIV +><P +>This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2870" +>16.1. Configuring Samba Share Access Controls</A +></H1 +><P +>This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control (ie: Full control, Change and Read).</P +><P +>At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management.</P +><P +>Samba stores the per share access control settings in a file called <TT +CLASS="FILENAME" +>share_info.tdb</TT +>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <TT +CLASS="FILENAME" +>/usr/local/samba/var</TT +>. If the <TT +CLASS="FILENAME" +>tdbdump</TT +> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <KBD +CLASS="USERINPUT" +>tdbdump share_info.tdb</KBD +>.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2880" +>16.1.1. 
Share Permissions Management</A +></H2 +><P +>The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN2883" +>16.1.1.1. Windows NT4 Workstation/Server</A +></H3 +><P +>The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +>Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu +select Computer, then click on the Shared Directories entry.</P +></LI +><LI +><P +> Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish.</P +></LI +></OL +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN2892" +>16.1.1.2. Windows 200x/XP</A +></H3 +><P +>On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control on the Share.</P +><P +>MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). 
This tool is located by clicking on <TT +CLASS="FILENAME" +>Control Panel -> +Administrative Tools -> Computer Management</TT +>.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +> After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered.</P +></LI +><LI +><P +>If the Samba server is not shown in the Select Computer box, then type in the name of the target +Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] +next to 'Shared Folders' in the left panel.</P +></LI +><LI +><P +>Now in the right panel, double-click on the share you wish to set access control permissions on. +Then click on the tab 'Share Permissions'. It is now possible to add access control entities +to the shared folder. Do NOT forget to set what type of access (full control, change, read) you +wish to assign for each entry.</P +></LI +></OL +></DIV +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Be careful. If you take away all permissions from the Everyone user without removing this user +then effectively no user will be able to access the share. This is a result of what is known as +ACL precidence. 
ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone +will have no access even if this user is given explicit full control access.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2908" +>16.2. Remote Server Administration</A +></H1 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get 'User Manager' and 'Server Manager'?</I +></SPAN +></P +><P +>Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', +the 'Server Manager'?</P +><P +>Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me +systems. The tools set includes:</P +><P +></P +><UL +><LI +><P +>Server Manager</P +></LI +><LI +><P +>User Manager for Domains</P +></LI +><LI +><P +>Event Viewer</P +></LI +></UL +><P +>Click here to download the archived file <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A +></P +><P +>The Windows NT 4.0 version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2925" +>16.3. Network Logon Script Magic</A +></H1 +><P +>This section needs work. Volunteer contributions most welcome. 
Please send your patches or updates +to <A +HREF="mailto:jht@samba.org" +TARGET="_top" +>John Terpstra</A +>.</P +><P +>There are several opportunities for creating a custom network startup configuration environment.</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>No Logon Script</TD +></TR +><TR +><TD +>Simple universal Logon Script that applies to all users</TD +></TR +><TR +><TD +>Use of a conditional Logon Script that applies per user or per group attirbutes</TD +></TR +><TR +><TD +>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create + a custom Logon Script and then execute it.</TD +></TR +><TR +><TD +>User of a tool such as KixStart</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>The Samba source code tree includes two logon script generation/execution tools. See <TT +CLASS="FILENAME" +>examples</TT +> directory <TT +CLASS="FILENAME" +>genlogon</TT +> and <TT +CLASS="FILENAME" +>ntlogon</TT +> subdirectories.</P +><P +>The following listings are from the genlogon directory.</P +><P +>This is the genlogon.pl file: + +<PRE +CLASS="PROGRAMLISTING" +> #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from smb.conf + # with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standard's Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. 
+ + # Log client connection + #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + open LOG, ">>/var/log/samba/netlogon.log"; + print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; + close LOG; + + # Start generating logon script + open LOGON, ">/shared/netlogon/$ARGV[0].bat"; + print LOGON "\@ECHO OFF\r\n"; + + # Connect shares just use by Software Development group + if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") + { + print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; + } + + # Connect shares just use by Technical Support staff + if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") + { + print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; + } + + # Connect shares just used by Administration staff + If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") + { + print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; + print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; + } + + # Now connect Printers. We handle just two or three users a little + # differently, because they are the exceptions that have desktop + # printers on LPT1: - all other user's go to the LaserJet on the + # server. + if ($ARGV[0] eq 'jim' + || $ARGV[0] eq 'yvonne') + { + print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + else + { + print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + + # All done! Close the output file. 
+ close LOGON;</PRE +></P +><P +>Those wishing to use more elaborate or capable logon processing system should check out the following sites:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>http://www.craigelachie.org/rhacer/ntlogon</TD +></TR +><TR +><TD +>http://www.kixtart.org</TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="winbind.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="policymgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Unified Logons between Windows NT and UNIX using Winbind</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>System and Account Policies</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
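Review bot: In the genlogon.pl listing of section 16.3, the user name passed as %U is used unchecked in `open LOGON, ">/shared/netlogon/$ARGV[0].bat";`, and the header comment has the script run from `root preexec = genlogon.pl %U %G %L`, so an unvalidated argument decides which file root creates or truncates. Suggest rejecting any $ARGV[0] that does not match a strict pattern such as /^[A-Za-z0-9_-]+$/ before it is used, applying the same check before the value is written to /var/log/samba/netlogon.log, and switching both opens to the three-argument form with `or die` so a failed open does not pass silently. Smaller points in the same listing: `If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")` is capitalised and will not compile, and the log line prints $mon and $year straight from localtime, which are zero-based and years since 1900. Elsewhere in this file, the TITLE and H1 read "Manangement", and the warning image SRC points at a local path under /usr/share/sgml/ that will not resolve for readers of the published HTML.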
\ No newline at end of file diff --git a/docs/htmldocs/cups-printing.html b/docs/htmldocs/cups-printing.html new file mode 100644 index 0000000000..bc704e575e --- /dev/null +++ b/docs/htmldocs/cups-printing.html 
@@ -0,0 +1,2773 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>CUPS Printing Support</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Printing Support" +HREF="printing.html"><LINK +REL="NEXT" +TITLE="Unified Logons between Windows NT and UNIX using Winbind" +HREF="winbind.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="printing.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="winbind.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="CUPS-PRINTING" +></A +>Chapter 14. CUPS Printing Support</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>14.1. <A +HREF="cups-printing.html#AEN2035" +>Introduction</A +></DT +><DT +>14.2. <A +HREF="cups-printing.html#AEN2042" +>Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A +></DT +><DT +>14.3. <A +HREF="cups-printing.html#AEN2062" +>CUPS - RAW Print Through Mode</A +></DT +><DT +>14.4. <A +HREF="cups-printing.html#AEN2119" +>CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></DT +><DT +>14.5. 
<A +HREF="cups-printing.html#AEN2140" +>Windows Terminal Servers (WTS) as CUPS clients</A +></DT +><DT +>14.6. <A +HREF="cups-printing.html#AEN2144" +>Setting up CUPS for driver download</A +></DT +><DT +>14.7. <A +HREF="cups-printing.html#AEN2157" +>Sources of CUPS drivers / PPDs</A +></DT +><DT +>14.8. <A +HREF="cups-printing.html#AEN2213" +>The CUPS Filter Chains</A +></DT +><DT +>14.9. <A +HREF="cups-printing.html#AEN2252" +>CUPS Print Drivers and Devices</A +></DT +><DT +>14.10. <A +HREF="cups-printing.html#AEN2329" +>Limiting the number of pages users can print</A +></DT +><DT +>14.11. <A +HREF="cups-printing.html#AEN2425" +>Advanced Postscript Printing from MS Windows</A +></DT +><DT +>14.12. <A +HREF="cups-printing.html#AEN2440" +>Auto-Deletion of CUPS spool files</A +></DT +></DL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2035" +>14.1. Introduction</A +></H1 +><P +>The Common Unix Print System (CUPS) has become very popular, but to many it is +a very mystical tool. There is a great deal of uncertainty regarding CUPS and how +it works. The result is seen in a large number of posting on the samba mailing lists +expressing frustration when MS Windows printers appear not to work with a CUPS +backr-end.</P +><P +>This is a good time to point out how CUPS can be used and what it does. CUPS is more +than just a print spooling system - it is a complete printer management system that +complies with HTTP and IPP protocols. It can be managed remotely via a web browser +and it can print using http and ipp protocols.</P +><P +>CUPS allows to creation of RAW printers (ie: NO file format translation) as well as +SMART printers (ie: CUPS does file format conversion as required for the printer). In +many ways this gives CUPS similar capabilities to the MS Windows print monitoring +system. Of course, if you are a CUPS advocate, you would agrue that CUPS is better! 
+In any case, let us now move on to explore how one may configure CUPS for interfacing +with MS Windows print clients via Samba.</P +><P +><A +HREF="http://www.cups.org/" +TARGET="_top" +>CUPS</A +> is a newcomer in the UNIX printing scene, +which has convinced many people upon first trial already. However, it has quite a few +new features, which make it different from other, more traditional printing systems.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2042" +>14.2. Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A +></H1 +><P +>Printing with CUPS in the most basic <TT +CLASS="FILENAME" +>smb.conf</TT +> +setup in Samba-3 only needs two settings: <B +CLASS="COMMAND" +>printing = cups</B +> and +<B +CLASS="COMMAND" +>printcap = cups</B +>. While CUPS itself doesn't need a printcap +anymore, the <TT +CLASS="FILENAME" +>cupsd.conf</TT +> configuration file knows two directives +(example: <B +CLASS="COMMAND" +>Printcap /etc/printcap</B +> and <B +CLASS="COMMAND" +>PrintcapFormat +BSD</B +>), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! For details see +<B +CLASS="COMMAND" +>man cupsd.conf</B +> and other CUPS-related documentation.</P +><P +>If SAMBA is compiled against libcups, then <B +CLASS="COMMAND" +>printcap = cups</B +> uses the +CUPS API to list printers, submit jobs, etc. Otherwise it maps to the System V commands +with an additional <VAR +CLASS="PARAMETER" +>-oraw</VAR +> option for printing. 
On a Linux system, +you can use the <B +CLASS="COMMAND" +>ldd</B +> command to find out details (ldd may not be +present on other OS platforms, or its function may be embodied by a different command):</P +><P +><PRE +CLASS="PROGRAMLISTING" +>transmeta:/home/kurt # ldd `which smbd` + libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) + libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) + libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) + libdl.so.2 => /lib/libdl.so.2 (0x401e8000) + libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000) + libpam.so.0 => /lib/libpam.so.0 (0x40202000) + libc.so.6 => /lib/libc.so.6 (0x4020b000) + /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)</PRE +></P +><P +>The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. If this is the case, and <B +CLASS="COMMAND" +>printing = cups</B +> is set, then any +otherwise manually set print command in <TT +CLASS="FILENAME" +>smb.conf</TT +> is ignored.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2062" +>14.3. CUPS - RAW Print Through Mode</A +></H1 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>When used in raw print through mode is will be necessary to use the printer +vendor's drivers in each Windows client PC.</P +></TD +></TR +></TABLE +></DIV +><P +>When CUPS printers are configured for RAW print-through mode operation it is the +responsibility of the Samba client to fully render the print job (file) in a format +that is suitable for direct delivery to the printer. 
In this case CUPS will NOT +do any print file format conversion work.</P +><P +>The CUPS files that need to be correctly set for RAW mode printers to work are: + +<P +></P +><UL +><LI +><P +><TT +CLASS="FILENAME" +>/etc/cups/mime.types</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/cups/mime.convs</TT +></P +></LI +></UL +> + +Both contain entries that must be uncommented to allow <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>RAW</I +></SPAN +> mode +operation.</P +><P +>Firstly, to enable CUPS based printing from Samba the following options must be +enabled in your <TT +CLASS="FILENAME" +>smb.conf</TT +> file [globals] section: + +<P +></P +><UL +><LI +><P +>printing = CUPS</P +></LI +><LI +><P +>printcap = CUPS</P +></LI +></UL +> + +When these parameters are specified the print directives in <TT +CLASS="FILENAME" +>smb.conf</TT +> (as well as in +samba itself) will be ignored because samba will directly interface with CUPS through +it's application program interface (API) - so long as Samba has been compiled with +CUPS library (libcups) support. If samba has NOT been compiled with CUPS support then +printing will use the System V AT&T command set with the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>-oraw</I +></SPAN +> +option automatically passing through.</P +><P +>Cupsomatic (an enhanced printing utility that is part of some CUPS implementations) +on the Samba/CUPS server does *not* add any features if a file is really +printed "raw". 
However, if you have loaded the driver for the Windows client from +the CUPS server, using the "cupsaddsmb" utility, and if this driver is one using +a "Foomatic" PPD, the PJL header in question is already added on the Windows client, +at the time when the driver initially generated the PostScript data and CUPS in true +"-oraw" manner doesn't remove this PJL header and passes the file "as is" to its +printer communication backend.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>NOTE: editing in the "mime.convs" and the "mime.types" file does not *enforce* +"raw" printing, it only *allows* it.</P +></TD +></TR +></TABLE +></DIV +><P +>Print files that arrive from MS Windows printing are "auto-typed" by CUPS. This aids +the process of determining proper treatment while in the print queue system. + +<P +></P +><UL +><LI +><P +> Files generated by PCL drivers and directed at PCK printers get auto-typed as + <TT +CLASS="FILENAME" +>application/octet-stream</TT +>. Unknown file format types also + get auto-typed with this tag. + </P +></LI +><LI +><P +> Files generated by a Postscript driver and directed at a Postscript printer + are auto-typed depending on the auto-detected most suitable MIME type as: + + <P +></P +><UL +><LI +><P +>* application/postscript</P +></LI +><LI +><P +>* application/vnd.cups-postscript</P +></LI +></UL +> + </P +></LI +></UL +></P +><P +>"application/postscript" first goes thru the "pstops" filter (where the page counting +and accounting takes place). The outcome will be of MIME type +"application/vnd.cups-postscript". The pstopsfilter reads and uses information from +the PPD and inserts user-provided options into the PostScript file. 
As a consequence, +the filtered file could possibly have an unwanted PJL header.</P +><P +>"application/postscript" will be all files with a ".ps", ".ai", ".eps" suffix or which +have as their first character string one of "%!" or ">04<%".</P +><P +>"application/vnd.cups-postscript" will files which contain the string +"LANGUAGE=POSTSCRIPT" (or similar variations with different capitalization) in the +first 512 bytes, and also contain the "PJL super escape code" in the first 128 bytes +(">1B<%-12345X"). Very likely, most PostScript files generated on Windows using a CUPS +or other PPD, will have to be auto-typed as "vnd.cups-postscript". A file produced +with a "Generic PostScript driver" will just be tagged "application/postscript".</P +><P +>Once the file is in "application/vnd.cups-postscript" format, either "pstoraster" +or "cupsomatic" will take over (depending on the printer configuration, as +determined by the PPD in use).</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>A printer queue with *no* PPD associated to it is a "raw" printer and all files +will go directly there as received by the spooler. The exeptions are file types +"application/octet-stream" which need "passthrough feature" enabled. +"Raw" queues don't do any filtering at all, they hand the file directly to the +CUPS backend. 
This backend is responsible for the sending of the data to the device +(as in the "device URI" notation as lpd://, socket://, smb://, ipp://, http://, +parallel:/, serial:/, usb:/ etc.)</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>"cupsomatic"/Foomatic are *not* native CUPS drivers and they don't ship with CUPS. +They are a Third Party add-on, developed at Linuxprinting.org. As such, they are +a brilliant hack to make all models (driven by Ghostscript drivers/filters in +traditional spoolers) also work via CUPS, with the same (good or bad!) quality +as in these other spoolers. "cupsomatic" is only a vehicle to execute a ghostscript +commandline at that stage in the CUPS filtering chain, where "normally" the native +CUPS "pstoraster" filter would kick in. cupsomatic by-passes pstoraster, "kidnaps" +the printfile from CUPS away and re-directs it to go through Ghostscipt. CUPS accepts this, +because the associated CUPS-O-Matic-/Foomatic-PPD specifies:</P +><PRE +CLASS="PROGRAMLISTING" +> *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"</PRE +><P +>This line persuades CUPS to hand the file to cupsomatic, once it has successfully +converted it to the MIME type "application/vnd.cups-postscript". This conversion will not +happen for Jobs arriving from Windows which are auto-typed "application/octet-stream", +with the according changes in "/etc/cups/mime.types" in place.</P +></TD +></TR +></TABLE +></DIV +><P +>CUPS is widely configurable and flexible, even regarding its filtering mechanism. 
+Another workaround in some situations would be to have +in "/etc/cups/mime.types" entries as follows:</P +><PRE +CLASS="PROGRAMLISTING" +> application/postscript application/vnd.cups-raw 0 - + application/vnd.cups-postscript application/vnd.cups-raw 0 -</PRE +><P +>This would prevent all Postscript files from being filtered (rather, they will go +thru the virtual "nullfilter" denoted with "-"). This could only be useful for +PS printers. If you want to print PS code on non-PS printers an entry as follows +could be useful:</P +><PRE +CLASS="PROGRAMLISTING" +> */* application/vnd.cups-raw 0 -</PRE +><P +>and would effectively send *all* files to the backend without further processing.</P +><P +>Lastly, you could have the following entry:</P +><PRE +CLASS="PROGRAMLISTING" +> application/vnd.cups-postscript application/vnd.cups-raw 0 my_PJL_stripping_filter</PRE +><P +>You will need to write a "my_PJL_stripping_filter" (could be a shellscript) that +parses the PostScript and removes the unwanted PJL. This would need to conform to +CUPS filter design (mainly, receive and pass the parameters printername, job-id, +username, jobtitle, copies, print options and possibly the filename). It would +be installed as world executable into "/usr/lib/cups/filters/" and will be called +by CUPS if it encounters a MIME type "application/vnd.cups-postscript".</P +><P +>CUPS can handle "-o job-hold-until=indefinite". This keeps the job in the queue +"on hold". It will only be printed upon manual release by the printer operator. +This is a requirement in many "central reproduction departments", where a few +operators manage the jobs of hundreds of users on some big machine, where no +user is allowed to have direct access. (The operators often need to load the +proper paper type before running the 10.000 page job requested by marketing +for the mailing, etc.).</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2119" +>14.4. 
CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></H1 +><P +>CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select.</P +><P +>CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see <B +CLASS="COMMAND" +>man lpoptions</B +> or +try if you have <B +CLASS="COMMAND" +>lphelp</B +> on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD options are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer.</P +><P +>CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs.</P +><P +>This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. It can +process all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword <VAR +CLASS="PARAMETER" +>*cupsFilter</VAR +>. 
+This line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format.</P +><P +>CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one).</P +><P +>This feature enables CUPS to do a few tricks no other +spooler can do:</P +><P +></P +><UL +><LI +><P +>act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way;</P +></LI +><LI +><P +>act as a central accounting and billing server, as all files are passed + through the <B +CLASS="COMMAND" +>pstops</B +> Filter and are therefor logged in + the CUPS <TT +CLASS="FILENAME" +>page_log</TT +>. - <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +>this + can not happen with "raw" print jobs, which always remain unfiltered + per definition;</P +></LI +><LI +><P +>enable clients to consolidate on a single PostScript driver, even for + many different target printers.</P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2140" +>14.5. Windows Terminal Servers (WTS) as CUPS clients</A +></H1 +><P +>This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much increased +instability. In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. 
This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver!</P +><P +>Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising...</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2144" +>14.6. Setting up CUPS for driver download</A +></H1 +><P +>The <B +CLASS="COMMAND" +>cupsadsmb</B +> utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. Prior to using it, you need the following settings in <TT +CLASS="FILENAME" +>smb.conf</TT +>:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>[global] + load printers = yes + printing = cups + printcap name = cups + + [printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root + + [print$] + comment = Printer Drivers + path = /etc/samba/drivers + browseable = yes + guest ok = no + read only = yes + write list = root + </PRE +></P +><P +>For licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. 
Once extracted, create a +<TT +CLASS="FILENAME" +>drivers</TT +> directory in the CUPS data directory (usually +<TT +CLASS="FILENAME" +>/usr/share/cups/</TT +>). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> ADFONTS.MFM + ADOBEPS4.DRV + ADOBEPS4.HLP + ADOBEPS5.DLL + ADOBEPSU.DLL + ADOBEPSU.HLP + DEFPRTR2.PPD + ICONLIB.DLL + </PRE +></P +><P +>Users of the ESP Print Pro software are able to install +their "Samba Drivers" package for this purpose with no problem.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2157" +>14.7. Sources of CUPS drivers / PPDs</A +></H1 +><P +>On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models.</P +><P +></P +><UL +><LI +><P +><A +HREF="http://wwwl.easysw.com/printpro/" +TARGET="_top" +>ESP PrintPro + (http://wwwl.easysw.com/printpro/)</A +> + (commercial, non-Free) is packaged with more than 3.000 PPDs, ready for + successful usage "out of the box" on Linux, IBM-AIX, HP-UX, Sun-Solaris, + SGI-IRIX, Compaq Tru64, Digital Unix and some more commercial Unices (it + is written by the CUPS developers themselves and its sales help finance + the further development of CUPS, as they feed their creators)</P +></LI +><LI +><P +>the <A +HREF="http://gimp-print.sourceforge.net/" +TARGET="_top" +>Gimp-Print-Project + (http://gimp-print.sourceforge.net/)</A +> + (GPL, Free Software) provides around 120 PPDs (supporting nearly 300 + printers, many driven to photo quality output), to be used alongside the + Gimp-Print CUPS filters;</P +></LI +><LI +><P +><A +HREF="http://www.turboprint.com/" +TARGET="_top" +>TurboPrint + (http://www.turboprint.com/)</A +> + (Shareware, non-Freee) supports roughly the same amount of printers in + excellent quality;</P +></LI +><LI +><P +><A 
+HREF="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" +TARGET="_top" +>OMNI + (http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</A +> + (LPGL, Free) is a package made by IBM, now containing support for more + than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow + ported over to Linux (CUPS support is in a Beta-stage at present);</P +></LI +><LI +><P +><A +HREF="http://hpinkjet.sourceforge.net/" +TARGET="_top" +>HPIJS + (http://hpinkjet.sourceforge.net/)</A +> + (BSD-style licnes, Free) supports around 120 of HP's own printers and is + also providing excellent print quality now;</P +></LI +><LI +><P +><A +HREF="http://www.linuxprinting.org/" +TARGET="_top" +>Foomatic/cupsomatic (http://www.linuxprinting.org/)</A +> + (LPGL, Free) from Linuxprinting.org are providing PPDs for practically every + Ghostscript filter known to the world, now usable with CUPS.</P +></LI +></UL +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +>the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidnaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished. -- CUPS versions from 1.1.15 and later will provide their pstoraster +PostScript RIP function again inside a system-wide Ghostscript +installation rather than in "their own" pstoraster filter. (This +CUPS-enabling Ghostscript version may be installed either as a +patch to GNU or AFPL Ghostscript, or as a complete ESP Ghostscript package). 
+However, this will not change the cupsomatic approach of guiding the printjob +along a different path through the filtering system than the standard CUPS +way...</P +><P +>Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use <B +CLASS="COMMAND" +>cupsaddsmb</B +> to share the +printer via Samba. <B +CLASS="COMMAND" +>cupsaddsmb</B +> prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2184" +>14.7.1. <B +CLASS="COMMAND" +>cupsaddsmb</B +></A +></H2 +><P +>The <B +CLASS="COMMAND" +>cupsaddsmb</B +> command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from <TT +CLASS="FILENAME" +>/etc/cups/ppd/</TT +> to +[print$].</P +><P +><PRE +CLASS="PROGRAMLISTING" +><SAMP +CLASS="PROMPT" +>root# </SAMP +> <B +CLASS="COMMAND" +>cupsaddsmb -U root infotec_IS2027</B +> +Password for root required to access localhost via SAMBA: <KBD +CLASS="USERINPUT" +>[type in password 'secret']</KBD +></PRE +></P +><P +>To share all printers and drivers, use the <VAR +CLASS="PARAMETER" +>-a</VAR +> +parameter instead of a printer name.</P +><P +>Probably you want to see what's going on. Use the +<VAR +CLASS="PARAMETER" +>-v</VAR +> parameter to get a more verbose output:</P +><P +>Probably you want to see what's going on. Use the +<VAR +CLASS="PARAMETER" +>-v</VAR +> parameter to get a more verbose output:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>Note: The following line shave been wrapped so that information is not lost. 
+ +<SAMP +CLASS="PROMPT" +>root# </SAMP +> cupsaddsmb -v -U root infotec_IS2027 + Password for root required to access localhost via SAMBA: + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put + /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ + ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr + W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) + (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) + (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) + (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) + (average 9247.1 kb/s) + + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put + /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put + /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put + /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put + /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put + /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put + /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put + /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface 
ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) + (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) + (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) + (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) + (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) + (average 12944.0 kb/s) + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) + (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) + (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + ADOBEPSU.HLP:NULL:RAW:NULL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" + "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: + ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' + -c 'setdriver infotec_IS2027 infotec_IS2027' + cmd = setdriver infotec_IS2027 infotec_IS2027 + Succesfully set infotec_IS2027 to driver infotec_IS2027. 
+ + <SAMP +CLASS="PROMPT" +>root# </SAMP +></PRE +></P +><P +>If you look closely, you'll discover your root password was transfered unencrypted over +the wire, so beware! Also, if you look further her, you'll discover error messages like +<CODE +CLASS="CONSTANT" +>NT_STATUS_OBJECT_NAME_COLLISION</CODE +> in between. They occur, because +the directories <TT +CLASS="FILENAME" +>WIN40</TT +> and <TT +CLASS="FILENAME" +>W32X86</TT +> already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here.</P +><P +>Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop"</P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +> +<B +CLASS="COMMAND" +>cupsaddsmb</B +> will only reliably work i +with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients and then point the client's printer queue to the Samba printer +share for connection, should you desire to use the CUPS networked +PostScript RIP functions.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2213" +>14.8. 
The CUPS Filter Chains</A +></H1 +><P +>The following diagrams reveal how CUPS handles print jobs.</P +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# CUPS in and of itself has this (general) filter chain (CAPITAL +# letters are FILE-FORMATS or MIME types, other are filters (this is +# true for pre-1.1.15 of pre-4.3 versions of CUPS and ESP PrintPro): +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT +# | +# | +# V +# pstoraster # as shipped with CUPS, independent from any Ghostscipt +# | # installation on the system +# | (= "postscipt interpreter") +# | +# V +# APPLICATION/VND.CUPS-RASTER +# | +# | +# V +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> (f.e. Gimp-Print filters may be plugged in here) +# | (= "raster driver") +# | +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# | +# V +# backend +# +# +# ESP PrintPro has some enhanced "rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +>" filters as compared to +# CUPS, and also a somewhat improved "pstoraster" filter. +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. 
+# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# This is how "cupsomatic" comes into play: +# ========================================= +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+ +# | | +# | V +# V cupsomatic +# pstoraster (constructs complicated +# | (= "postscipt interpreter") Ghostscript commandline +# | to let the file be +# V processed by a +# APPLICATION/VND.CUPS-RASTER "-sDEVICE=<VAR +CLASS="REPLACEABLE" +>s.th.</VAR +>" +# | call...) +# | | +# V | +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> V +# | (= "raster driver") +-------------------------+ +# | | Ghostscript at work.... | +# V | | +# SOMETHING-DEVICE-SPECIFIC *-------------------------+ +# | | +# | | +# V | +# backend >------------------------------------+ +# | +# | +# V +# THE PRINTER +# +# +# Note, that cupsomatic "kidnaps" the printfile after the +# "APPLICATION/VND.CUPS-POSTSCRPT" stage and deviates it through +# the CUPS-external, systemwide Ghostscript installation, bypassing the +# "pstoraster" filter (therefor also bypassing the CUPS-raster-drivers +# "rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +>", and hands the rasterized file directly to the CUPS +# backend... +# +# cupsomatic is not made by the CUPS developers. It is an independent +# contribution to printing development, made by people from +# Linuxprinting.org. (see also http://www.cups.org/cups-help.html) +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. 
+# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# And this is how it works for ESP PrintPro from 4.3: +# =================================================== +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT +# | +# | +# V +# gsrip +# | (= "postscipt interpreter") +# | +# V +# APPLICATION/VND.CUPS-RASTER +# | +# | +# V +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> (f.e. Gimp-Print filters may be plugged in here) +# | (= "raster driver") +# | +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# | +# V +# backend +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. +# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# This is how "cupsomatic" would come into play with ESP PrintPro: +# ================================================================ +# +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+ +# | | +# | V +# V cupsomatic +# gsrip (constructs complicated +# | (= "postscipt interpreter") Ghostscript commandline +# | to let the file be +# V processed by a +# APPLICATION/VND.CUPS-RASTER "-sDEVICE=<VAR +CLASS="REPLACEABLE" +>s.th.</VAR +>" +# | call...) 
+# | | +# V | +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> V +# | (= "raster driver") +-------------------------+ +# | | Ghostscript at work.... | +# V | | +# SOMETHING-DEVICE-SPECIFIC *-------------------------+ +# | | +# | | +# V | +# backend >------------------------------------+ +# | +# | +# V +# THE PRINTER +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. +# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# And this is how it works for CUPS from 1.1.15: +# ============================================== +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT-----+ +# | +# +------------------v------------------------------+ +# | Ghostscript | +# | at work... | +# | (with | +# | "-sDEVICE=cups") | +# | | +# | (= "postscipt interpreter") | +# | | +# +------------------v------------------------------+ +# | +# | +# APPLICATION/VND.CUPS-RASTER >-------+ +# | +# | +# V +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> +# | (= "raster driver") +# | +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# | +# V +# backend +# +# +# NOTE: since version 1.1.15 CUPS "outsourced" the pstoraster process to +# Ghostscript. GNU Ghostscript needs to be patched to handle the +# CUPS requirement; ESP Ghostscript has this builtin. In any case, +# "gs -h" needs to show up a "cups" device. pstoraster is now a +# calling an appropriate "gs -sDEVICE=cups..." commandline to do +# the job. 
It will output "application/vnd.cup-raster", which will +# be finally processed by a CUPS raster driver "rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +>" +# Note the difference to "cupsomatic", which will *not* output +# CUPS-raster, but a final version of the printfile, ready to be +# sent to the printer. cupsomatic also doesn't use the "cups" +# devicemode in Ghostscript, but one of the classical devicemodes.... +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. +# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# And this is how it works for CUPS from 1.1.15, with cupsomatic included: +# ======================================================================== +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT-----+ +# | +# +------------------v------------------------------+ +# | Ghostscript . Ghostscript at work.... | +# | at work... . (with "-sDEVICE= | +# | (with . <VAR +CLASS="REPLACEABLE" +>s.th.</VAR +>" | +# | "-sDEVICE=cups") . | +# | . | +# | (CUPS standard) . (cupsomatic) | +# | . | +# | (= "postscript interpreter") | +# | . 
| +# +------------------v--------------v---------------+ +# | | +# | | +# APPLICATION/VND.CUPS-RASTER >-------+ | +# | | +# | | +# V | +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> | +# | (= "raster driver") | +# | | +# V | +# SOMETHING-DEVICE-SPECIFIC >------------------------+ +# | +# | +# V +# backend +# +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. +# +##########################################################################</PRE +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2252" +>14.9. CUPS Print Drivers and Devices</A +></H1 +><P +>CUPS ships with good support for HP LaserJet type printers. You can install +the driver as follows: + +<P +></P +><UL +><LI +><P +> lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd + </P +></LI +></UL +> + +(The "-m" switch will retrieve the "laserjet.ppd" from the standard repository +for not-yet-installed-PPDs, which CUPS typically stores in +<TT +CLASS="FILENAME" +>/usr/share/cups/model</TT +>. Alternatively, you may use +"-P /absolute/filesystem/path/to/where/there/is/PPD/your.ppd").</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2259" +>14.9.1. Further printing steps</A +></H2 +><P +>Always also consult the database on linuxprinting.org for all recommendations +about which driver is best used for each printer:</P +><P +><A +HREF="http://www.linuxprinting.org/printer_list.cgi" +TARGET="_top" +>http://www.linuxprinting.org/printer_list.cgi</A +></P +><P +>There select your model and click on "Show". You'll arrive at a page listing +all drivers working with your model. There will always be *one* +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>recommended</I +></SPAN +> one. Try this one first. 
In your case +("HP LaserJet 4 Plus"), you'll arrive here:</P +><P +><A +HREF="http://www.linuxprinting.org/show_printer.cgi?recnum=75104" +TARGET="_top" +>http://www.linuxprinting.org/show_printer.cgi?recnum=75104</A +></P +><P +>The recommended driver is "ljet4". It has a link to the page for the ljet4 +driver too:</P +><P +><A +HREF="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" +TARGET="_top" +>http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</A +></P +><P +>On the driver's page, you'll find important and detailed info about how to use +that driver within the various available spoolers. You can generate a PPD for +CUPS. The PPD contains all the info about how to use your model and the driver; +this is, once installed, working transparently for the user -- you'll only +need to choose resolution, paper size etc. from the web-based menu or from +the print dialog GUI or from the commandline...</P +><P +>On the driver's page, choose to use the "PPD-O-Matic" online PPD generator +program. Select your model and click "Generate PPD file". When you safe the +appearing ASCII text file, don't use "cut'n'past" (as it could possiblly corrupt +line endings and tabs), but use "Save as..." in your browser's menu. Save it +at "/some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</P +><P +>Then install the printer:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \ + -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</PRE +></P +><P +>Note, that for all the "Foomatic-PPDs" from Linuxprinting.org, you also need +a special "CUPS filter" named "cupsomatic". Get the latest version of +"cupsomatic" from:</P +><P +><A +HREF="http://www.linuxprinting.org/cupsomatic" +TARGET="_top" +>http://www.linuxprinting.org/cupsomatic</A +></P +><P +>This needs to be copied to <TT +CLASS="FILENAME" +>/usr/lib/cups/filter/cupsomatic</TT +> +and be made world executable. 
This filter is needed to read and act upon the +specially encoded Foomatic comments, embedded in the printfile, which in turn +are used to construct (transparently for you, the user) the complicated +ghostscript command line needed for your printer/driver combo.</P +><P +>You can have a look at all the options for the Ghostscript commandline supported +by your printer and the ljet4 driver by going to the section "Execution details", +selecting your model (Laserjet 4 Plus) and clicking on "Show execution details". +This will bring up this web page:</P +><P +><A +HREF="http://www.linuxprinting.org/execution.cgi?driver=ljet4&printer=75104&.submit=Show+execution+details" +TARGET="_top" +>http://www.linuxprinting.org/execution.cgi?driver=ljet4&printer=75104&.submit=Show+execution+details</A +></P +><P +>The ingenious thing is that the database is kept current. If there +is a bug fix and an improvement somewhere in the database, you will +always get the most current and stable and feature-rich driver by following +the steps described above.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Till Kamppeter from MandrakeSoft is doing an excellent job here that too few +people are aware of. 
(So if you use it often, please send him a note showing +your appreciation).</P +></TD +></TR +></TABLE +></DIV +><P +>The latest and greatest improvement now is support for "custom page sizes" +for all those printers which support it.</P +><P +>"cupsomatic" is documented here:</P +><P +><A +HREF="http://www.linuxprinting.org/cups-doc.html" +TARGET="_top" +>http://www.linuxprinting.org/cups-doc.html</A +></P +><P +>More printing tutorial info may be found here:</P +><P +><A +HREF="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/" +TARGET="_top" +>http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/</A +></P +><P +>Note, that *all* the Foomatic drivers listed on Linuxprinting.org (now +approaching the "all-time high" number of 1.000 for the supported models) +are using a special filtering chain involving Ghostscript, as described +in this document.</P +><P +>Summary - You need:</P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>A "foomatic+<VAR +CLASS="REPLACEABLE" +>something</VAR +>" PPD is not enough to print with CUPS (but it is *one* important component)</TD +></TR +><TR +><TD +>The "cupsomatic" filter script (Perl) in <TT +CLASS="FILENAME" +>/usr/lib/cups/filters/</TT +></TD +></TR +><TR +><TD +>Perl to make cupsomatic run</TD +></TR +><TR +><TD +>Ghostscript (because it is called and controlled by the PPD/cupsomatic combo in a way to fit your printermodel/driver combo.</TD +></TR +><TR +><TD +>Ghostscript *must*, depending on the driver/model, contain support for a certain "device" (as shown by "gs -h")</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><P +>In the case of the "hpijs" driver, you need a Ghostscript version, which +has "ijs" amongst its supported devices in "gs -h". 
In the case of +"hpijs+foomatic", a valid ghostscript commandline would be reading like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> gs -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE -sDEVICE=ijs \ + -sIjsServer=hpijs<VAR +CLASS="REPLACEABLE" +>PageSize</VAR +> -dDuplex=<VAR +CLASS="REPLACEABLE" +>Duplex</VAR +> <VAR +CLASS="REPLACEABLE" +>Model</VAR +> \ + -r<VAR +CLASS="REPLACEABLE" +>Resolution</VAR +>,PS:MediaPosition=<VAR +CLASS="REPLACEABLE" +>InputSlot</VAR +> -dIjsUseOutputFD \ + -sOutputFile=- -</PRE +></P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Note, that with CUPS and the "hpijs+foomatic" PPD (plus Perl and cupsomatic) +you don't need to remember this. You can choose the available print options +thru a GUI print command (like "glp" from ESP's commercially supported +PrintPro software, or KDE's "kprinter", or GNOME's "gtklp" or the independent +"xpp") or the CUPS web interface via human-readable drop-down selection +menus.</P +></TD +></TR +></TABLE +></DIV +><P +>If you use "ESP Ghostscript" (also under the GPL, provided by Easy Software +Products, the makers of CUPS, downloadable from +<A +HREF="http://www.cups.org/software.html" +TARGET="_top" +>http://www.cups.org/software.html</A +>, +co-maintained by the developers of linuxprinting.org), you are guaranteed to +have in use the most uptodate, bug-fixed, enhanced and stable version of a Free +Ghostscript. 
It contains support for ~300 devices, whereas plain vanilla +GNU Ghostscript 7.05 only has ~200.</P +><P +>If you print only one CUPS test page, from the web interface and when you try to +print a windows test page, it acts like the job was never sent: + +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Can you print "standard" jobs from the CUPS machine?</TD +></TR +><TR +><TD +>Are the jobs from Windows visible in the Web interface on CUPS (http://localhost:631/)?</TD +></TR +><TR +><TD +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Most important:</I +></SPAN +> What kind of printer driver are you using on the Windows clients?</TD +></TR +></TBODY +></TABLE +><P +></P +> + +You can try to get a more detailed debugging info by setting "LogLevel debug" in +<TT +CLASS="FILENAME" +>/etc/cups/cupsd.conf</TT +>, re-start cupsd and investigate <TT +CLASS="FILENAME" +>/var/log/cups/error_log</TT +> +for the whereabouts of your Windows-originating printjobs:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>what does the "auto-typing" line say? which is the "MIME type" CUPS thinks is arriving from the Windows clients?</TD +></TR +><TR +><TD +>are there "filter" available for this MIME type?</TD +></TR +><TR +><TD +>are there "filter rules" defined in "/etc/cups/mime.convs" for this MIME type?</TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2329" +>14.10. Limiting the number of pages users can print</A +></H1 +><P +>The feature you want is dependent on the real print subsystem you're using. +Samba's part is always to receive the job files from the clients (filtered +*or* unfiltered) and hand it over to this printing subsystem.</P +><P +>Of course one could "hack" things with one's own scripts.</P +><P +>But there is CUPS (Common Unix Printing System). CUPS supports "quotas". 
+Quotas can be based on sizes of jobs or on the number of pages or both, +and are spanning any time period you want.</P +><P +>This is an example command how root would set a print quota in CUPS, +assuming an existing printer named "quotaprinter":</P +><PRE +CLASS="PROGRAMLISTING" +> lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 \ + -o job-page-limit=100</PRE +><P +>This would limit every single user to print 100 pages or 1024 KB of +data (whichever comes first) within the last 604.800 seconds ( = 1 week).</P +><P +>For CUPS to count correctly, the printfile needs to pass the CUPS "pstops" filter, +otherwise it uses a "dummy" count of "1". Some printfiles don't pass it +(eg: image files) but then those are mostly 1 page jobs anyway. This also means, +proprietary drivers for the target printer running on the client computers and +CUPS/Samba then spooling these files as "raw" (i.e. leaving them untouched, not +filtering them), will be counted as "1-pagers" too!</P +><P +>You need to send PostScript from the clients (i.e. run a PostScript driver there) +for having the chance to get accounting done. If the printer is a non-PostScript model, +you need to let CUPS do the job to convert the file to a print-ready format for the +target printer. This will be working for currently ~1.000 different printer models, see</P +><PRE +CLASS="PROGRAMLISTING" +> http://www.linuxprinting.org/printer_list.cgi</PRE +><P +>Before CUPS-1.1.16 your only option was to use the Adobe PostScript +Driver on the Windows clients. 
The output of this driver was not always +passed thru the "pstops" filter on the CUPS/Samba side, and therefor was +not counted correctly (the reason is that it often --- depending on the +"PPD" being used --- did write a "PJL"-header in front of the real +PostScript which made CUPS to skip the pstops and go directy to +the "pstoraster" stage).</P +><P +>From CUPS-1.1.16 onward you can use the "CUPS PostScript Driver +for Windows NT/2K/XP clients" (it is tagged in the download area of +http://www.cups.org/ as the "cups-samba-1.1.16.tar.gz" package). +It is *not* working for Win9x/ME clients. But it:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>it guarantees to not write an PJL-header</TD +></TR +><TR +><TD +>it guarantees to still read and support all PJL-options named in the driver PPD with its own means</TD +></TR +><TR +><TD +>it guarantees the file going thru the "pstops" filter on the CUPS/Samba server</TD +></TR +><TR +><TD +>it guarantees to page-count correctly the printfile</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>You can read more about the setup of this combination in the +manpage for "cupsaddsmb" (only present with CUPS installed, only +current with CUPS 1.1.16).</P +><P +>These are the items CUPS logs in the "page_log" for every single *page* of a job:</P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Printer name</TD +></TR +><TR +><TD +>User name</TD +></TR +><TR +><TD +>Job ID</TD +></TR +><TR +><TD +>Time of printing</TD +></TR +><TR +><TD +>the page number</TD +></TR +><TR +><TD +>the number of copies</TD +></TR +><TR +><TD +>a billing info string (optional)</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><P +>Here is an extract of my CUPS server's page_log file to illustrate +the format and included items:</P +><P +><SAMP +CLASS="COMPUTEROUTPUT" +> infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 1 2 #marketing + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 2 2 #marketing + infotec_IS2027 kurt 40 
[22/Nov/2002:13:18:03 +0100] 3 2 #marketing + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 4 2 #marketing + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 5 2 #marketing + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 6 2 #marketing</SAMP +></P +><P +>This was Job ID "40", printed on "infotec_IS2027" by user "kurt", a 6-page job +printed in 2 copies and billed to "#marketing"...</P +><P +>What flaws or shortcomings are there?</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>the ones named above</TD +></TR +><TR +><TD +> CUPS really counts the job pages being *processsed in software* + (going thru the "RIP") rather than the physical sheets successfully + leaving the printing device -- if there is a jam while printing + the 5th sheet out of 1000 and the job is aborted by the printer, + the "page count" will still show the figure of 1000 for that job + </TD +></TR +><TR +><TD +> all quotas are the same for all users (no flexibility to give the + boss a higher quota than the clerk) no support for groups + </TD +></TR +><TR +><TD +> no means to read out the current balance or "used-up" number of current quota + </TD +></TR +><TR +><TD +> a user having used up 99 sheets of 100 quota will still be able to send and print a 1.000 sheet job + </TD +></TR +><TR +><TD +> a user being denied a job because of a filled-up quota doesn't get a meaningful + error message from CUPS other than "client-error-not-possible". + </TD +></TR +></TBODY +></TABLE +><P +></P +><P +>But this is the best system out there currently. 
And there are +huge improvements under development:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>page counting will go into the "backends" (these talk + directly to the printer and will increase the count in sync with the + actual printing process -- a jam at the 5th sheet will lead to a stop in the counting)</TD +></TR +><TR +><TD +>quotas will be handled more flexibly</TD +></TR +><TR +><TD +>probably there will be support for users to inquire their "accounts" in advance</TD +></TR +><TR +><TD +>probably there will be support for some other tools around this topic</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>Other than the current stage of the CUPS development, I don't +know any other ready-to-use tool which you could consider.</P +><P +>You can download the driver files from +<A +HREF="http://www.cups.org/software.html" +TARGET="_top" +>http://www.cups.org/software.html</A +>. +It is a separate package from the CUPS base software files, tagged as "CUPS 1.1.16 +Windows NT/2k/XP Printer Driver for SAMBA (tar.gz, 192k)". The filename to +download is "cups-samba-1.1.16.tar.gz". Upon untar-/unzip-ping it will reveal +the files:</P +><P +> <SAMP +CLASS="COMPUTEROUTPUT" +> cups-samba.install + cups-samba.license + cups-samba.readme + cups-samba.remove + cups-samba.ss + </SAMP +> + </P +><P +>These have been packaged with the ESP meta packager software "EPM". The +*.install and *.remove files are simple shell script, which untars the +*.ss (which is nothing else than a tar-archive) and puts its contents +into <TT +CLASS="FILENAME" +>/usr/share/cups/drivers/</TT +>. 
Its contents are 3 files:</P +><P +> <SAMP +CLASS="COMPUTEROUTPUT" +> cupsdrvr.dll + cupsui.dll + cups.hlp + </SAMP +> + </P +><DIV +CLASS="CAUTION" +><P +></P +><TABLE +CLASS="CAUTION" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/caution.gif" +HSPACE="5" +ALT="Caution"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Due to a bug one CUPS release puts the <TT +CLASS="FILENAME" +>cups.hlp</TT +> +into <TT +CLASS="FILENAME" +>/usr/share/drivers/</TT +> instead of +<TT +CLASS="FILENAME" +>/usr/share/cups/drivers/</TT +>. To work around this, copy/move +the file after running the "./cups-samba.install" script manually to the right place:</P +><P +> <KBD +CLASS="USERINPUT" +> cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ + </KBD +> + </P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>This new CUPS PostScript driver is currently binary-only, but free +no source code is provided (yet). The reason is this: it has +been developed with the help of the Microsoft Driver Developer Kit (DDK) +and compiled with Microsoft Visual Studio 6. It is not clear to the driver +developers if they are allowed to distribute the whole of the source code +as Free Software. 
However, they will likely release the "diff" in source +code under the GPL, so anybody with a license of Visual Studio and a DDK +will be able to compile for him/herself.</P +><P +>Once you have run the install script (and possibly manually moved the +"cups.hlp" file to "/usr/share/cups/drivers/"), the driver is ready to be +put into Samba's [print$] share (which often maps to "/etc/samba/drivers/" +and contains a subdir tree with WIN40 and W32X86 branches), by running +"cupsaddsmb" (see also "man cupsaddsmb" for CUPS 1.1.16). [Don't forget to +put root into the smbpasswd file by running "smbpasswd" should you run +this whole procedure for the first time.] Once the driver files are in the +[print$] share, they are ready to be downloaded and installed by the +Win NT/2k/XP clients.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Win 9x/ME clients won't work with this driver. For these you'd + still need to use the ADOBE*.* drivers as previously. + </P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> It is not harming if you've still the ADOBE*.* driver files from + previous installations in the "/usr/share/cups/drivers/" directory. + The new cupsaddsmb (from 1.1.16) will automatically use the + "newest" installed driver (which here then is the CUPS drivers). 
+ </P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Should your Win clients have had the old ADOBE*.* files and the + Adobe PostScript drivers installed, the download and installation + of the new CUPS PostScript driver for Windows NT/2k/XP will fail + at first. + </P +><P +> It is not enough to "delete" the printer (as the driver files + will still be kept by the clients and re-used if you try to + re-install the printer). To really get rid of the Adobe driver + files on the clients, open the "Printers" folder (possibly via + "Start --> Settings --> Control Panel --> Printers"), right-click + onto the folder background and select "Server Properties". A + new dialog opens; select the "Drivers" tab; on the list select + the driver you want to delete and click on the "Delete" button. + (This will only work if there is no single printer left which + uses that particular driver -- you need to "delete" all printers + using this driver in the "Printers" folder first.) + </P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Once you have successfully downloaded the CUPS PostScript driver + to a client, you can easily switch all printers to this one + by proceeding as described elsewhere in the "Samba HOWTO + Collection" to change a driver for an existing printer. 
+ </P +></TD +></TR +></TABLE +></DIV +><P +>What are the benefits with the "CUPS PostScript driver for Windows NT/2k/XP" +as compared to the Adobe drivers?</P +><P +><P +></P +><UL +><LI +><P +> no hassle with the Adobe EULA + </P +></LI +><LI +><P +> no hassle with the question "where do I get the ADOBE*.* driver files from?" + </P +></LI +><LI +><P +> the Adobe drivers (depending on the printer PPD associated with them) + often put a PJL header in front of the core PostScript part of the print + file (thus the file starts with "<VAR +CLASS="REPLACEABLE" +>1B</VAR +>%-12345X" or "<VAR +CLASS="REPLACEABLE" +>escape</VAR +>%-12345X" + instead of "%!PS"). This leads to the CUPS daemon autotyping the + arriving file as a print-ready file, not requiring a pass thru the + "pstops" filter (to speak more technical, it is not regarded as the + generic MIME type "application/postscript", but as the more special + MIME type "application/cups.vnd-postscript"), which therefore also + leads to the page accounting in "/var/log/cups/page_log" not receiving + the exact mumber of pages; instead the dummy page number of "1" is + logged in a standard setup) + </P +></LI +><LI +><P +> the Adobe driver has more options to "mis-configure" the PostScript + generated by it (like setting it inadvertedly to "Optimize for Speed", + instead of "Optimize for Portability", which could lead to CUPS being + unable to process it) + </P +></LI +><LI +><P +> the CUPS PostScript driver output sent by Windows clients to the CUPS + server will be guaranteed to be auto-typed as generic MIME type + "application/postscript", thusly passing thru the CUPS "pstops" filter + and logging the correct number of pages in the page_log for accounting + and quota purposes + </P +></LI +><LI +><P +> the CUPS PostScript driver supports the sending of additional print + options by the Win NT/2k/XP clients, such as naming the CUPS standard + banner pages (or the custom ones, should they be installed at the time + of 
driver download), using the CUPS "page-label" option, setting a + job-priority and setting the scheduled time of printing (with the option + to support additional useful IPP job attributes in the future). + </P +></LI +><LI +><P +> the CUPS PostScript driver supports the inclusion of the new + "*cupsJobTicket" comments at the beginnig of the PostScript file (which + could be used in the future for all sort of beneficial extensions on + the CUPS side, but which will not disturb any other application as those + will regard it as a comment and simply ignore it). + </P +></LI +><LI +><P +> the CUPS PostScript driver will be the heart of the fully fledged CUPS + IPP client for Windows NT/2k/XP to be released soon (probably alongside + the first Beta release for CUPS 1.2). + </P +></LI +></UL +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2425" +>14.11. Advanced Postscript Printing from MS Windows</A +></H1 +><P +>Let the Windows Clients use a PostScript driver to deliver poistscript to +the samba print server (just like any Linux or Unix Client would also use +PostScript to send to the server)</P +><P +>Make the Unix printing subsystem to which Samba sends the job convert the +incoming PostScript files to the native print format of the target printers +(would be PCL if you have an HP printer)</P +><P +>Now if you are afraid that this would just mean using a *Generic* PostScript +driver for the clients that has no Simplex/Duplex selection, and no paper tray +choice, but you need them to be able to set up print jobs, with all the bells +and whistles of your printers:-</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Not possible with traditional spooling systems</TD +></TR +><TR +><TD +> But perfectly supported by CUPS (which uses "PPD" files to + describe how to control the print options for PostScript and + non-PostScript devices alike... 
+ </TD +></TR +></TBODY +></TABLE +><P +></P +><P +>CUPS PPDs are working perfectly on Windows clients who use Adobe PostScript +drivers (or the new CUPS PostScript driver for Windows NT/2K/XP). Clients can use +them to setup the job to their liking and CUPS will use the received job options +to make the (PCL-, ESC/P- or PostScript-) printer behave as required.</P +><P +>If you want to have the additional benefit of page count logging and accounting +then the CUPS PostScript driver is the best choice (better than the Adobe one).</P +><P +>If you want to make the drivers downloadable for the clients then "cupsaddsmb" is +your friend. It will setup the [print$] share on the Samba host to be ready to serve +the clients for a "point and print" driver installation.</P +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>What strings are attached?</P +></TD +></TR +></TABLE +></DIV +><P +>There are some. But, given the sheer CPU power you can buy nowadays, +these can be overcome easily. The strings:</P +><P +>Well, if the CUPS/Samba side will have to print to many printers serving many users, +you probably will need to set up a second server (which can do automatic load balancing +with the first one, plus a degree of fail-over mechanism). Converting the incoming +PostScript jobs, "interpreting" them for non-PostScript printers, amounts to the work +of a "RIP" (Raster Image Processor) done in software. This requires more CPU and RAM +than for the mere "raw spooling" task your current setup is solving. It all depends +on the avarage and peak printing load the server should be able to handle.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2440" +>14.12. 
Auto-Deletion of CUPS spool files</A +></H1 +><P +>Samba print files pass thru two "spool" directories. One the incoming directory +managed by Samba, (set eg: in the <B +CLASS="COMMAND" +>path = /var/spool/samba</B +> directive in the [printers] +section of <TT +CLASS="FILENAME" +>smb.conf</TT +>). Second is the spool directory of your UNIX print subsystem. +For CUPS it is normally "/var/spool/cups/", as set by the cupsd.conf directive +"RequestRoot /var/spool/cups".</P +><P +>I am not sure, which one of your directories keeps the files. From what you say, +it is most likely the Samba part.</P +><P +>For the CUPS part, you may want to consult:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>http://localhost:631/sam.html#PreserveJobFiles</TD +></TR +><TR +><TD +>http://localhost:631/sam.html#PreserveJobHistory</TD +></TR +><TR +><TD +>http://localhost:631/sam.html#MaxJobs</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>There are the settings described for your CUPS daemon, which could lead to completed +job files not being deleted.</P +><P +>"PreserveJobHistory Yes" -- keeps some details of jobs in +cupsd's mind (well it keeps the "c12345", "c12346" etc. files +in the CUPS spool directory, which do a similar job as the +old-fashioned BSD-LPD control files). This is set to "Yes" +as a default.</P +><P +>"PreserveJobFiles Yes" -- keeps the job files themselves in +cupsd's mind (well it keeps the "d12345", "d12346" etc. files +in the CUPS spool directory...). This is set to "No" as the +CUPS default.</P +><P +>"MaxJobs 500" -- this directive controls the maximum number +of jobs that are kept in memory. Once the number of jobs +reaches the limit, the oldest completed job is automatically +purged from the system to make room for the new one. If all +of the known jobs are still pending or active then the new +job will be rejected. Setting the maximum to 0 disables this +functionality. 
The default setting is 0.</P +><P +>(There are also additional settings for "MaxJobsPerUser" and +"MaxJobsPerPrinter"...)</P +><P +>For everything to work as announced, you need to have three things:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +> a Samba-<SPAN +CLASS="APPLICATION" +>smbd</SPAN +> which is compiled against "libcups" (Check on Linux by running <KBD +CLASS="USERINPUT" +>ldd `which smbd`</KBD +>) + </TD +></TR +><TR +><TD +> a Samba-<TT +CLASS="FILENAME" +>smb.conf</TT +> setting of <B +CLASS="COMMAND" +>printing = cups</B +> + </TD +></TR +><TR +><TD +> another Samba-<TT +CLASS="FILENAME" +>smb.conf</TT +> setting of <B +CLASS="COMMAND" +>printcap = cups</B +> + </TD +></TR +></TBODY +></TABLE +><P +></P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Note, that in this case all other manually set printing-related +commands (like "print command", "lpq command", "lprm command", +"lppause command" or "lpresume command") are ignored and they +should normally have no influence what-so-ever on your printing.</P +></TD +></TR +></TABLE +></DIV +><P +>If you want to do things manually, replace the "printing = cups" +by "printing = bsd". Then your manually set commands may work +(haven't tested this), and a "print command = lp -d %P %s; rm %s" +may do what you need.</P +><P +>You forgot to mention the CUPS version you're using. If you did +set things up as described in the man pages, then the Samba +spool files should be deleted. Otherwise it may be a bug. 
On +the CUPS side, you can control the behaviour as described +above.</P +><P +>If you have more problems, post the output of these commands:</P +><P +><KBD +CLASS="USERINPUT" +> grep -v ^# /etc/cups/cupsd.conf | grep -v ^$ + grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"</KBD +></P +><P +>(adapt paths as needed). These commands sanitize the files +and cut out the empty lines and lines with comments, providing +the "naked settings" in a compact way.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="printing.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="winbind.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Printing Support</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Unified Logons between Windows NT and UNIX using Winbind</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
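Review bot: In section 14.12 (Auto-Deletion of CUPS spool files) the closing paragraph says the two grep commands "sanitize" cupsd.conf and smb.conf before the output is posted, but they only drop comment lines and empty lines, so every remaining setting is published as it stands; reword this to "strip comments and empty lines" and ask readers to review the output before posting it. The same section still reads as a reply to one user ("I am not sure, which one of your directories keeps the files", "You forgot to mention the CUPS version you're using") and should be rewritten as documentation. It also recommends "print command = lp -d %P %s; rm %s" while stating "haven't tested this"; in smb.conf the printer name is %p and %P is the root directory of the service, so the example should be tested and corrected or dropped. The admonition images reference /usr/share/sgml/docbook/stylesheet/dsssl/modular/images/ on the build host, which will not resolve for readers of the generated HTML.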
\ No newline at end of file diff --git a/docs/htmldocs/domain-member.html b/docs/htmldocs/domain-member.html new file mode 100644 index 0000000000..97eaaf799d --- /dev/null +++ b/docs/htmldocs/domain-member.html 
@@ -0,0 +1,446 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Samba as a NT4 or Win2k domain member</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Type of installation" +HREF="type.html"><LINK +REL="PREVIOUS" +TITLE="Samba as a ADS domain member" +HREF="ads.html"><LINK +REL="NEXT" +TITLE="Advanced Configuration" +HREF="optional.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="ads.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="optional.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="DOMAIN-MEMBER" +></A +>Chapter 10. Samba as a NT4 or Win2k domain member</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>10.1. <A +HREF="domain-member.html#AEN1448" +>Joining an NT Domain with Samba 3.0</A +></DT +><DT +>10.2. <A +HREF="domain-member.html#AEN1502" +>Why is this better than security = server?</A +></DT +></DL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1448" +>10.1. 
Joining an NT Domain with Samba 3.0</A +></H1 +><P +>Assume you have a Samba 3.0 server with a NetBIOS name of + <CODE +CLASS="CONSTANT" +>SERV1</CODE +> and are joining an or Win2k NT domain called + <CODE +CLASS="CONSTANT" +>DOM</CODE +>, which has a PDC with a NetBIOS name + of <CODE +CLASS="CONSTANT" +>DOMPDC</CODE +> and two backup domain controllers + with NetBIOS names <CODE +CLASS="CONSTANT" +>DOMBDC1</CODE +> and <CODE +CLASS="CONSTANT" +>DOMBDC2 + </CODE +>.</P +><P +>Firstly, you must edit your <TT +CLASS="FILENAME" +>smb.conf</TT +> file to tell Samba it should + now use domain security.</P +><P +>Change (or add) your <A +HREF="smb.conf.5.html#SECURITY" +TARGET="_top" +> <VAR +CLASS="PARAMETER" +>security =</VAR +></A +> line in the [global] section + of your <TT +CLASS="FILENAME" +>smb.conf</TT +> to read:</P +><P +><B +CLASS="COMMAND" +>security = domain</B +></P +><P +>Next change the <A +HREF="smb.conf.5.html#WORKGROUP" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> workgroup =</VAR +></A +> line in the [global] section to read: </P +><P +><B +CLASS="COMMAND" +>workgroup = DOM</B +></P +><P +>as this is the name of the domain we are joining. </P +><P +>You must also have the parameter <A +HREF="smb.conf.5.html#ENCRYPTPASSWORDS" +TARGET="_top" +> <VAR +CLASS="PARAMETER" +>encrypt passwords</VAR +></A +> set to <CODE +CLASS="CONSTANT" +>yes + </CODE +> in order for your users to authenticate to the NT PDC.</P +><P +>Finally, add (or modify) a <A +HREF="smb.conf.5.html#PASSWORDSERVER" +TARGET="_top" +> <VAR +CLASS="PARAMETER" +>password server =</VAR +></A +> line in the [global] + section to read: </P +><P +><B +CLASS="COMMAND" +>password server = DOMPDC DOMBDC1 DOMBDC2</B +></P +><P +>These are the primary and backup domain controllers Samba + will attempt to contact in order to authenticate users. 
Samba will + try to contact each of these servers in order, so you may want to + rearrange this list in order to spread out the authentication load + among domain controllers.</P +><P +>Alternatively, if you want smbd to automatically determine + the list of Domain controllers to use for authentication, you may + set this line to be :</P +><P +><B +CLASS="COMMAND" +>password server = *</B +></P +><P +>This method, allows Samba to use exactly the same + mechanism that NT does. This + method either broadcasts or uses a WINS database in order to + find domain controllers to authenticate against.</P +><P +>In order to actually join the domain, you must run this + command:</P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>net rpc join -S DOMPDC + -U<VAR +CLASS="REPLACEABLE" +>Administrator%password</VAR +></KBD +></P +><P +>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <VAR +CLASS="REPLACEABLE" +>Administrator%password</VAR +> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</P +><P +><SAMP +CLASS="COMPUTEROUTPUT" +>Joined domain DOM.</SAMP +> + or <SAMP +CLASS="COMPUTEROUTPUT" +>Joined 'SERV1' to realm 'MYREALM'</SAMP +> + </P +><P +>in your terminal window. 
See the <A +HREF="net.8.html" +TARGET="_top" +> net(8)</A +> man page for more details.</P +><P +>This process joins the server to thedomain + without having to create the machine trust account on the PDC + beforehand.</P +><P +>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/private/secrets.tdb</TT +></P +><P +>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</P +><P +>Finally, restart your Samba daemons and get ready for + clients to begin using domain security!</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1502" +>10.2. Why is this better than security = server?</A +></H1 +><P +>Currently, domain security in Samba doesn't free you from + having to create local Unix users to represent the users attaching + to your server. This means that if domain user <CODE +CLASS="CONSTANT" +>DOM\fred + </CODE +> attaches to your domain security Samba server, there needs + to be a local Unix user fred to represent that user in the Unix + filesystem. This is very similar to the older Samba security mode + <A +HREF="smb.conf.5.html#SECURITYEQUALSSERVER" +TARGET="_top" +>security = server</A +>, + where Samba would pass through the authentication request to a Windows + NT server in the same way as a Windows 95 or Windows 98 server would. + </P +><P +>Please refer to the <A +HREF="winbind.html" +TARGET="_top" +>Winbind + paper</A +> for information on a system to automatically + assign UNIX uids and gids to Windows NT Domain users and groups. 
+ This code is available in development branches only at the moment, + but will be moved to release branches soon.</P +><P +>The advantage to domain-level security is that the + authentication in domain-level security is passed down the authenticated + RPC channel in exactly the same way that an NT server would do it. This + means Samba servers now participate in domain trust relationships in + exactly the same way NT servers do (i.e., you can add Samba servers into + a resource domain and have the authentication passed on from a resource + domain PDC to an account domain PDC.</P +><P +>In addition, with <B +CLASS="COMMAND" +>security = server</B +> every Samba + daemon on a server has to keep a connection open to the + authenticating server for as long as that daemon lasts. This can drain + the connection resources on a Microsoft NT server and cause it to run + out of available connections. With <B +CLASS="COMMAND" +>security = domain</B +>, + however, the Samba daemons connect to the PDC/BDC only for as long + as is necessary to authenticate the user, and then drop the connection, + thus conserving PDC connection resources.</P +><P +>And finally, acting in the same manner as an NT server + authenticating to a PDC means that as part of the authentication + reply, the Samba server gets the user identification information such + as the user SID, the list of NT groups the user belongs to, etc. 
</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Much of the text of this document + was first published in the Web magazine <A +HREF="http://www.linuxworld.com" +TARGET="_top" +> + LinuxWorld</A +> as the article <A +HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" +TARGET="_top" +>Doing + the NIS/NT Samba</A +>.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="ads.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Samba as a ADS domain member</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="type.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Advanced Configuration</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
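Review bot: The NOTE block that closes section 10.2 of domain-member.html loads its icon from /usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif, an absolute path on the build host that will not resolve once the page is served from docs/htmldocs. Point the stylesheet at a relative image directory shipped with the docs, or turn admonition graphics off. In the same hunk, "joins the server to thedomain" is missing a space, and the parenthesis opened at "(i.e., you can add Samba servers into a resource domain" is never closed. The secrets.tdb paragraph tells administrators to treat the file like a shadow password file, so it should also state the expected owner and mode, which would let the claim "not readable by any other user" be checked after a join. The GENERATOR meta tag shows this HTML is stylesheet output, so these fixes belong in the DocBook source.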
\ No newline at end of file diff --git a/docs/htmldocs/editreg.1.html b/docs/htmldocs/editreg.1.html new file mode 100644 index 0000000000..571e50560c --- /dev/null +++ b/docs/htmldocs/editreg.1.html 
@@ -0,0 +1,142 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>editreg</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="EDITREG.1" +></A +>editreg</H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>editreg -- A utility to report and change SIDs in registry files + </DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>editreg</B +> [-v] [-c file] {file}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN14" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>Samba</SPAN +>(7)</SPAN +> suite.</P +><P +><B +CLASS="COMMAND" +>editreg</B +> is a utility that + can visualize windows registry files (currently only NT4) and apply + so-called commandfiles to them. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>registry_file</DT +><DD +><P +>Registry file to view or edit. </P +></DD +><DT +>-v,--verbose</DT +><DD +><P +>Increases verbosity of messages. + </P +></DD +><DT +>-c commandfile</DT +><DD +><P +>Read commands to execute on <TT +CLASS="FILENAME" +>registry_file</TT +> from <TT +CLASS="FILENAME" +>commandfile</TT +>. Currently not yet supported! + </P +></DD +><DT +>-h|--help</DT +><DD +><P +>Print a summary of command line options.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN43" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 3.0 of the Samba + suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN46" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. 
Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The editreg man page was written by Jelmer Vernooij. </P +></DIV +></BODY +></HTML +>
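Review bot: The Name line of editreg.1.html promises "A utility to report and change SIDs in registry files", but DESCRIPTION only says the tool can visualize NT4 registry files and apply commandfiles, and the -c entry under OPTIONS ends with "Currently not yet supported!", so as documented the tool cannot change anything. Reword the Name line to match what the page describes, or state explicitly that editing is not implemented yet. The Synopsis should also list -h|--help, which OPTIONS documents, and use the same operand name as OPTIONS (registry_file rather than {file}).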
\ No newline at end of file diff --git a/docs/htmldocs/interdomaintrusts.html b/docs/htmldocs/interdomaintrusts.html new file mode 100644 index 0000000000..10efda81a2 --- /dev/null +++ b/docs/htmldocs/interdomaintrusts.html 
@@ -0,0 +1,451 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Interdomain Trust Relationships</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Desktop Profile Management" +HREF="profilemgmt.html"><LINK +REL="NEXT" +TITLE="PAM Configuration for Centrally Managed Authentication" +HREF="pam.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="profilemgmt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="pam.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="INTERDOMAINTRUSTS" +></A +>Chapter 19. Interdomain Trust Relationships</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>19.1. <A +HREF="interdomaintrusts.html#AEN3447" +>Trust Relationship Background</A +></DT +><DT +>19.2. <A +HREF="interdomaintrusts.html#AEN3456" +>Native MS Windows NT4 Trusts Configuration</A +></DT +><DD +><DL +><DT +>19.2.1. <A +HREF="interdomaintrusts.html#AEN3459" +>NT4 as the Trusting Domain (ie. creating the trusted account)</A +></DT +><DT +>19.2.2. <A +HREF="interdomaintrusts.html#AEN3462" +>NT4 as the Trusted Domain (ie. creating trusted account's password)</A +></DT +></DL +></DD +><DT +>19.3. 
<A +HREF="interdomaintrusts.html#AEN3465" +>Configuring Samba NT-style Domain Trusts</A +></DT +><DD +><DL +><DT +>19.3.1. <A +HREF="interdomaintrusts.html#AEN3469" +>Samba-3 as the Trusting Domain</A +></DT +><DT +>19.3.2. <A +HREF="interdomaintrusts.html#AEN3481" +>Samba-3 as the Trusted Domain</A +></DT +></DL +></DD +></DL +></DIV +><P +>Samba-3 supports NT4 style domain trust relationships. This is feature that many sites +will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to +adopt Active Directory or an LDAP based authentication back end. This section explains +some background information regarding trust relationships and how to create them. It is now +possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3447" +>19.1. Trust Relationship Background</A +></H1 +><P +>MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. +The limitations of this architecture as it affects the scalability of MS Windows networking +in large organisations is well known. Additionally, the flat-name space that results from +this design significantly impacts the delegation of administrative responsibilities in +large and diverse organisations.</P +><P +>Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means +of circumventing the limitations of the older technologies. Not every organisation is ready +or willing to embrace ADS. For small companies the older NT4 style domain security paradigm +is quite adequate, there thus remains an entrenched user base for whom there is no direct +desire to go through a disruptive change to adopt ADS.</P +><P +>Microsoft introduced with MS Windows NT the ability to allow differing security domains +to affect a mechanism so that users from one domain may be given access rights and privileges +in another domain. 
The language that describes this capability is couched in terms of +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Trusts</I +></SPAN +>. Specifically, one domain will <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>trust</I +></SPAN +> the users +from another domain. The domain from which users are available to another security domain is +said to be a trusted domain. The domain in which those users have assigned rights and privileges +is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, +thus if users in both domains are to have privileges and rights in each others' domain, then it is +necessary to establish two (2) relationships, one in each direction.</P +><P +>In an NT4 style MS security domain, all trusts are non-transitive. This means that if there +are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust +relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no +implied trust between the RED and BLUE domains. ie: Relationships are explicit and not +transitive.</P +><P +>New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way +by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE +domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is +an inherent feature of ADS domains. Samba-3 implements MS Windows NT4 +style Interdomain trusts and interoperates with MS Windows 200x ADS +security domains in similar manner to MS Windows NT4 style domains.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3456" +>19.2. Native MS Windows NT4 Trusts Configuration</A +></H1 +><P +>There are two steps to creating an interdomain trust relationship.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3459" +>19.2.1. NT4 as the Trusting Domain (ie. 
creating the trusted account)</A +></H2 +><P +>For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. +To affect a two way trust relationship it is necessary for each domain administrator to make +available (for use by an external domain) it's security resources. This is done from the Domain +User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then +next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and +"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that +will be able to assign user rights to your domain. In addition it is necessary to enter a password +that is specific to this trust relationship. The password needs to be +typed twice (for standard confirmation).</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3462" +>19.2.2. NT4 as the Trusted Domain (ie. creating trusted account's password)</A +></H2 +><P +>A trust relationship will work only when the other (trusting) domain makes the appropriate connections +with the trusted domain. To consumate the trust relationship the administrator will launch the +Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the +"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in +which must be entered the name of the remote domain as well as the password assigned to that trust.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3465" +>19.3. Configuring Samba NT-style Domain Trusts</A +></H1 +><P +>This description is meant to be a fairly short introduction about how to set up a Samba server so +that it could participate in interdomain trust relationships. 
Trust relationship support in Samba +is in its early stage, so lot of things don't work yet.</P +><P +>Each of the procedures described below is treated as they were performed with Windows NT4 Server on +one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after +reading this document, that combining Samba-specific parts of what's written below leads to trust +between domains in purely Samba environment.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3469" +>19.3.1. Samba-3 as the Trusting Domain</A +></H2 +><P +>In order to set Samba PDC to be trusted party of the relationship first you need +to create special account for the domain that will be the trusting party. To do that, +you can use the 'smbpasswd' utility. Creating the trusted domain account is very +similiar to creating a trusted machine account. Suppose, your domain is +called SAMBA, and the remote domain is called RUMBA. The first step +will be to issue this command from your favourite shell:</P +><P +><PRE +CLASS="SCREEN" +> <SAMP +CLASS="PROMPT" +>deity#</SAMP +> <KBD +CLASS="USERINPUT" +>smbpasswd -a -i rumba</KBD +> + New SMB password: XXXXXXXX + Retype SMB password: XXXXXXXX + Added user rumba$</PRE +> + +where <VAR +CLASS="PARAMETER" +>-a</VAR +> means to add a new account into the +passdb database and <VAR +CLASS="PARAMETER" +>-i</VAR +> means: ''create this +account with the InterDomain trust flag''</P +><P +>The account name will be 'rumba$' (the name of the remote domain)</P +><P +>After issuing this command you'll be asked to enter the password for +the account. You can use any password you want, but be aware that Windows NT will +not change this password until 7 days following account creation. +After the command returns successfully, you can look at the entry for new account +(in the way depending on your configuration) and see that account's name is +really RUMBA$ and it has 'I' flag in the flags field. 
Now you're ready to confirm +the trust by establishing it from Windows NT Server.</P +><P +>Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. +Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for +the trusted domain name and the relationship password. Type in SAMBA, as this is +your domain name, and the password used at the time of account creation. +Press OK and, if everything went without incident, you will see 'Trusted domain relationship +successfully established' message.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3481" +>19.3.2. Samba-3 as the Trusted Domain</A +></H2 +><P +>This time activities are somewhat reversed. Again, we'll assume that your domain +controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.</P +><P +>The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.</P +><P +>Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. +Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted +domain (SAMBA) and password securing the relationship.</P +><P +>The password can be arbitrarily chosen. It is easy to change it the password +from Samba server whenever you want. After confirming the password your account is +ready for use. Now it's Samba's turn.</P +><P +>Using your favourite shell while being logged in as root, issue this command:</P +><P +><SAMP +CLASS="PROMPT" +>deity# </SAMP +><KBD +CLASS="USERINPUT" +>net rpc trustdom establish rumba</KBD +></P +><P +>You will be prompted for the password you just typed on your Windows NT4 Server box. +Don not worry if you see an error message that mentions a returned code of +<SPAN +CLASS="ERRORNAME" +>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</SPAN +>. 
It means the +password you gave is correct and the NT4 Server says the account is +ready for interdomain connection and not for ordinary +connection. After that, be patient it can take a while (especially +in large networks), you should see the 'Success' message. Congratulations! Your trust +relationship has just been established.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Note that you have to run this command as root because you must have write access to +the <TT +CLASS="FILENAME" +>secrets.tdb</TT +> file.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="profilemgmt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="pam.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Desktop Profile Management</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>PAM Configuration for Centrally Managed Authentication</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
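Review bot: Section 19.3.1 of interdomaintrusts.html is titled "Samba-3 as the Trusting Domain", but its first sentence reads "In order to set Samba PDC to be trusted party of the relationship", and the steps that follow (creating rumba$ with smbpasswd -a -i, then entering SAMBA next to the 'Trusted domains' list on the NT server) make SAMBA the trusted domain under the definitions in 19.1. Section 19.3.2 carries the opposite title for the opposite procedure, so the two titles look swapped. Please check 19.2.1 and 19.2.2 for the same swap, because trust direction decides whose accounts are granted rights in which domain and a reader following the headings would configure the reverse relationship. Smaller fixes in the same hunk: "Don not worry", "It is easy to change it the password", "consumate", "similiar", and "it's security resources".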
\ No newline at end of file diff --git a/docs/htmldocs/introsmb.html b/docs/htmldocs/introsmb.html new file mode 100644 index 0000000000..52db6a8a95 --- /dev/null +++ b/docs/htmldocs/introsmb.html 
@@ -0,0 +1,659 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Introduction to Samba</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="General installation" +HREF="introduction.html"><LINK +REL="PREVIOUS" +TITLE="General installation" +HREF="introduction.html"><LINK +REL="NEXT" +TITLE="How to Install and Test SAMBA" +HREF="install.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="introduction.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="install.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="INTROSMB" +></A +>Chapter 1. Introduction to Samba</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>1.1. <A +HREF="introsmb.html#AEN61" +>Background</A +></DT +><DT +>1.2. <A +HREF="introsmb.html#AEN67" +>Terminology</A +></DT +><DT +>1.3. <A +HREF="introsmb.html#AEN91" +>Related Projects</A +></DT +><DT +>1.4. <A +HREF="introsmb.html#AEN100" +>SMB Methodology</A +></DT +><DT +>1.5. <A +HREF="introsmb.html#AEN115" +>Additional Resources</A +></DT +><DT +>1.6. <A +HREF="introsmb.html#AEN151" +>Epilogue</A +></DT +><DT +>1.7. 
<A +HREF="introsmb.html#AEN162" +>Miscellaneous</A +></DT +></DL +></DIV +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>"If you understand what you're doing, you're not learning anything." +-- Anonymous</I +></SPAN +></P +><P +>Samba is a file and print server for Windows-based clients using TCP/IP as the underlying +transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big +strengths is that you can use it to blend your mix of Windows and Linux machines together +without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed +by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN61" +>1.1. Background</A +></H1 +><P +>Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed +Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was +originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only +ran over UDP. When there was a need to run it over TCP so that it would be compatible +with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became +known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to +license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the +concept continued in the form of SMB (Server Message Block, or the "what") using the +NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can +run SMB (i.e., transport) over several different protocols; many different implementations +arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT +(NetBIOS over TCP/IP, or NetBT). 
As the years passed, NBT became the most common form +of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing +term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445 +only. As of yet, direct-hosted TCP has yet to catch on.</P +><P +>Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS: +Common Insecurities Fail Scrutiny:</P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba +stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have +been dutifully waded through during the information-gathering stages of this project, and there +are *still* many missing pieces... While often tedious, at least the way has been generously +littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they +thinking?</I +></SPAN +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN67" +>1.2. Terminology</A +></H1 +><P +></P +><UL +><LI +><P +> SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol. + </P +></LI +><LI +><P +> CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently + decided that SMB needed the word "Internet" in it, so they changed it to CIFS. + </P +></LI +><LI +><P +> Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp + only using DNS for name resolution instead of WINS. + </P +></LI +><LI +><P +> IPC: Acronym for "Inter-Process Communication". A method to communicate specific + information between programs. + </P +></LI +><LI +><P +> Marshalling: - A method of serializing (i.e., sequential ordering of) variable data + suitable for transmission via a network connection or storing in a file. The source + data can be re-created using a similar process called unmarshalling. 
+ </P +></LI +><LI +><P +> NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol; + it is a method of communication across an existing protocol. This is a standard which + was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit, + it can help to think of this in comparison your computer's BIOS -- it controls the + essential functions of your input/output hardware -- whereas NetBIOS controls the + essential functions of your input/output traffic via the network. Again, this is a bit + of an exaggeration but it should help that paradigm shift. What is important to realize + is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically + brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second + thought; this will cause no end (and no doubt) of confusion. + </P +></LI +><LI +><P +> NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI + is a protocol, not a standard. It is also not routable, so traffic on one side of a + router will be unable to communicate with the other side. Understanding NetBEUI is + not essential to deciphering SMB; however it helps to point out that it is not the + same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally + referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver". + It is not often heard from these days. + </P +></LI +><LI +><P +> NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use + of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made + to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports. + This is how file and printer sharing are accomplished in Windows 95/98/ME. 
They + traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137, + NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service + (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts, + and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002 + (Detailed specifications). + </P +></LI +><LI +><P +> W2K: Acronym for Windows 2000 Professional or Server + </P +></LI +><LI +><P +> W3K: Acronym for Windows 2003 Server + </P +></LI +></UL +><P +>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at +http://www.samba.org). Optionally, you could just search mailing.unix.samba at http://groups.google.com</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN91" +>1.3. Related Projects</A +></H1 +><P +>Currently, there are two projects that are directly related to Samba: SMBFS and CIFS network +client file systems for Linux, both available in the Linux kernel itself.</P +><P +></P +><UL +><LI +><P +> SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol + that Microsoft Windows and OS/2 Lan Manager use to share files and printers + over local networks) and access them just like any other Unix directory. This is useful + if you just want to mount such filesystems without being a SMBFS server. + </P +></LI +><LI +><P +> CIFS (Common Internet File System) is the successor to SMB, and is actively being worked + on in the upcoming version of the Linux kernel. The intent of this module is to + provide advanced network file system functionality including support for dfs (heirarchical + name space), secure per-user session establishment, safe distributed caching (oplock), + optional packet signing, Unicode and other internationalization improvements, and optional + Winbind (nsswitch) integration. 
+ </P +></LI +></UL +><P +>Again, it's important to note that these are implementations for client filesystems, and have +nothing to do with acting as a file and print server for SMB/CIFS clients.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN100" +>1.4. SMB Methodology</A +></H1 +><P +>Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns), +UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS +session service, or netbios-ssn). Anyone looking at their network with a good +packet sniffer will be amazed at the amount of traffic generated by just opening +up a single file. In general, SMB sessions are established in the following order:</P +><P +></P +><UL +><LI +><P +> "TCP Connection" - establish 3-way handshake (connection) to port 139/tcp + or 445/tcp. + </P +></LI +><LI +><P +> "NetBIOS Session Request" - using the following "Calling Names": The local + machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS + name plus the 16th character 0x20 + </P +></LI +><LI +><P +> "SMB Negotiate Protocol" - determine the protocol dialect to use, which will + be one of the following: PC Network Program 1.0 (Core) - share level security + mode only; Microsoft Networks 1.03 (Core Plus) - share level security + mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response + Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response + Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response + Authentication + </P +></LI +><LI +><P +> SMB Session Startup. 
Passwords are encrypted (or not) according to one of + the following methods: Null (no encryption); Cleartext (no encryption); LM + and NTLM; NTLM; NTLMv2 + </P +></LI +><LI +><P +> SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect + to a service type (e.g., IPC$ named pipe) + </P +></LI +></UL +><P +>A good way to examine this process in depth is to try out SecurityFriday's SWB program +at http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html. It allows you to +walk through the establishment of a SMB/CIFS session step by step.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN115" +>1.5. Additional Resources</A +></H1 +><P +></P +><UL +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>CIFS: Common Insecurities Fail Scrutiny</I +></SPAN +> by "Hobbit", + http://hr.uoregon.edu/davidrl/cifs.txt + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Doing the Samba on Windows</I +></SPAN +> by Financial Review, + http://afr.com/it/2002/10/01/FFXDF43AP6D.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Implementing CIFS</I +></SPAN +> by Christopher R. 
Hertel, + http://ubiqx.org/cifs/ + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Just What Is SMB?</I +></SPAN +> by Richard Sharpe, + http://samba.anu.edu.au/cifs/docs/what-is-smb.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Opening Windows Everywhere</I +></SPAN +> by Mike Warfield, + http://www.linux-mag.com/1999-05/samba_01.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SMB HOWTO</I +></SPAN +> by David Wood, + http://www.tldp.org/HOWTO/SMB-HOWTO.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SMB/CIFS by The Root</I +></SPAN +> by "ledin", + http://www.phrack.org/phrack/60/p60-0x0b.txt + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The Story of Samba</I +></SPAN +> by Christopher R. Hertel, + http://www.linux-mag.com/1999-09/samba_01.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The Unofficial Samba HOWTO</I +></SPAN +> by David Lechnyr, + http://hr.uoregon.edu/davidrl/samba/ + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Understanding the Network Neighborhood</I +></SPAN +> by Christopher R. Hertel, + http://www.linux-mag.com/2001-05/smb_01.html + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Using Samba as a PDC</I +></SPAN +> by Andrew Bartlett, + http://www.linux-mag.com/2002-02/samba_01.html + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN151" +>1.6. Epilogue</A +></H1 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>"What's fundamentally wrong is that nobody ever had any taste when they +did it. Microsoft has been very much into making the user interface look good, +but internally it's just a complete mess. And even people who program for Microsoft +and who have had years of experience, just don't know how it works internally. +Worse, nobody dares change it. 
Nobody dares to fix bugs because it's such a +mess that fixing one bug might just break a hundred programs that depend on +that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested +in making money. They don't have anybody who takes pride in Windows 95 as an +operating system.</I +></SPAN +></P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>People inside Microsoft know it's a bad operating system and they still +continue obviously working on it because they want to get the next version out +because they want to have all these new features to sell more copies of the +system.</I +></SPAN +></P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>The problem with that is that over time, when you have this kind of approach, +and because nobody understands it, because nobody REALLY fixes bugs (other than +when they're really obvious), the end result is really messy. You can't trust +it because under certain circumstances it just spontaneously reboots or just +halts in the middle of something that shouldn't be strange. Normally it works +fine and then once in a blue moon for some completely unknown reason, it's dead, +and nobody knows why. Not Microsoft, not the experienced user and certainly +not the completely clueless user who probably sits there shivering thinking +"What did I do wrong?" when they didn't do anything wrong at all.</I +></SPAN +></P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>That's what's really irritating to me."</I +></SPAN +></P +><P +>-- Linus Torvalds, from an interview with BOOT Magazine, Sept 1998 +(http://hr.uoregon.edu/davidrl/boot.txt)</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN162" +>1.7. Miscellaneous</A +></H1 +><P +>This chapter was lovingly handcrafted on a Dell Latitude C400 laptop running Slackware Linux 9.0, +in case anyone asks.</P +><P +>This chapter is Copyright © 2003 David Lechnyr (david at lechnyr dot com). 
+Permission is granted to copy, distribute and/or modify this document under the terms +of the GNU Free Documentation License, Version 1.2 or any later version published by the Free +Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="introduction.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="install.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>General installation</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="introduction.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>How to Install and Test SAMBA</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/nt4migration.html b/docs/htmldocs/nt4migration.html new file mode 100644 index 0000000000..6278a64371 --- /dev/null +++ b/docs/htmldocs/nt4migration.html 
@@ -0,0 +1,356 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Migration from NT4 PDC to Samba-3 PDC</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Appendixes" +HREF="appendixes.html"><LINK +REL="PREVIOUS" +TITLE="How to compile SAMBA" +HREF="compiling.html"><LINK +REL="NEXT" +TITLE="Portability" +HREF="portability.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="compiling.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="portability.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="NT4MIGRATION" +></A +>Chapter 28. Migration from NT4 PDC to Samba-3 PDC</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>28.1. <A +HREF="nt4migration.html#AEN4375" +>Planning and Getting Started</A +></DT +><DD +><DL +><DT +>28.1.1. <A +HREF="nt4migration.html#AEN4379" +>Objectives</A +></DT +><DT +>28.1.2. <A +HREF="nt4migration.html#AEN4405" +>Steps In Migration Process</A +></DT +></DL +></DD +><DT +>28.2. <A +HREF="nt4migration.html#AEN4408" +>Managing Samba-3 Domain Control</A +></DT +></DL +></DIV +><P +>This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3 based domain control.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4375" +>28.1. 
Planning and Getting Started</A +></H1 +><P +>In the IT world there is often a saying that all problems are encountered because of +poor planning. The corrollary to this saying is that not all problems can be anticpated +and planned for. Then again, good planning will anticpate most show stopper type situations.</P +><P +>Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get under way.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4379" +>28.1.1. Objectives</A +></H2 +><P +>The key objective for most organisations will be to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be one of convincing management that the new environment +should remain in place. Many who have introduced open source technologies have experienced +pressure to return to a Microsoft based platform solution at the first sign of trouble. </P +><P +>It is strongly advised that before attempting a migration to a Samba-3 controlled network +that every possible effort be made to gain all-round commitment to the change. Firstly, you +should know precisely <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>why</I +></SPAN +> the change is important for the organisation. +Possible motivations to make a change include:</P +><P +></P +><UL +><LI +><P +>Improve network manageability</P +></LI +><LI +><P +>Obtain better user level functionality</P +></LI +><LI +><P +>Reduce network operating costs</P +></LI +><LI +><P +>Reduce exposure caused by Microsoft withdrawal of NT4 support</P +></LI +><LI +><P +>Avoid MS License 6 implications</P +></LI +><LI +><P +>Reduce organisation's dependency on Microsoft</P +></LI +></UL +><P +>It is vital that oit be well recognised that Samba-3 is NOT MS Windows NT4. 
Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and that offers some +advantages compared with it. It should also be recognised that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services).</P +><P +>What are the features the Samba-3 can NOT provide?</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Active Directory Server</TD +></TR +><TR +><TD +>Group Policy Objects (in Active Direcrtory)</TD +></TR +><TR +><TD +>Machine Policy objects</TD +></TR +><TR +><TD +>Logon Scripts in Active Directorty</TD +></TR +><TR +><TD +>Software Application and Access Controls in Active Directory</TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4405" +>28.1.2. Steps In Migration Process</A +></H2 +><P +>This is not a definitive ste-by-step process yet - just a place holder so the info +is not lost. + +1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + +2. Samba-3 set up as a DC with netlogon share, profile share, etc. + +3. Process: + a. Create a BDC account for the samba server using NT Server Manager + - Samba must NOT be running + + b. rpcclient NT4PDC -U Administrator%passwd + lsaquery + + Note the SID returned by step b. + + c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + + Note the SID in step c. + + d. net getlocalsid + + Note the SID, now check that all three SIDS reported are the same! + + e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + + f. net rpc vampire -S NT4PDC -U administrator%passwd + + g. pdbedit -l + + Note - did the users migrate? + + h. initGrps.sh DOMNAME + + i. smbgroupedit -v + + Now check that all groups are recognised + + j. net rpc campire -S NT4PDC -U administrator%passwd + + k. pdbedit -lv + + Note - check that all group membership has been migrated. 
+ + +Now it is time to migrate all the profiles, then migrate all policy files. + +Moe later.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4408" +>28.2. Managing Samba-3 Domain Control</A +></H1 +><P +>Lots of blah blah here.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="compiling.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="portability.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>How to compile SAMBA</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="appendixes.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Portability</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/ntlm_auth.1.html b/docs/htmldocs/ntlm_auth.1.html new file mode 100644 index 0000000000..95558aae38 --- /dev/null +++ b/docs/htmldocs/ntlm_auth.1.html 
@@ -0,0 +1,261 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>ntlm_auth</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="NTLM-AUTH.1" +></A +>ntlm_auth</H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>ntlm_auth -- tool to allow external access to Winbind's NTLM authentication function</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>ntlm_auth</B +> [-d debuglevel] [-l logfile] [-s <smb config file>]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN14" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>Samba</SPAN +>(7)</SPAN +> suite.</P +><P +><B +CLASS="COMMAND" +>ntlm_auth</B +> is a helper utility that authenticates + users using NT/LM authentication. It returns 0 if the users is authenticated + successfully and 1 if access was denied. ntlm_auth uses winbind to access + the user and authentication data for a domain. This utility + is only to be used by other programs (currently squid). 
+ </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>--helper-protocol=PROTO</DT +><DD +><P +> Operate as a stdio-based helper + </P +></DD +><DT +>--username=USERNAME</DT +><DD +><P +> Specify username of user to authenticate + </P +></DD +><DT +>--domain=DOMAIN</DT +><DD +><P +> Specify domain of user to authenticate + </P +></DD +><DT +>--workstation=WORKSTATION</DT +><DD +><P +> Specify the workstation the user authenticated from + </P +></DD +><DT +>--challenge=STRING</DT +><DD +><P +>challenge (HEX encoded)</P +></DD +><DT +>--lm-response=RESPONSE</DT +><DD +><P +>LM Response to the challenge (HEX encoded)</P +></DD +><DT +>--nt-response=RESPONSE</DT +><DD +><P +>NT or NTLMv2 Response to the challenge (HEX encoded)</P +></DD +><DT +>--password=PASSWORD</DT +><DD +><P +>User's plaintext password</P +></DD +><DT +>--request-lm-key</DT +><DD +><P +>Retreive LM session key</P +></DD +><DT +>--request-nt-key</DT +><DD +><P +>Request NT key</P +></DD +><DT +>-V</DT +><DD +><P +>Prints the version number for +<B +CLASS="COMMAND" +>smbd</B +>.</P +></DD +><DT +>-s <configuration file></DT +><DD +><P +>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> for more information. +The default configuration file name is determined at +compile time.</P +></DD +><DT +>-d|--debug=debuglevel</DT +><DD +><P +><VAR +CLASS="REPLACEABLE" +>debuglevel</VAR +> is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.</P +><P +>The higher this value, the more detail will be +logged to the log files about the activities of the +server. 
At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.</P +><P +>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</P +><P +>Note that specifying this parameter here will +override the <A +HREF="smb.conf.5.html#loglevel" +TARGET="_top" +>log +level</A +> parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> file.</P +></DD +><DT +>-l|--logfile=logbasename</DT +><DD +><P +>File name for log/debug files. The extension +<CODE +CLASS="CONSTANT" +>".client"</CODE +> will be appended. The log file is +never removed by the client.</P +></DD +><DT +>-h|--help</DT +><DD +><P +>Print a summary of command line options.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN96" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 3.0 of the Samba + suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN99" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The ntlm_auth manpage was written by Jelmer Vernooij.</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/policymgmt.html b/docs/htmldocs/policymgmt.html new file mode 100644 index 0000000000..65f50dc0fb --- /dev/null +++ b/docs/htmldocs/policymgmt.html 
@@ -0,0 +1,758 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>System and Account Policies</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Advanced Network Manangement" +HREF="advancednetworkmanagement.html"><LINK +REL="NEXT" +TITLE="Desktop Profile Management" +HREF="profilemgmt.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="advancednetworkmanagement.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="profilemgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="POLICYMGMT" +></A +>Chapter 17. System and Account Policies</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>17.1. <A +HREF="policymgmt.html#AEN2959" +>Creating and Managing System Policies</A +></DT +><DD +><DL +><DT +>17.1.1. <A +HREF="policymgmt.html#AEN2973" +>Windows 9x/Me Policies</A +></DT +><DT +>17.1.2. <A +HREF="policymgmt.html#AEN2985" +>Windows NT4 Style Policy Files</A +></DT +><DT +>17.1.3. <A +HREF="policymgmt.html#AEN3003" +>MS Windows 200x / XP Professional Policies</A +></DT +></DL +></DD +><DT +>17.2. <A +HREF="policymgmt.html#AEN3031" +>Managing Account/User Policies</A +></DT +><DD +><DL +><DT +>17.2.1. 
<A +HREF="policymgmt.html#AEN3046" +>With Windows NT4/200x</A +></DT +><DT +>17.2.2. <A +HREF="policymgmt.html#AEN3049" +>With a Samba PDC</A +></DT +></DL +></DD +><DT +>17.3. <A +HREF="policymgmt.html#AEN3053" +>System Startup and Logon Processing Overview</A +></DT +></DL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2959" +>17.1. Creating and Managing System Policies</A +></H1 +><P +>Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95) it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. As the client logs onto the network +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines.</P +><P +>For MS Windows 9x/Me this file must be called <TT +CLASS="FILENAME" +>Config.POL</TT +> and may +be generated using a tool called <TT +CLASS="FILENAME" +>poledit.exe</TT +>, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD, but +dissappeared again with the introduction of MS Windows Me (Millenium Edition). From +comments from MS Windows network administrators it would appear that this tool became +a part of the MS Windows Me Resource Kit.</P +><P +>MS Windows NT4 Server products include the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>System Policy Editor</I +></SPAN +> +under the <TT +CLASS="FILENAME" +>Start -> Programs -> Administrative Tools</TT +> menu item. +For MS Windows NT4 and later clients this file must be called <TT +CLASS="FILENAME" +>NTConfig.POL</TT +>.</P +><P +>New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever changing landscape of Microsoft +methods for management of network access and security. 
Every new Microsoft product +or technology seems to obsolete the old rules and to introduce newer and more +complex tools and methods. To Microsoft's credit though, the MMC does appear to +be a step forward, but improved functionality comes at a great price.</P +><P +>Before embarking on the configuration of network and system policies it is highly +advisable to read the documentation available from Microsoft's web site regarding +<A +HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" +TARGET="_top" +>Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</A +> available from Microsoft. +There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft web site for "Group Policies".</P +><P +>What follows is a very brief discussion with some helpful notes. The information provided +here is incomplete - you are warned.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2973" +>17.1.1. Windows 9x/Me Policies</A +></H2 +><P +>You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. +It can be found on the Original full product Win98 installation CD under +<TT +CLASS="FILENAME" +>tools/reskit/netadmin/poledit</TT +>. Install this using the +Add/Remove Programs facility and then click on the 'Have Disk' tab.</P +><P +>Use the Group Policy Editor to create a policy file that specifies the location of +user profiles and/or the <TT +CLASS="FILENAME" +>My Documents</TT +> etc. stuff. Then +save these settings in a file called <TT +CLASS="FILENAME" +>Config.POL</TT +> that needs to +be placed in the root of the [NETLOGON] share. 
If Win98 is configured to log onto +the Samba Domain, it will automatically read this file and update the Win9x/Me registry +of the machine as it logs on.</P +><P +>Further details are covered in the Win98 Resource Kit documentation.</P +><P +>If you do not take the right steps, then every so often Win9x/Me will check the +integrity of the registry and will restore it's settings from the back-up +copy of the registry it stores on each Win9x/Me machine. Hence, you will +occasionally notice things changing back to the original settings.</P +><P +>Install the group policy handler for Win9x to pick up group policies. Look on the +Win98 CD in <TT +CLASS="FILENAME" +>\tools\reskit\netadmin\poledit</TT +>. +Install group policies on a Win9x client by double-clicking +<TT +CLASS="FILENAME" +>grouppol.inf</TT +>. Log off and on again a couple of times and see +if Win98 picks up group policies. Unfortunately this needs to be done on every +Win9x/Me machine that uses group policies.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2985" +>17.1.2. Windows NT4 Style Policy Files</A +></H2 +><P +>To create or edit <TT +CLASS="FILENAME" +>ntconfig.pol</TT +> you must use the NT Server +Policy Editor, <B +CLASS="COMMAND" +>poledit.exe</B +> which is included with NT4 Server +but <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>not NT Workstation</I +></SPAN +>. There is a Policy Editor on a NT4 +Workstation but it is not suitable for creating <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Domain Policies</I +></SPAN +>. +Further, although the Windows 95 Policy Editor can be installed on an NT4 +Workstation/Server, it will not work with NT clients. However, the files from +the NT Server will run happily enough on an NT4 Workstation.</P +><P +>You need <TT +CLASS="FILENAME" +>poledit.exe, common.adm</TT +> and <TT +CLASS="FILENAME" +>winnt.adm</TT +>. 
+It is convenient to put the two *.adm files in the <TT +CLASS="FILENAME" +>c:\winnt\inf</TT +> +directory which is where the binary will look for them unless told otherwise. Note also that that +directory is normally 'hidden'.</P +><P +>The Windows NT policy editor is also included with the Service Pack 3 (and +later) for Windows NT 4.0. Extract the files using <B +CLASS="COMMAND" +>servicepackname /x</B +>, +i.e. that's <B +CLASS="COMMAND" +>Nt4sp6ai.exe /x</B +> for service pack 6a. The policy editor, +<B +CLASS="COMMAND" +>poledit.exe</B +> and the associated template files (*.adm) should +be extracted as well. It is also possible to downloaded the policy template +files for Office97 and get a copy of the policy editor. Another possible +location is with the Zero Administration Kit available for download from Microsoft.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3000" +>17.1.2.1. Registry Tattoos</A +></H3 +><P +> With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </P +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3003" +>17.1.3. MS Windows 200x / XP Professional Policies</A +></H2 +><P +>Windows NT4 System policies allows setting of registry parameters specific to +users, groups and computers (client workstations) that are members of the NT4 +style domain. 
Such policy file will work with MS Windows 2000 / XP clients also.</P +><P +>New to MS Windows 2000 Microsoft introduced a new style of group policy that confers +a superset of capabilities compared with NT4 style policies. Obviously, the tool used +to create them is different, and the mechanism for implementing them is much changed.</P +><P +>The older NT4 style registry based policies are known as <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Administrative Templates</I +></SPAN +> +in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security +configurations, enforce Internet Explorer browser settings, change and redirect aspects of the +users' desktop (including: the location of <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>My Documents</I +></SPAN +> files (directory), as +well as intrinsics of where menu items will appear in the Start menu). An additional new +feature is the ability to make available particular software Windows applications to particular +users and/or groups.</P +><P +>Remember: NT4 policy files are named <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> and are stored in the root +of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password +and selects the domain name to which the logon will attempt to take place. During the logon +process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating +server, modifies the local registry values according to the settings in this file.</P +><P +>Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of +a Windows 200x policy file is stored in the Active Directory itself and the other part is stored +in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active +Directory domain controllers. 
The part that is stored in the Active Directory itself is called the +group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is +known as the group policy template (GPT).</P +><P +>With NT4 clients the policy file is read and executed upon only aas each user log onto the network. +MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine +startup (machine specific part) and when the user logs onto the network the user specific part +is applied. In MS Windows 200x style policy management each machine and/or user may be subject +to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows +the administrator to also set filters over the policy settings. No such equivalent capability +exists with NT4 style policy files.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3014" +>17.1.3.1. Administration of Win2K / XP Policies</A +></H3 +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><P +>Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the +executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console +(MMC) snap-in as follows:</P +><OL +TYPE="1" +><LI +><P +>Go to the Windows 200x / XP menu <TT +CLASS="FILENAME" +>Start->Programs->Administrative Tools</TT +> + and select the MMC snap-in called "Active Directory Users and Computers"</P +></LI +><LI +><P +>Select the domain or organizational unit (OU) that you wish to manage, then right click +to open the context menu for that object, select the properties item.</P +></LI +><LI +><P +>Now left click on the Group Policy tab, then left click on the New tab. 
Type a name +for the new policy you will create.</P +></LI +><LI +><P +>Now left click on the Edit tab to commence the steps needed to create the GPO.</P +></LI +></OL +></DIV +><P +>All policy configuration options are controlled through the use of policy administrative +templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. +Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. +The later introduces many new features as well as extended definition capabilities. It is +well beyond the scope of this documentation to explain how to program .adm files, for that +the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular +version of MS Windows.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used +to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you +use this powerful tool. Please refer to the resource kit manuals for specific usage information.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3031" +>17.2. Managing Account/User Policies</A +></H1 +><P +>Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary.</P +><P +>If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. 
As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation.</P +><P +>When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry.</P +><P +>MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +> effect. +This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.</P +><P +>Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes:</P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Logon Hours</TD +></TR +><TR +><TD +>Password Aging</TD +></TR +><TR +><TD +>Permitted Logon from certain machines only</TD +></TR +><TR +><TD +>Account type (Local or Global)</TD +></TR +><TR +><TD +>User Rights</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3046" +>17.2.1. 
With Windows NT4/200x</A +></H2 +><P +>The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3049" +>17.2.2. With a Samba PDC</A +></H2 +><P +>With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +<TT +CLASS="FILENAME" +>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</TT +>. The administrator should read the +man pages for these tools and become familiar with their use.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3053" +>17.3. System Startup and Logon Processing Overview</A +></H1 +><P +>The following attempts to document the order of processing of system and user policies following a system +reboot and as part of the user logon:</P +><P +></P +><OL +TYPE="1" +><LI +><P +> Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming + Convention Provider (MUP) start + </P +></LI +><LI +><P +> Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded + and applied. The list may include GPOs that: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Apply to the location of machines in a Directory</TD +></TR +><TR +><TD +>Apply only when settings have changed</TD +></TR +><TR +><TD +>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</TD +></TR +></TBODY +></TABLE +><P +></P +> + No desktop user interface is presented until the above have been processed. 
+ </P +></LI +><LI +><P +> Execution of start-up scripts (hidden and synchronous by defaut). + </P +></LI +><LI +><P +> A keyboard action to affect start of logon (Ctrl-Alt-Del). + </P +></LI +><LI +><P +> User credentials are validated, User profile is loaded (depends on policy settings). + </P +></LI +><LI +><P +> An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of: + +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Is user a domain member, thus subject to particular policies</TD +></TR +><TR +><TD +>Loopback enablement, and the state of the loopback policy (Merge or Replace)</TD +></TR +><TR +><TD +>Location of the Active Directory itself</TD +></TR +><TR +><TD +>Has the list of GPOs changed. No processing is needed if not changed.</TD +></TR +></TBODY +></TABLE +><P +></P +> + </P +></LI +><LI +><P +> User Policies are applied from Active Directory. Note: There are several types. + </P +></LI +><LI +><P +> Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group + Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal + window. + </P +></LI +><LI +><P +> The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 + Domain) machine (system) policies are applied at start-up, User policies are applied at logon. 
+ </P +></LI +></OL +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="advancednetworkmanagement.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="profilemgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Advanced Network Manangement</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Desktop Profile Management</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/problems.html b/docs/htmldocs/problems.html new file mode 100644 index 0000000000..7c0e1acab5 --- /dev/null +++ b/docs/htmldocs/problems.html 
@@ -0,0 +1,560 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Analysing and solving samba problems</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Appendixes" +HREF="appendixes.html"><LINK +REL="PREVIOUS" +TITLE="The samba checklist" +HREF="diagnosis.html"><LINK +REL="NEXT" +TITLE="Reporting Bugs" +HREF="bugreport.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="diagnosis.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="bugreport.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="PROBLEMS" +></A +>Chapter 34. Analysing and solving samba problems</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>34.1. <A +HREF="problems.html#AEN4983" +>Diagnostics tools</A +></DT +><DT +>34.2. <A +HREF="problems.html#AEN4998" +>Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</A +></DT +><DT +>34.3. <A +HREF="problems.html#AEN5027" +>Useful URL's</A +></DT +><DT +>34.4. <A +HREF="problems.html#AEN5051" +>Getting help from the mailing lists</A +></DT +><DT +>34.5. <A +HREF="problems.html#AEN5081" +>How to get off the mailinglists</A +></DT +></DL +></DIV +><P +>There are many sources of information available in the form +of mailing lists, RFC's and documentation. 
The docs that come +with the samba distribution contain very good explanations of +general SMB topics such as browsing.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4983" +>34.1. Diagnostics tools</A +></H1 +><P +>One of the best diagnostic tools for debugging problems is Samba itself. +You can use the -d option for both smbd and nmbd to specify what +'debug level' at which to run. See the man pages on smbd, nmbd and +smb.conf for more information on debugging options. The debug +level can range from 1 (the default) to 10 (100 for debugging passwords).</P +><P +>Another helpful method of debugging is to compile samba using the +<B +CLASS="COMMAND" +>gcc -g </B +> flag. This will include debug +information in the binaries and allow you to attach gdb to the +running smbd / nmbd process. In order to attach gdb to an smbd +process for an NT workstation, first get the workstation to make the +connection. Pressing ctrl-alt-delete and going down to the domain box +is sufficient (at least, on the first time you join the domain) to +generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation +maintains an open connection, and therefore there will be an smbd +process running (assuming that you haven't set a really short smbd +idle timeout) So, in between pressing ctrl alt delete, and actually +typing in your password, you can gdb attach and continue.</P +><P +>Some useful samba commands worth investigating:</P +><P +></P +><UL +><LI +><P +>testparam | more</P +></LI +><LI +><P +>smbclient -L //{netbios name of server}</P +></LI +></UL +><P +>An SMB enabled version of tcpdump is available from +<A +HREF="http://www.tcpdump.org/" +TARGET="_top" +>http://www.tcpdup.org/</A +>. +Ethereal, another good packet sniffer for Unix and Win32 +hosts, can be downloaded from <A +HREF="http://www.ethereal.com/" +TARGET="_top" +>http://www.ethereal.com</A +>.</P +><P +>For tracing things on the Microsoft Windows NT, Network Monitor +(aka. 
netmon) is available on the Microsoft Developer Network CD's, +the Windows NT Server install CD and the SMS CD's. The version of +netmon that ships with SMS allows for dumping packets between any two +computers (i.e. placing the network interface in promiscuous mode). +The version on the NT Server install CD will only allow monitoring +of network traffic directed to the local NT box and broadcasts on the +local subnet. Be aware that Ethereal can read and write netmon +formatted files.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4998" +>34.2. Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</A +></H1 +><P +>Installing netmon on an NT workstation requires a couple +of steps. The following are for installing Netmon V4.00.349, which comes +with Microsoft Windows NT Server 4.0, on Microsoft Windows NT +Workstation 4.0. The process should be similar for other version of +Windows NT / Netmon. You will need both the Microsoft Windows +NT Server 4.0 Install CD and the Workstation 4.0 Install CD.</P +><P +>Initially you will need to install 'Network Monitor Tools and Agent' +on the NT Server. To do this </P +><P +></P +><UL +><LI +><P +>Goto Start - Settings - Control Panel - + Network - Services - Add </P +></LI +><LI +><P +>Select the 'Network Monitor Tools and Agent' and + click on 'OK'.</P +></LI +><LI +><P +>Click 'OK' on the Network Control Panel. + </P +></LI +><LI +><P +>Insert the Windows NT Server 4.0 install CD + when prompted.</P +></LI +></UL +><P +>At this point the Netmon files should exist in +<TT +CLASS="FILENAME" +>%SYSTEMROOT%\System32\netmon\*.*</TT +>. 
+Two subdirectories exist as well, <TT +CLASS="FILENAME" +>parsers\</TT +> +which contains the necessary DLL's for parsing the netmon packet +dump, and <TT +CLASS="FILENAME" +>captures\</TT +>.</P +><P +>In order to install the Netmon tools on an NT Workstation, you will +first need to install the 'Network Monitor Agent' from the Workstation +install CD.</P +><P +></P +><UL +><LI +><P +>Goto Start - Settings - Control Panel - + Network - Services - Add</P +></LI +><LI +><P +>Select the 'Network Monitor Agent' and click + on 'OK'.</P +></LI +><LI +><P +>Click 'OK' on the Network Control Panel. + </P +></LI +><LI +><P +>Insert the Windows NT Workstation 4.0 install + CD when prompted.</P +></LI +></UL +><P +>Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* +to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set +permissions as you deem appropriate for your site. You will need +administrative rights on the NT box to run netmon.</P +><P +>To install Netmon on a Windows 9x box install the network monitor agent +from the Windows 9x CD (\admin\nettools\netmon). There is a readme +file located with the netmon driver files on the CD if you need +information on how to do this. Copy the files from a working +Netmon installation.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN5027" +>34.3. Useful URL's</A +></H1 +><P +></P +><UL +><LI +><P +>Home of Samba site <A +HREF="http://samba.org" +TARGET="_top" +> http://samba.org</A +>. We have a mirror near you !</P +></LI +><LI +><P +> The <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Development</I +></SPAN +> document +on the Samba mirrors might mention your problem. If so, +it might mean that the developers are working on it.</P +></LI +><LI +><P +>See how Scott Merrill simulates a BDC behavior at + <A +HREF="http://www.skippy.net/linux/smb-howto.html" +TARGET="_top" +> http://www.skippy.net/linux/smb-howto.html</A +>. 
</P +></LI +><LI +><P +>Although 2.0.7 has almost had its day as a PDC, David Bannon will + keep the 2.0.7 PDC pages at <A +HREF="http://bioserve.latrobe.edu.au/samba" +TARGET="_top" +> http://bioserve.latrobe.edu.au/samba</A +> going for a while yet.</P +></LI +><LI +><P +>Misc links to CIFS information + <A +HREF="http://samba.org/cifs/" +TARGET="_top" +>http://samba.org/cifs/</A +></P +></LI +><LI +><P +>NT Domains for Unix <A +HREF="http://mailhost.cb1.com/~lkcl/ntdom/" +TARGET="_top" +> http://mailhost.cb1.com/~lkcl/ntdom/</A +></P +></LI +><LI +><P +>FTP site for older SMB specs: + <A +HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/" +TARGET="_top" +> ftp://ftp.microsoft.com/developr/drg/CIFS/</A +></P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN5051" +>34.4. Getting help from the mailing lists</A +></H1 +><P +>There are a number of Samba related mailing lists. Go to <A +HREF="http://samba.org" +TARGET="_top" +>http://samba.org</A +>, click on your nearest mirror +and then click on <B +CLASS="COMMAND" +>Support</B +> and then click on <B +CLASS="COMMAND" +>Samba related mailing lists</B +>.</P +><P +>For questions relating to Samba TNG go to +<A +HREF="http://www.samba-tng.org/" +TARGET="_top" +>http://www.samba-tng.org/</A +> +It has been requested that you don't post questions about Samba-TNG to the +main stream Samba lists.</P +><P +>If you post a message to one of the lists please observe the following guide lines :</P +><P +></P +><UL +><LI +><P +> Always remember that the developers are volunteers, they are +not paid and they never guarantee to produce a particular feature at +a particular time. Any time lines are 'best guess' and nothing more.</P +></LI +><LI +><P +> Always mention what version of samba you are using and what +operating system its running under. 
You should probably list the +relevant sections of your <TT +CLASS="FILENAME" +>smb.conf</TT +> file, at least the options +in [global] that affect PDC support.</P +></LI +><LI +><P +>In addition to the version, if you obtained Samba via +CVS mention the date when you last checked it out.</P +></LI +><LI +><P +> Try and make your question clear and brief, lots of long, +convoluted questions get deleted before they are completely read ! +Don't post html encoded messages (if you can select colour or font +size its html).</P +></LI +><LI +><P +> If you run one of those nifty 'I'm on holidays' things when +you are away, make sure its configured to not answer mailing lists.</P +></LI +><LI +><P +> Don't cross post. Work out which is the best list to post to +and see what happens, i.e. don't post to both samba-ntdom and samba-technical. +Many people active on the lists subscribe to more +than one list and get annoyed to see the same message two or more times. +Often someone will see a message and thinking it would be better dealt +with on another, will forward it on for you.</P +></LI +><LI +><P +>You might include <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>partial</I +></SPAN +> +log files written at a debug level set to as much as 20. +Please don't send the entire log but enough to give the context of the +error messages.</P +></LI +><LI +><P +>(Possibly) If you have a complete netmon trace ( from the opening of +the pipe to the error ) you can send the *.CAP file as well.</P +></LI +><LI +><P +>Please think carefully before attaching a document to an email. +Consider pasting the relevant parts into the body of the message. The samba +mailing lists go to a huge number of people, do they all need a copy of your +smb.conf in their attach directory?</P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN5081" +>34.5. 
How to get off the mailinglists</A +></H1 +><P +>To have your name removed from a samba mailing list, go to the +same place you went to to get on it. Go to <A +HREF="http://lists.samba.org/" +TARGET="_top" +>http://lists.samba.org</A +>, +click on your nearest mirror and then click on <B +CLASS="COMMAND" +>Support</B +> and +then click on <B +CLASS="COMMAND" +> Samba related mailing lists</B +>. Or perhaps see +<A +HREF="http://lists.samba.org/mailman/roster/samba-ntdom" +TARGET="_top" +>here</A +></P +><P +>Please don't post messages to the list asking to be removed, you will just +be referred to the above address (unless that process failed in some way...)</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="diagnosis.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="bugreport.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>The samba checklist</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="appendixes.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Reporting Bugs</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/profilemgmt.html b/docs/htmldocs/profilemgmt.html new file mode 100644 index 0000000000..8a101049e0 --- /dev/null +++ b/docs/htmldocs/profilemgmt.html 
@@ -0,0 +1,1753 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Desktop Profile Management</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="System and Account Policies" +HREF="policymgmt.html"><LINK +REL="NEXT" +TITLE="Interdomain Trust Relationships" +HREF="interdomaintrusts.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="policymgmt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="interdomaintrusts.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="PROFILEMGMT" +></A +>Chapter 18. Desktop Profile Management</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>18.1. <A +HREF="profilemgmt.html#AEN3096" +>Roaming Profiles</A +></DT +><DD +><DL +><DT +>18.1.1. <A +HREF="profilemgmt.html#AEN3103" +>Samba Configuration for Profile Handling</A +></DT +><DD +><DL +><DT +>18.1.1.1. <A +HREF="profilemgmt.html#AEN3106" +>NT4/200x User Profiles</A +></DT +><DT +>18.1.1.2. <A +HREF="profilemgmt.html#AEN3116" +>Windows 9x / Me User Profiles</A +></DT +><DT +>18.1.1.3. <A +HREF="profilemgmt.html#AEN3131" +>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</A +></DT +></DL +></DD +><DT +>18.1.2. 
<A +HREF="profilemgmt.html#AEN3138" +>Windows Client Profile Configuration Information</A +></DT +><DD +><DL +><DT +>18.1.2.1. <A +HREF="profilemgmt.html#AEN3140" +>Windows 9x / Me Profile Setup</A +></DT +><DT +>18.1.2.2. <A +HREF="profilemgmt.html#AEN3176" +>Windows NT4 Workstation</A +></DT +><DT +>18.1.2.3. <A +HREF="profilemgmt.html#AEN3185" +>Windows 2000/XP Professional</A +></DT +></DL +></DD +><DT +>18.1.3. <A +HREF="profilemgmt.html#AEN3258" +>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +></DT +><DT +>18.1.4. <A +HREF="profilemgmt.html#AEN3265" +>Profile Migration from Windows NT4/200x Server to Samba</A +></DT +><DD +><DL +><DT +>18.1.4.1. <A +HREF="profilemgmt.html#AEN3268" +>Windows NT4 Profile Management Tools</A +></DT +><DT +>18.1.4.2. <A +HREF="profilemgmt.html#AEN3291" +>Side bar Notes</A +></DT +><DT +>18.1.4.3. <A +HREF="profilemgmt.html#AEN3295" +>moveuser.exe</A +></DT +><DT +>18.1.4.4. <A +HREF="profilemgmt.html#AEN3298" +>Get SID</A +></DT +></DL +></DD +></DL +></DD +><DT +>18.2. <A +HREF="profilemgmt.html#AEN3303" +>Mandatory profiles</A +></DT +><DT +>18.3. <A +HREF="profilemgmt.html#AEN3310" +>Creating/Managing Group Profiles</A +></DT +><DT +>18.4. <A +HREF="profilemgmt.html#AEN3316" +>Default Profile for Windows Users</A +></DT +><DD +><DL +><DT +>18.4.1. <A +HREF="profilemgmt.html#AEN3319" +>MS Windows 9x/Me</A +></DT +><DT +>18.4.2. <A +HREF="profilemgmt.html#AEN3331" +>MS Windows NT4 Workstation</A +></DT +><DT +>18.4.3. <A +HREF="profilemgmt.html#AEN3385" +>MS Windows 200x/XP</A +></DT +></DL +></DD +></DL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3096" +>18.1. 
Roaming Profiles</A +></H1 +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Roaming profiles support is different for Win9x / Me and Windows NT4/200x.</P +></TD +></TR +></TABLE +></DIV +><P +>Before discussing how to configure roaming profiles, it is useful to see how +Windows 9x / Me and Windows NT4/200x clients implement these features.</P +><P +>Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory.</P +><P +>Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3103" +>18.1.1. Samba Configuration for Profile Handling</A +></H2 +><P +>This section documents how to configure Samba for MS Windows client profile support.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3106" +>18.1.1.1. NT4/200x User Profiles</A +></H3 +><P +>To support Windowns NT4/200x clients, in the [global] section of smb.conf set the +following (for example):</P +><P +><PRE +CLASS="PROGRAMLISTING" +> logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE +> + + This is typically implemented like: + +<PRE +CLASS="PROGRAMLISTING" +> logon path = \\%L\Profiles\%u</PRE +> +where %L translates to the name of the Samba server and %u translates to the user name</P +><P +>The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. 
+The \\N%\%U service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for smb.conf in respect of the different +symantics of %L and %N, as well as %U and %u.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>MS Windows NT/2K clients at times do not disconnect a connection to a server +between logons. It is recommended to NOT use the <B +CLASS="COMMAND" +>homes</B +> +meta-service name as part of the profile share path.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3116" +>18.1.1.2. Windows 9x / Me User Profiles</A +></H3 +><P +>To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has +now been fixed so that <KBD +CLASS="USERINPUT" +>net use /home</KBD +> now works as well, and it, too, relies +on the <B +CLASS="COMMAND" +>logon home</B +> parameter.</P +><P +>By using the logon home parameter, you are restricted to putting Win9x / Me +profiles in the user's home directory. But wait! There is a trick you +can use. If you set the following in the <B +CLASS="COMMAND" +>[global]</B +> section of your <TT +CLASS="FILENAME" +>smb.conf</TT +> file:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> logon home = \\%L\%U\.profiles</PRE +></P +><P +>then your Windows 9x / Me clients will dutifully put their clients in a subdirectory +of your home directory called <TT +CLASS="FILENAME" +>.profiles</TT +> (thus making them hidden).</P +><P +>Not only that, but <KBD +CLASS="USERINPUT" +>net use/home</KBD +> will also work, because of a feature in +Windows 9x / Me. 
It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified \\%L\%U for <B +CLASS="COMMAND" +>logon home</B +>.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3131" +>18.1.1.3. Mixed Windows 9x / Me and Windows NT4/200x User Profiles</A +></H3 +><P +>You can support profiles for both Win9X and WinNT clients by setting both the +<B +CLASS="COMMAND" +>logon home</B +> and <B +CLASS="COMMAND" +>logon path</B +> parameters. For example:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> logon home = \\%L\%u\.profiles + logon path = \\%L\profiles\%u</PRE +></P +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3138" +>18.1.2. Windows Client Profile Configuration Information</A +></H2 +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3140" +>18.1.2.1. Windows 9x / Me Profile Setup</A +></H3 +><P +>When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders "Start Menu", "Desktop", "Programs" and "Nethood". +These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. You will need to use the [global] +options "preserve case = yes", "short preserve case = yes" and +"case sensitive = no" in order to maintain capital letters in shortcuts +in any of the profile folders.</P +><P +>The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file.</P +><P +></P +><OL +TYPE="1" +><LI +><P +> On the Windows 9x / Me machine, go to Control Panel -> Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer + to reboot. 
+ </P +></LI +><LI +><P +> On the Windows 9x / Me machine, go to Control Panel -> Network -> + Client for Microsoft Networks -> Preferences. Select 'Log on to + NT Domain'. Then, ensure that the Primary Logon is 'Client for + Microsoft Networks'. Press OK, and this time allow the computer + to reboot. + </P +></LI +></OL +><P +>Under Windows 9x / Me Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, it would seem!</P +><P +>You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password.</P +><P +>Once the user has been successfully validated, the Windows 9x / Me machine +will inform you that 'The user has not logged on before' and asks you +if you wish to save the user's preferences? Select 'yes'.</P +><P +>Once the Windows 9x / Me client comes up with the desktop, you should be able +to examine the contents of the directory specified in the "logon path" +on the samba server and verify that the "Desktop", "Start Menu", +"Programs" and "Nethood" folders have been created.</P +><P +>These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then). 
+You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set.</P +><P +>If you have made the folders / files read-only on the samba server, +then you will get errors from the Windows 9x / Me machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the Windows 9x / Me machine, check the Unix file +permissions and ownership rights on the profile directory contents, +on the samba server.</P +><P +>If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time".</P +><P +></P +><OL +TYPE="1" +><LI +><P +> instead of logging in under the [user, password, domain] dialog, + press escape. + </P +></LI +><LI +><P +> run the regedit.exe program, and look in: + </P +><P +> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList + </P +><P +> you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be c:\windows\profiles\username), + then delete the key ProfilePath for the required user. + + [Exit the registry editor]. + + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>WARNING</I +></SPAN +> - before deleting the contents of the + directory listed in the ProfilePath (this is likely to be + <TT +CLASS="FILENAME" +>c:\windows\profiles\username)</TT +>, ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). 
+ </P +><P +> This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. + </P +></LI +><LI +><P +> search for the user's .PWL password-caching file in the c:\windows + directory, and delete it. + </P +></LI +><LI +><P +> log off the windows 9x / Me client. + </P +></LI +><LI +><P +> check the contents of the profile path (see "logon path" described + above), and delete the user.DAT or user.MAN file for the user, + making a backup if required. + </P +></LI +></OL +><P +>If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as ethereal or netmon.exe, and +look for error messages.</P +><P +>If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the +differences are with the equivalent samba trace.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3176" +>18.1.2.2. Windows NT4 Workstation</A +></H3 +><P +>When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the "logon path" parameter.</P +><P +>There is a parameter that is now available for use with NT Profiles: +"logon drive". This should be set to <TT +CLASS="FILENAME" +>H:</TT +> or any other drive, and +should be used in conjunction with the new "logon home" parameter.</P +><P +>The entry for the NT4 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. 
The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension +for those situations where it might be created.)</P +><P +>In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates "Application Data" and others, as well as "Desktop", "Nethood", +"Start Menu" and "Programs". The profile itself is stored in a file +NTuser.DAT. Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown.</P +><P +>You can use the System Control Panel to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +turns a profile into a mandatory one.</P +><P +>The case of the profile is significant. The file must be called +NTuser.DAT or, for a mandatory profile, NTuser.MAN.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3185" +>18.1.2.3. Windows 2000/XP Professional</A +></H3 +><P +>You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows:</P +><P +></P +><UL +><LI +><P +> Log on as the LOCAL workstation administrator. + </P +></LI +><LI +><P +> Right click on the 'My Computer' Icon, select 'Properties' + </P +></LI +><LI +><P +> Click on the 'User Profiles' tab + </P +></LI +><LI +><P +> Select the profile you wish to convert (click on it once) + </P +></LI +><LI +><P +> Click on the button 'Copy To' + </P +></LI +><LI +><P +> In the "Permitted to use" box, click on the 'Change' button. + </P +></LI +><LI +><P +> Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. 
+ </P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="90%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>You will need to log on if a logon box opens up. Eg: In the connect + as: MIDEARTH\root, password: mypassword.</P +></TD +></TR +></TABLE +></DIV +></LI +><LI +><P +> To make the profile capable of being used by anyone select 'Everyone' + </P +></LI +><LI +><P +> Click OK. The Selection box will close. + </P +></LI +><LI +><P +> Now click on the 'Ok' button to create the profile in the path you + nominated. + </P +></LI +></UL +><P +>Done. You now have a profile that can be editted using the samba-3.0.0 +<TT +CLASS="FILENAME" +>profiles</TT +> tool.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Under NT/2K the use of mandotory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +></P +><UL +><LI +><P +>This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:</P +><P +>"Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders"</P +><P +>...and it should be set to "Enabled". 
+Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this.</P +><P +>If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy):</P +></LI +><LI +><P +>On the XP workstation log in with an Administrator account.</P +></LI +><LI +><P +>Click: "Start", "Run"</P +></LI +><LI +><P +>Type: "mmc"</P +></LI +><LI +><P +>Click: "OK"</P +></LI +><LI +><P +>A Microsoft Management Console should appear.</P +></LI +><LI +><P +>Click: File, "Add/Remove Snap-in...", "Add"</P +></LI +><LI +><P +>Double-Click: "Group Policy"</P +></LI +><LI +><P +>Click: "Finish", "Close"</P +></LI +><LI +><P +>Click: "OK"</P +></LI +><LI +><P +>In the "Console Root" window:</P +></LI +><LI +><P +>Expand: "Local Computer Policy", "Computer Configuration",</P +></LI +><LI +><P +>"Administrative Templates", "System", "User Profiles"</P +></LI +><LI +><P +>Double-Click: "Do not check for user ownership of Roaming Profile</P +></LI +><LI +><P +>Folders"</P +></LI +><LI +><P +>Select: "Enabled"</P +></LI +><LI +><P +>Click: OK"</P +></LI +><LI +><P +>Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed).</P +></LI +><LI +><P +>Reboot</P +></LI +></UL +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3258" +>18.1.3. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +></H2 +><P +>Sharing of desktop profiles between Windows versions is NOT recommended. +Desktop profiles are an evolving phenomenon and profiles for later versions +of MS Windows clients add features that may interfere with earlier versions +of MS Windows clients. 
Probably the more salient reason to NOT mix profiles +is that when logging off an earlier version of MS Windows the older format +of profile contents may overwrite information that belongs to the newer +version resulting in loss of profile information content when that user logs +on again with the newer version of MS Windows.</P +><P +>If you then want to share the same Start Menu / Desktop with W9x/Me, you will +need to specify a common location for the profiles. The smb.conf parameters +that need to be common are <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>logon path</I +></SPAN +> and +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>logon home</I +></SPAN +>.</P +><P +>If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3265" +>18.1.4. Profile Migration from Windows NT4/200x Server to Samba</A +></H2 +><P +>There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3268" +>18.1.4.1. Windows NT4 Profile Management Tools</A +></H3 +><P +>Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. 
The correct resource kit is required for each platform.</P +><P +>Here is a quick guide:</P +><P +></P +><UL +><LI +><P +>On your NT4 Domain Controller, right click on 'My Computer', then +select the tab labelled 'User Profiles'.</P +></LI +><LI +><P +>Select a user profile you want to migrate and click on it.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="90%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>I am using the term "migrate" lossely. You can copy a profile to +create a group profile. You can give the user 'Everyone' rights to the +profile you copy this to. That is what you need to do, since your samba +domain is not a member of a trust relationship with your NT4 PDC.</P +></TD +></TR +></TABLE +></DIV +></LI +><LI +><P +>Click the 'Copy To' button.</P +></LI +><LI +><P +>In the box labelled 'Copy Profile to' add your new path, eg: + <TT +CLASS="FILENAME" +>c:\temp\foobar</TT +></P +></LI +><LI +><P +>Click on the button labelled 'Change' in the "Permitted to use" box.</P +></LI +><LI +><P +>Click on the group 'Everyone' and then click OK. This closes the + 'chose user' box.</P +></LI +><LI +><P +>Now click OK.</P +></LI +></UL +><P +>Follow the above for every profile you need to migrate.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3291" +>18.1.4.2. Side bar Notes</A +></H3 +><P +>You should obtain the SID of your NT4 domain. You can use smbpasswd to do +this. Read the man page.</P +><P +>With Samba-3.0.0 alpha code you can import all you NT4 domain accounts +using the net samsync method. This way you can retain your profile +settings as well as all your users.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3295" +>18.1.4.3. moveuser.exe</A +></H3 +><P +>The W2K professional resource kit has moveuser.exe. 
moveuser.exe changes +the security of a profile from one user to another. This allows the account +domain to change, and/or the user name to change.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3298" +>18.1.4.4. Get SID</A +></H3 +><P +>You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 +Resource Kit.</P +><P +>Windows NT 4.0 stores the local profile information in the registry under +the following key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</P +><P +>Under the ProfileList key, there will be subkeys named with the SIDs of the +users who have logged on to this computer. (To find the profile information +for the user whose locally cached profile you want to move, find the SID for +the user with the GetSID.exe utility.) Inside of the appropriate user's +subkey, you will see a string value named ProfileImagePath.</P +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3303" +>18.2. Mandatory profiles</A +></H1 +><P +>A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable.</P +></TD +></TR +></TABLE +></DIV +><P +>For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. 
To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN.</P +><P +>For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +affect a mandatory profile.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3310" +>18.3. Creating/Managing Group Profiles</A +></H1 +><P +>Most organisations are arranged into departments. There is a nice benenfit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile.</P +><P +>The next step is rather important. PLEASE NOTE: Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + </P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3316" +>18.4. Default Profile for Windows Users</A +></H1 +><P +>MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. 
Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3319" +>18.4.1. MS Windows 9x/Me</A +></H2 +><P +>To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly.</P +><P +>To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. Do not forget to save the registry changes.</P +><P +>To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +<TT +CLASS="FILENAME" +>HKEY_LOCAL_MACHINE\Network\Logon</TT +>. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3325" +>18.4.1.1. How User Profiles Are Handled in Windows 9x / Me?</A +></H3 +><P +>When a user logs on to a Windows 9x / Me machine, the local profile path, +<TT +CLASS="FILENAME" +>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</TT +>, is checked +for an existing entry for that user:</P +><P +>If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. 
If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used.</P +><P +>If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server.</P +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3331" +>18.4.2. MS Windows NT4 Workstation</A +></H2 +><P +>On MS Windows NT4 the default user profile is obtained from the location +<TT +CLASS="FILENAME" +>%SystemRoot%\Profiles</TT +> which in a default installation will translate to +<TT +CLASS="FILENAME" +>C:\WinNT\Profiles</TT +>. Under this directory on a clean install there will be +three (3) directories: <TT +CLASS="FILENAME" +>Administrator, All Users, Default User</TT +>.</P +><P +>The <TT +CLASS="FILENAME" +>All Users</TT +> directory contains menu settings that are common across all +system users. 
The <TT +CLASS="FILENAME" +>Default User</TT +> directory contains menu entries that are +customisable per user depending on the profile settings chosen/created.</P +><P +>When a new user first logs onto an MS Windows NT4 machine a new profile is created from:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>All Users settings</TD +></TR +><TR +><TD +>Default User settings (contains the default NTUser.DAT file)</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling:</P +><P +></P +><OL +TYPE="1" +><LI +><P +> The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +>. This profile then inherits the + settings in the <TT +CLASS="FILENAME" +>All Users</TT +> profile in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles</TT +> + location. + </P +></LI +><LI +><P +> If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +> + directory from reading the <TT +CLASS="FILENAME" +>Default User</TT +> profile. + </P +></LI +><LI +><P +> If the NETLOGON share on the authenticating server (logon server) contains a policy file + (<TT +CLASS="FILENAME" +>NTConfig.POL</TT +>) then it's contents are applied to the <TT +CLASS="FILENAME" +>NTUser.DAT</TT +> + which is applied to the <TT +CLASS="FILENAME" +>HKEY_CURRENT_USER</TT +> part of the registry. 
+ </P +></LI +><LI +><P +> When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The <TT +CLASS="FILENAME" +>NTuser.DAT</TT +> file is then + re-created from the contents of the <TT +CLASS="FILENAME" +>HKEY_CURRENT_USER</TT +> contents. + Thus, should there not exist in the NETLOGON share an <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> at the + next logon, the effect of the provious <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> will still be held + in the profile. The effect of this is known as <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +>. + </P +></LI +></OL +><P +>MS Windows NT4 profiles may be <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Local</I +></SPAN +> or <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Roaming</I +></SPAN +>. A Local profile +will stored in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +> location. A roaming profile will +also remain stored in the same way, unless the following registry key is created:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001</PRE +> + +In which case, the local copy (in <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +>) will be +deleted on logout.</P +><P +>Under MS Windows NT4 default locations for common resources (like <TT +CLASS="FILENAME" +>My Documents</TT +> +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. 
Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.</P +><P +>The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\</PRE +></P +><P +>The above hive key contains a list of automatically managed folders. The default entries are:</P +><P +> <PRE +CLASS="PROGRAMLISTING" +> Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + NetHood %USERPROFILE%\NetHood + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + </PRE +> + </P +><P +>The registry key that contains the location of the default profile settings is: + +<PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE + \SOFTWARE + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders</PRE +> + +The default entries are: + +<PRE +CLASS="PROGRAMLISTING" +> Common Desktop %SystemRoot%\Profiles\All Users\Desktop + Common Programs %SystemRoot%\Profiles\All Users\Programs + Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu + Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</PRE +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3385" +>18.4.3. 
MS Windows 200x/XP</A +></H2 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + </P +></TD +></TR +></TABLE +></DIV +><P +>When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +<TT +CLASS="FILENAME" +>C:\Documents and Settings\Default User</TT +>. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. </P +><P +>When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. 
ie: In MS Windows parlance: +<TT +CLASS="FILENAME" +>%LOGONSERVER%\NETLOGON\Default User</TT +> and if one exits there it will copy this +to the workstation to the <TT +CLASS="FILENAME" +>C:\Documents and Settings\</TT +> under the Windows +login name of the user.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + should be created at the root of this share and msut be called <TT +CLASS="FILENAME" +>Default Profile</TT +>. + </P +></TD +></TR +></TABLE +></DIV +><P +>If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile.</P +><P +>On loging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path <TT +CLASS="FILENAME" +>C:\Documents and Settings\%USERNAME%</TT +>.</P +><P +>Those wishing to modify the default behaviour can do so through up to three methods:</P +><P +></P +><UL +><LI +><P +> Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + </P +></LI +><LI +><P +> Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + </P +></LI +><LI +><P +> Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. 
+ </P +></LI +></UL +><P +>The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\</PRE +></P +><P +>The above hive key contains a list of automatically managed folders. The default entries are:</P +><P +> <PRE +CLASS="PROGRAMLISTING" +> Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Cache %USERPROFILE%\Local Settings\Temporary Internet Files + Cookies %USERPROFILE%\Cookies + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + History %USERPROFILE%\Local Settings\History + Local AppData %USERPROFILE%\Local Settings\Application Data + Local Settings %USERPROFILE%\Local Settings + My Pictures %USERPROFILE%\My Documents\My Pictures + NetHood %USERPROFILE%\NetHood + Personal %USERPROFILE%\My Documents + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + Templates %USERPROFILE%\Templates + </PRE +> + </P +><P +>There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ.</P +><P +>It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. 
This means that it will NOT be necessary to +write Outlook PST file over the network for every login and logout.</P +><P +>To set this to a network location you could use the following examples: + +<PRE +CLASS="PROGRAMLISTING" +> %LOGONSERVER%\%USERNAME%\Default Folders</PRE +> + +This would store the folders in the user's home directory under a directory called "Default Folders" + +You could also use: + +<PRE +CLASS="PROGRAMLISTING" +> \\SambaServer\FolderShare\%USERNAME%</PRE +> + +in which case the default folders will be stored in the server named <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SambaServer</I +></SPAN +> +in the share called <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>FolderShare</I +></SPAN +> under a directory that has the name of the MS Windows +user as seen by the Linux/Unix file system.</P +><P +>Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it.</P +><P +>MS Windows 200x/XP profiles may be <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Local</I +></SPAN +> or <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Roaming</I +></SPAN +>. 
+A roaming profile will be cached locally unless the following registry key is created:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001</PRE +> + +In which case, the local cache copy will be deleted on logout.</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="policymgmt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="interdomaintrusts.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>System and Account Policies</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Interdomain Trust Relationships</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
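Review bot: The DeleteRoamingCache listings in 18.4.2 and 18.4.3 both give the key as `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\`, while 18.1.4.4 in this same file uses `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. The `SYSTEM\` component looks like a slip, and an administrator who creates the value under that path will not get the cache deletion at logout that the text promises; please correct both listings to the SOFTWARE path. In 18.4.3 the body says the client searches `%LOGONSERVER%\NETLOGON\Default User`, but the note directly below says the directory must be called `Default Profile`; use the name that is actually searched in both places. The XP note at the end of 18.1.2.3 opens with "This is a security check new to Windows XP" without saying what is checked, and its steps are a bulleted list whose items break mid-sentence ("Do not check for user ownership of Roaming Profile" / "Folders"); name the check (ownership of the roaming profile folder), say what enabling the policy gives up, drop the open question about an Active Directory analogue, and make the steps an ordered list. 18.1.4.2 tells the reader to obtain the domain SID with smbpasswd and "Read the man page" without giving the invocation; show the command. Spelling to fix while here: "editted", "mandotory", "lossely", "benenfit", "provious", "tatooing", "msut", "loging", "exits" (for "exists"), "Common Startu p" and "Progams" in the Common folders listing, and the unclosed parentheses after "My Documents" and "modify (or change".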
\ No newline at end of file diff --git a/docs/htmldocs/profiles.1.html b/docs/htmldocs/profiles.1.html new file mode 100644 index 0000000000..53deae6f28 --- /dev/null +++ b/docs/htmldocs/profiles.1.html 
@@ -0,0 +1,139 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>profiles</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="PROFILES.1" +></A +>profiles</H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>profiles -- A utility to report and change SIDs in registry files + </DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>profiles</B +> [-v] [-c SID] [-n SID] {file}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN15" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>Samba</SPAN +>(7)</SPAN +> suite.</P +><P +><B +CLASS="COMMAND" +>profiles</B +> is a utility that + reports and changes SIDs in windows registry files. It currently only + supports NT. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN23" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>file</DT +><DD +><P +>Registry file to view or edit. </P +></DD +><DT +>-v,--verbose</DT +><DD +><P +>Increases verbosity of messages. + </P +></DD +><DT +>-c SID1 -n SID2</DT +><DD +><P +>Change all occurences of SID1 in <TT +CLASS="FILENAME" +>file</TT +> by SID2. + </P +></DD +><DT +>-h|--help</DT +><DD +><P +>Print a summary of command line options.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN43" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 3.0 of the Samba + suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN46" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. 
Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The profiles man page was written by Jelmer Vernooij. </P +></DIV +></BODY +></HTML +>
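Review bot: The synopsis lists `[-c SID] [-n SID]` as two independent options, but OPTIONS documents them only as the pair `-c SID1 -n SID2`, so the page never says what happens when only one of them is given; show them as a single optional group in the synopsis or describe each option on its own. The synopsis also omits `-h|--help` and the `--verbose` long form that OPTIONS lists. Because the tool rewrites SIDs inside a registry file, DESCRIPTION should state whether `file` is modified in place so that readers know to run it on a copy, and "It currently only supports NT" should say which registry file format that means. Minor: "occurences" should be "occurrences", and "in file by SID2" reads better as "in file with SID2".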
\ No newline at end of file diff --git a/docs/htmldocs/servertype.html b/docs/htmldocs/servertype.html new file mode 100644 index 0000000000..c52ed3208b --- /dev/null +++ b/docs/htmldocs/servertype.html 
@@ -0,0 +1,368 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Nomenclature of Server Types</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Type of installation" +HREF="type.html"><LINK +REL="PREVIOUS" +TITLE="Type of installation" +HREF="type.html"><LINK +REL="NEXT" +TITLE="Samba as Stand-Alone Server" +HREF="securitylevels.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="type.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="securitylevels.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="SERVERTYPE" +></A +>Chapter 5. Nomenclature of Server Types</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>5.1. <A +HREF="servertype.html#AEN847" +>Stand Alone Server</A +></DT +><DT +>5.2. <A +HREF="servertype.html#AEN854" +>Domain Member Server</A +></DT +><DT +>5.3. 
<A +HREF="servertype.html#AEN860" +>Domain Controller</A +></DT +></DL +></DIV +><P +>Adminstrators of Microsoft networks often refer to there being three +different type of servers:</P +><P +></P +><UL +><LI +><P +>Stand Alone Server</P +></LI +><LI +><P +>Domain Member Server</P +></LI +><LI +><P +>Domain Controller</P +><P +></P +><UL +><LI +><P +>Primary Domain Controller</P +></LI +><LI +><P +>Backup Domain Controller</P +></LI +><LI +><P +>ADS Domain Controller</P +></LI +></UL +></LI +></UL +><P +>A network administrator who is familiar with these terms and who +wishes to migrate to or use Samba will want to know what these terms mean +within a Samba context.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN847" +>5.1. Stand Alone Server</A +></H1 +><P +>The term <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>stand alone server</I +></SPAN +> means that the server +will provide local authentication and access control for all resources +that are available from it. In general this means that there will be a +local user database. In more technical terms, it means that resources +on the machine will either be made available in either SHARE mode or in +USER mode. SHARE mode and USER mode security are documented under +discussions regarding "security mode". The smb.conf configuration parameters +that control security mode are: "security = user" and "security = share".</P +><P +>No special action is needed other than to create user accounts. Stand-alone +servers do NOT provide network logon services, meaning that machines that +use this server do NOT perform a domain logon but instead make use only of +the MS Windows logon which is local to the MS Windows workstation/server.</P +><P +>Samba tends to blur the distinction a little in respect of what is +a stand alone server. 
This is because the authentication database may be +local or on a remote server, even if from the samba protocol perspective +the samba server is NOT a member of a domain security context.</P +><P +>Through the use of PAM (Pluggable Authentication Modules) and nsswitch +(the name service switcher) the source of authentication may reside on +another server. We would be inclined to call this the authentication server. +This means that the samba server may use the local Unix/Linux system +password database (/etc/passwd or /etc/shadow), may use a local smbpasswd +file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or +may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB +server for authentication.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN854" +>5.2. Domain Member Server</A +></H1 +><P +>This mode of server operation involves the samba machine being made a member +of a domain security context. This means by definition that all user authentication +will be done from a centrally defined authentication regime. The authentication +regime may come from an NT3/4 style (old domain technology) server, or it may be +provided from an Active Directory server (ADS) running on MS Windows 2000 or later.</P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Of course it should be clear that the authentication back end itself could be from any +distributed directory architecture server that is supported by Samba. This can be +LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc.</I +></SPAN +></P +><P +>Please refer to the section on Howto configure Samba as a Primary Domain Controller +and for more information regarding how to create a domain machine account for a +domain member server as well as for information regading how to enable the samba +domain member machine to join the domain and to be fully trusted by it.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN860" +>5.3. 
Domain Controller</A +></H1 +><P +>Over the years public perceptions of what Domain Control really is has taken on an +almost mystical nature. Before we branch into a brief overview of what Domain Control +is the following types of controller are known:</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN863" +>5.3.1. Domain Controller Types</A +></H2 +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Primary Domain Controller</TD +></TR +><TR +><TD +>Backup Domain Controller</TD +></TR +><TR +><TD +>ADS Domain Controller</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>The <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Primary Domain Controller</I +></SPAN +> or PDC plays an important role in the MS +Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many +expect. The PDC seeds the Domain Control database (a part of the Windows registry) and +it plays a key part in synchronisation of the domain authentication database. </P +><P +>New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as +the NT4 style SAM (Security Account Manager) database (one of the registry files). +The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and +valid options include <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</I +></SPAN +>. +The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix +Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux +system accounts, provided a uid range is defined from which SAM accounts can be created.</P +><P +>The <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Backup Domain Controller</I +></SPAN +> or BDC plays a key role in servicing network +authentication requests. 
The BDC is biased to answer logon requests so that on a network segment +that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will +answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to +a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is +automatically demoted to a BDC.</P +><P +>At this time Samba is NOT capable of acting as an <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>ADS Domain Controller</I +></SPAN +>.</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="type.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="securitylevels.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Type of installation</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="type.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Samba as Stand-Alone Server</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbcquotas.1.html b/docs/htmldocs/smbcquotas.1.html new file mode 100644 index 0000000000..334f08bbb9 --- /dev/null +++ b/docs/htmldocs/smbcquotas.1.html 
@@ -0,0 +1,391 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>smbcquotas</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBCQUOTAS.1" +></A +>smbcquotas</H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbcquotas -- Set or get QUOTAs of NTFS 5 shares</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbcquotas</B +> {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logfilebase] [-V] [-U username] [-N] [-k] [-A]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN27" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>Samba</SPAN +>(7)</SPAN +> suite.</P +><P +>The <B +CLASS="COMMAND" +>smbcquotas</B +> program manipulates NT Quotas on SMB file shares. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN35" +></A +><H2 +>OPTIONS</H2 +><P +>The following options are available to the <B +CLASS="COMMAND" +>smbcquotas</B +> program. </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-u user</DT +><DD +><P +> Specifies the user of whom the quotas are get or set. + By default the current user's username will be used.</P +></DD +><DT +>-L</DT +><DD +><P +>Lists all quota records of the share.</P +></DD +><DT +>-F</DT +><DD +><P +>Show the share quota status and default limits.</P +></DD +><DT +>-S QUOTA_SET_COMMAND</DT +><DD +><P +>This command set/modify quotas for a user or on the share, + depending on the QUOTA_SET_COMMAND parameter witch is described later</P +></DD +><DT +>-n</DT +><DD +><P +>This option displays all QUOTA information in numeric + format. 
The default is to convert SIDs to names and QUOTA limits + to a readable string format. </P +></DD +><DT +>-t</DT +><DD +><P +> Don't actually do anything, only validate the correctness of + the arguments. + </P +></DD +><DT +>-v</DT +><DD +><P +> Be verbose. + </P +></DD +><DT +>-h|--help</DT +><DD +><P +>Print a summary of command line options.</P +></DD +><DT +>-V</DT +><DD +><P +>Prints the version number for +<B +CLASS="COMMAND" +>smbd</B +>.</P +></DD +><DT +>-s <configuration file></DT +><DD +><P +>The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> for more information. +The default configuration file name is determined at +compile time.</P +></DD +><DT +>-d|--debug=debuglevel</DT +><DD +><P +><VAR +CLASS="REPLACEABLE" +>debuglevel</VAR +> is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.</P +><P +>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.</P +><P +>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. 
Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</P +><P +>Note that specifying this parameter here will +override the <A +HREF="smb.conf.5.html#loglevel" +TARGET="_top" +>log +level</A +> parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> file.</P +></DD +><DT +>-l|--logfile=logbasename</DT +><DD +><P +>File name for log/debug files. The extension +<CODE +CLASS="CONSTANT" +>".client"</CODE +> will be appended. The log file is +never removed by the client.</P +></DD +><DT +>-N</DT +><DD +><P +>If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password. </P +><P +>Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.</P +></DD +><DT +>-k</DT +><DD +><P +>Try to authenticate with kerberos. Only useful in +an Active Directory environment.</P +></DD +><DT +>-A|--authfile=filename</DT +><DD +><P +>This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is</P +><P +><PRE +CLASS="PROGRAMLISTING" +>username = <value> +password = <value> +domain = <value></PRE +></P +><P +>Make certain that the permissions on the file restrict +access from unwanted users. </P +></DD +><DT +>-U|--user=username[%password]</DT +><DD +><P +>Sets the SMB username or username and password. </P +><P +>If %password is not specified, the user will be prompted. The +client will first check the <VAR +CLASS="ENVAR" +>USER</VAR +> environment variable, then the +<VAR +CLASS="ENVAR" +>LOGNAME</VAR +> variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username <CODE +CLASS="CONSTANT" +>GUEST</CODE +> is used. 
</P +><P +>A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +<VAR +CLASS="PARAMETER" +>-A</VAR +> for more details. </P +><P +>Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the <B +CLASS="COMMAND" +>ps</B +> command. To be safe always allow +<B +CLASS="COMMAND" +>rpcclient</B +> to prompt for a password and type +it in directly. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN128" +></A +><H2 +>QUOTA_SET_COMAND</H2 +><P +>The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following: </P +><P +> for user setting quotas for the specified by -u or the current username: + </P +><P +><KBD +CLASS="USERINPUT" +> UQLIM:<username><softlimit><hardlimit> + </KBD +></P +><P +> for setting the share quota defaults limits: + </P +><P +><KBD +CLASS="USERINPUT" +> FSQLIM:<softlimit><hardlimit> + </KBD +></P +><P +> for changing the share quota settings: + </P +><P +><KBD +CLASS="USERINPUT" +> FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT + </KBD +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN140" +></A +><H2 +>EXIT STATUS</H2 +><P +>The <B +CLASS="COMMAND" +>smbcquotas</B +> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </P +><P +>If the operation succeeded, smbcquotas returns an exit + status of 0. 
If <B +CLASS="COMMAND" +>smbcquotas</B +> couldn't connect to the specified server, + or when there was an error getting or setting the quota(s), an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN146" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 3.0 of the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN149" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +><B +CLASS="COMMAND" +>smbcacls</B +> was written by Stefan Metzmacher.</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbtree.1.html b/docs/htmldocs/smbtree.1.html new file mode 100644 index 0000000000..e3edbc8681 --- /dev/null +++ b/docs/htmldocs/smbtree.1.html 
@@ -0,0 +1,304 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>smbtree</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBTREE.1" +></A +>smbtree</H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbtree -- A text based smb network browser + </DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbtree</B +> [-b] [-D] [-S]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN14" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>Samba</SPAN +>(7)</SPAN +> suite.</P +><P +><B +CLASS="COMMAND" +>smbtree</B +> is a smb browser program + in text mode. It is similar to the "Network Neighborhood" found + on Windows computers. It prints a tree with all + the known domains, the servers in those domains and + the shares on the servers. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-b</DT +><DD +><P +>Query network nodes by sending requests + as broadcasts instead of querying the (domain) master browser. + </P +></DD +><DT +>-D</DT +><DD +><P +>Only print a list of all + the domains known on broadcast or by the + master browser</P +></DD +><DT +>-S</DT +><DD +><P +>Only print a list of + all the domains and servers responding on broadcast or + known by the master browser. + </P +></DD +><DT +>-V</DT +><DD +><P +>Prints the version number for +<B +CLASS="COMMAND" +>smbd</B +>.</P +></DD +><DT +>-s <configuration file></DT +><DD +><P +>The file specified contains the +configuration details required by the server. 
The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> for more information. +The default configuration file name is determined at +compile time.</P +></DD +><DT +>-d|--debug=debuglevel</DT +><DD +><P +><VAR +CLASS="REPLACEABLE" +>debuglevel</VAR +> is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.</P +><P +>The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.</P +><P +>Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.</P +><P +>Note that specifying this parameter here will +override the <A +HREF="smb.conf.5.html#loglevel" +TARGET="_top" +>log +level</A +> parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> file.</P +></DD +><DT +>-l|--logfile=logbasename</DT +><DD +><P +>File name for log/debug files. The extension +<CODE +CLASS="CONSTANT" +>".client"</CODE +> will be appended. The log file is +never removed by the client.</P +></DD +><DT +>-N</DT +><DD +><P +>If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password. 
</P +><P +>Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.</P +></DD +><DT +>-k</DT +><DD +><P +>Try to authenticate with kerberos. Only useful in +an Active Directory environment.</P +></DD +><DT +>-A|--authfile=filename</DT +><DD +><P +>This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is</P +><P +><PRE +CLASS="PROGRAMLISTING" +>username = <value> +password = <value> +domain = <value></PRE +></P +><P +>Make certain that the permissions on the file restrict +access from unwanted users. </P +></DD +><DT +>-U|--user=username[%password]</DT +><DD +><P +>Sets the SMB username or username and password. </P +><P +>If %password is not specified, the user will be prompted. The +client will first check the <VAR +CLASS="ENVAR" +>USER</VAR +> environment variable, then the +<VAR +CLASS="ENVAR" +>LOGNAME</VAR +> variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username <CODE +CLASS="CONSTANT" +>GUEST</CODE +> is used. </P +><P +>A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +<VAR +CLASS="PARAMETER" +>-A</VAR +> for more details. </P +><P +>Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the <B +CLASS="COMMAND" +>ps</B +> command. To be safe always allow +<B +CLASS="COMMAND" +>rpcclient</B +> to prompt for a password and type +it in directly. 
</P +></DD +><DT +>-h|--help</DT +><DD +><P +>Print a summary of command line options.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN97" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 3.0 of the Samba + suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN100" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The smbtree man page was written by Jelmer Vernooij. </P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/swat.html b/docs/htmldocs/swat.html new file mode 100644 index 0000000000..b6f36034a8 --- /dev/null +++ b/docs/htmldocs/swat.html 
@@ -0,0 +1,233 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>SWAT - The Samba Web Admininistration Tool</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Appendixes" +HREF="appendixes.html"><LINK +REL="PREVIOUS" +TITLE="Samba and other CIFS clients" +HREF="other-clients.html"><LINK +REL="NEXT" +TITLE="Samba performance issues" +HREF="speed.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="other-clients.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="speed.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="SWAT" +></A +>Chapter 31. SWAT - The Samba Web Admininistration Tool</H1 +><P +>This is a rough guide to SWAT.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4624" +>31.1. SWAT Features and Benefits</A +></H1 +><P +>You must use at least the following ...</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4627" +>31.1.1. The SWAT Home Page</A +></H2 +><P +>Blah blah here.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4630" +>31.1.2. Global Settings</A +></H2 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4633" +>31.1.3. 
The SWAT Wizard</A +></H2 +><P +>Lots of blah blah here.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4636" +>31.1.4. Share Settings</A +></H2 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4639" +>31.1.5. Printing Settings</A +></H2 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4642" +>31.1.6. The Status Page</A +></H2 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN4645" +>31.1.7. The Password Change Page</A +></H2 +><P +>Document steps right here!</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="other-clients.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="speed.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Samba and other CIFS clients</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="appendixes.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Samba performance issues</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/unicode.html b/docs/htmldocs/unicode.html new file mode 100644 index 0000000000..89a70cbee8 --- /dev/null +++ b/docs/htmldocs/unicode.html 
@@ -0,0 +1,301 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Unicode/Charsets</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Securing Samba" +HREF="securing-samba.html"><LINK +REL="NEXT" +TITLE="Appendixes" +HREF="appendixes.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="securing-samba.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="appendixes.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="UNICODE" +></A +>Chapter 26. Unicode/Charsets</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>26.1. <A +HREF="unicode.html#AEN4127" +>What are charsets and unicode?</A +></DT +><DT +>26.2. <A +HREF="unicode.html#AEN4136" +>Samba and charsets</A +></DT +><DT +>26.3. <A +HREF="unicode.html#AEN4155" +>Conversion from old names</A +></DT +></DL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4127" +>26.1. What are charsets and unicode?</A +></H1 +><P +>Computers communicate in numbers. In texts, each number will be +translated to a corresponding letter. 
The meaning that will be assigned +to a certain number depends on the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>character set(charset)</I +></SPAN +> that is used. +A charset can be seen as a table that is used to translate numbers to +letters. Not all computers use the same charset (there are charsets +with German umlauts, Japanese characters, etc). Usually a charset contains +256 characters, which means that storing a character with it takes +exactly one byte. </P +><P +>There are also charsets that support even more characters, +but those need twice(or even more) as much storage space. These +charsets can contain <B +CLASS="COMMAND" +>256 * 256 = 65536</B +> characters, which +is more then all possible characters one could think of. They are called +multibyte charsets (because they use more then one byte to +store one character). </P +><P +>A standardised multibyte charset is unicode, info available at +<A +HREF="http://www.unicode.org/" +TARGET="_top" +>www.unicode.org</A +>. +Big advantage of using a multibyte charset is that you only need one; no +need to make sure two computers use the same charset when they are +communicating.</P +><P +>Old windows clients used to use single-byte charsets, named +'codepages' by microsoft. However, there is no support for +negotiating the charset to be used in the smb protocol. Thus, you +have to make sure you are using the same charset when talking to an old client. +Newer clients (Windows NT, 2K, XP) talk unicode over the wire.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4136" +>26.2. Samba and charsets</A +></H1 +><P +>As of samba 3.0, samba can (and will) talk unicode over the wire. Internally, +samba knows of three kinds of character sets: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>unix charset</DT +><DD +><P +> This is the charset used internally by your operating system. + The default is <CODE +CLASS="CONSTANT" +>ASCII</CODE +>, which is fine for most + systems. 
+ </P +></DD +><DT +>display charset</DT +><DD +><P +>This is the charset samba will use to print messages + on your screen. It should generally be the same as the <B +CLASS="COMMAND" +>unix charset</B +>. + </P +></DD +><DT +>dos charset</DT +><DD +><P +>This is the charset samba uses when communicating with + DOS and Windows 9x clients. It will talk unicode to all newer clients. + The default depends on the charsets you have installed on your system. + Run <B +CLASS="COMMAND" +>testparm -v | grep "dos charset"</B +> to see + what the default is on your system. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN4155" +>26.3. Conversion from old names</A +></H1 +><P +>Because previous samba versions did not do any charset conversion, +characters in filenames are usually not correct in the unix charset but only +for the local charset used by the DOS/Windows clients.</P +><P +>The following script from Steve Langasek converts all +filenames from CP850 to the iso8859-15 charset.</P +><P +><SAMP +CLASS="PROMPT" +>#</SAMP +><KBD +CLASS="USERINPUT" +>find <VAR +CLASS="REPLACEABLE" +>/path/to/share</VAR +> -type f -exec bash -c 'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \ + -t iso8859-15`; if [ "$CP" != "$ISO" ]; then mv "$CP" "$ISO"; fi' \;</KBD +></P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="securing-samba.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="appendixes.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Securing Samba</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" 
+ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Appendixes</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file |
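Review bot: In docs/htmldocs/servertype.html, section 5.3.1 names the smb.conf parameter as "passwd backend", but the Samba 3.0 parameter that selects the account back end is "passdb backend", so a reader who copies the text will not be setting the intended option. In the same hunk, the cross-reference in section 5.2 ("Please refer to the section on Howto configure Samba as a Primary Domain Controller and for more information ...") has a dangling "and" with no second target, and "of NetWare Directory Server" should read "or". There are also spelling slips to fix in the DocBook source before regenerating: "Adminstrators", "regading", "independant".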
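Review bot: docs/htmldocs/smbcquotas.1.html carries text copied from other man pages without adjustment: -V is described as printing the version number for smbd, the password advice under -U says to "always allow rpcclient to prompt for a password", the AUTHOR section credits smbcacls, and the QUOTA_SET_COMAND section (heading misspelled) opens with "The format of an ACL is one or more ACL entries". Each should name smbcquotas and describe quota commands, because the -U warning about passwords being visible through ps is the security-relevant advice on this page and it currently points at the wrong tool. The UQLIM and FSQLIM syntax lines show the fields back to back (<username><softlimit><hardlimit>) with no separator, so the reader cannot tell how to delimit them. The synopsis also omits -h and shows "-U username" where OPTIONS documents username[%password].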
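Review bot: In docs/htmldocs/smbtree.1.html the synopsis lists only [-b] [-D] [-S], while the OPTIONS section documents -V, -s, -d, -l, -N, -k, -A, -U and -h as well; either the synopsis is incomplete or the shared option text was included for options smbtree may not accept, and the page should say which. The included text also still refers to other programs: -V "Prints the version number for smbd" and the -U warning tells the user to let rpcclient prompt for the password. Since -A and -U are the options that handle plaintext credentials, the file-permission and ps-visibility warnings should be worded for smbtree so they are not dismissed as applying to a different tool.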
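Review bot: docs/htmldocs/swat.html is committed with placeholder bodies in every section of Chapter 31 ("You must use at least the following ...", "Blah blah here.", "Lots of blah blah here.", "Document steps right here!"), so the generated HTML ships a chapter on a web administration tool with no guidance on what it exposes or how to use it. Hold this file back until the chapter has content, or mark it as a stub in the title and the table of contents. The title and H1 also misspell "Admininistration".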
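Review bot: In docs/htmldocs/unicode.html, section 26.3, the conversion command substitutes the file name into the shell source itself (CP="{}" inside the bash -c string), so a file name containing a double quote, a backquote or $( ) is interpreted by bash when the command is run as root (the prompt shown is #) over a share that clients can write to. Pass the name as a positional argument instead, for example bash -c 'CP="$1"; ...' _ {} \; so that the name is data and never code. Two further points on the same command: ISO is the conversion of the whole path while -type f renames files only, so a file under a directory whose name also changes under conversion will be moved to a path that does not exist, and mv is given no protection against overwriting an existing target. The prose above it has "more then" twice, which should be "more than".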