diff options
Diffstat (limited to 'docs/textdocs')
-rw-r--r-- | docs/textdocs/ADS-HOWTO.txt | 142 | ||||
-rw-r--r-- | docs/textdocs/Application_Serving.txt | 56 | ||||
-rw-r--r-- | docs/textdocs/BROWSING-Config.txt | 215 | ||||
-rw-r--r-- | docs/textdocs/DHCP-Server-Configuration.txt | 240 | ||||
-rw-r--r-- | docs/textdocs/Faxing.txt | 220 | ||||
-rw-r--r-- | docs/textdocs/GOTCHAS.txt | 68 | ||||
-rw-r--r-- | docs/textdocs/HINTS.txt | 212 | ||||
-rw-r--r-- | docs/textdocs/README.DCEDFS | 78 | ||||
-rw-r--r-- | docs/textdocs/Recent-FAQs.txt | 286 | ||||
-rw-r--r-- | docs/textdocs/UNIX_SECURITY.txt | 54 |
10 files changed, 0 insertions, 1571 deletions
diff --git a/docs/textdocs/ADS-HOWTO.txt b/docs/textdocs/ADS-HOWTO.txt deleted file mode 100644 index 7a066c69ec..0000000000 --- a/docs/textdocs/ADS-HOWTO.txt +++ /dev/null @@ -1,142 +0,0 @@ -Samba 3.0 prealpha guide to Kerberos authentication ---------------------------------------------------- - -Andrew Tridgell -tridge@samba.org - -This is a VERY ROUGH guide to setting up the current (November 2001) -pre-alpha version of Samba 3.0 with kerberos authentication against a -Windows2000 KDC. The procedures listed here are likely to change as -the code develops. - -Pieces you need before you begin: - -- a Windows 2000 server -- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to - fetch this. -- the MIT kerberos development libraries (either install from the - above sources or use a package). Under debian you need "libkrb5-dev" - and "krb5-user". The heimdal libraries will not work. -- the OpenLDAP development libraries. - -On RedHat this means you should have at least: - -krb5-workstation (for kinit) -krb5-libs (for linking with) -krb5-devel (because you are compiling from source) - -in addition to the standard development environment. - -Note that these are not standard on a RedHat install, and you may need -to get them off CD2. - -Also check that you have the latest copy of this HOWTO. It is -available from http://samba.org/ftp/tridge/kerberos/HOWTO - -Step 1: Compile Samba - - If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR. - - After you run configure make sure that include/config.h contains - lines like this: - - #define HAVE_KRB5 1 - #define HAVE_LDAP 1 - - If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it. - - Then compile and install Samba as usual. You must use at least the - following 3 options in smb.conf: - - realm = YOUR.KERBEROS.REALM - ads server = your.kerberos.server - security = ADS - encrypt passwords = yes - - Strictly speaking, you can omit the realm name and you can use an IP - address for the ads server. In that case Samba will auto-detect these. - - You do *not* need a smbpasswd file, although it won't do any harm - and if you have one then Samba will be able to fall back to normal - password security for older clients. I expect that the above - required options will change soon when we get better active - directory integration. - - -Step 2: Setup your /etc/krb5.conf - - The minimal configuration for krb5.conf is: - - [realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } - - - Test your config by doing a "kinit USERNAME@REALM" and making sure that - your password is accepted by the Win2000 KDC. - - NOTE: The realm must be uppercase. - - You also must ensure that you can do a reverse DNS lookup on the IP - address of your KDC. Also, the name that this reverse lookup maps to - must either be the netbios name of the KDC (ie. the hostname with no - domain attached) or it can alternatively be the netbios name - followed by the realm. - - The easiest way to ensure you get this right is to add a /etc/hosts - entry mapping the IP address of your KDC to its netbios name. If you - don't get this right then you will get a "local error" when you try - to join the realm. - -* If all you want is kerberos support in smbclient then you can skip -* straight to step 5 now. Step 3 is only needed if you want kerberos -* support in smbd. - - -Step 3: Create the computer account - - Do a "kinit" as a user that has authority to change arbitrary - passwords on the KDC ("Administrator" is a good choice). Then as a - user that has write permission on the Samba private directory - (usually root) run: - - net ads join - - Possible errors: - - "bash: kinit: command not found": - - kinit is in the krb5-workstation RPM on RedHat systems, and is - in /usr/kerberos/bin, so it won't be in the path until - you log in again (or open a new terminal) - - "ADS support not compiled in" - - Samba must be reconfigured (remove config.cache) and - recompiled (make clean all install) after the kerberos libs - and headers are installed. - - -Step 4: Test your server setup - - On a Windows 2000 client try "net use * \\server\share". You should - be logged in with kerberos without needing to know a password. If - this fails then run "klist tickets". Did you get a ticket for the - server? Does it have an encoding type of DES-CBC-MD5 ? - -Step 5: Testing with smbclient - - On your Samba server try to login to a Win2000 server or your Samba - server using smbclient and kerberos. Use smbclient as usual, but - specify the -k option to choose kerberos authentication. - - --------- - -NOTES: - - must change administrator password at least once after DC install, - to create the right encoding types - - - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in - their defaults DNS setup. Maybe fixed in service packs? - diff --git a/docs/textdocs/Application_Serving.txt b/docs/textdocs/Application_Serving.txt deleted file mode 100644 index 6a61a99d7e..0000000000 --- a/docs/textdocs/Application_Serving.txt +++ /dev/null @@ -1,56 +0,0 @@ -Contributed: January 7, 1997 -Updated: March 24, 1998 -Contributor: John H Terpstra <samba@samba.org> - Copyright (C) 1997 - John H Terpstra -Status: Current - -Subject: Using a Samba share as an administrative share for MS Office, etc. -============================================================================== - -Problem: -======== -Microsoft Office products can be installed as an administrative installation -from which the application can either be run off the administratively installed -product that resides on a shared resource, or from which that product can be -installed onto workstation clients. - -The general mechanism for implementing an adminstrative installation involves -running: - X:\setup /A, where X is the drive letter of either CDROM or floppy - -This installation process will NOT install the product for use per se, but -rather results in unpacking of the compressed distribution files into a target -shared folder. For this process you need write privilidge to the share and it -is desirable to enable file locking and share mode operation during this -process. - -Subsequent installation of MS Office from this share will FAIL unless certain -precautions are taken. This failure will be caused by share mode operation -which will prevent the MS Office installation process from re-opening various -dynamic link library files and will cause sporadic file not found problems. - -Solution: -========= -1. As soon as the administrative installation (unpacking) has completed - set the following parameters on the share containing it: - [MSOP95] - path = /where_you_put_it - comment = Your comment - volume = "The_CD_ROM_Label" - read only = yes - available = yes - share modes = no - locking = no - browseable = yes - public = yes - -2. Now you are ready to run the setup program from the Microsoft Windows -workstation as follows:- - \\"Server_Name"\MSOP95\msoffice\setup - -MS Office Sharing - Please note: -================================ - -Workgroup Templates should be stored on an ordinary writable or read-only share -but USER templates MUST be stored on a writable share _OR_ on the users' local -machine. diff --git a/docs/textdocs/BROWSING-Config.txt b/docs/textdocs/BROWSING-Config.txt deleted file mode 100644 index ba0f399f48..0000000000 --- a/docs/textdocs/BROWSING-Config.txt +++ /dev/null @@ -1,215 +0,0 @@ -Date: July 5, 1998 -Contributor: John H Terpstra <jht@samba.org> - -Subject: Cross Subnet Browsing / Cross Workgroup Browsing -=============================================================================== - -OVERVIEW: -========= - -This document should be read in conjunction with BROWSING.txt and may -be taken as the fast track guide to implementing browsing across subnets -and / or across workgroups (or domains). WINS is the best tool for resolution -of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling -except by way of name to address mapping. - - -DISCUSSION: -=========== - -Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging is implemented using NetBIOS. Samba -implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can -do likewise. NetBIOS based networking uses broadcast messaging to affect -browse list management. When running NetBIOS over TCP/IP this uses UDP -based messaging. UDP messages can be broadcast or unicast. - -Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP. - -Secondly, in those networks where Samba is the only SMB server technology -wherever possible nmbd should be configured on one (1) machine as the WINS -server. This makes it easy to manage the browsing environment. If each network -segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file. - -If only one WINS server is used then the use of the "remote announce" and the -"remote browse sync" parameters should NOT be necessary. - -Samba WINS does not support MS-WINS replication. This means that when setting up -Samba as a WINS server there must only be one nmbd configured as a WINS server -on the network. Some sites have used multiple Samba WINS servers for redundancy -(one server per subnet) and then used "remote browse sync" and "remote announce" -to affect browse list collation across all segments. Note that this means -clients will only resolve local names, and must be configured to use DNS to -resolve names on other subnets in order to resolve the IP addresses of the -servers they can see on other subnets. This setup is not recommended, but is -mentioned as a practical consideration (ie: an 'if all else fails' scenario). - -Lastly, take note that browse lists are a collection of unreliable broadcast -messages that are repeated at intervals of not more than 15 minutes. This means -that it will take time to establish a browse list and it can take up to 45 -minutes to stabilise, particularly across network segments. - - -A) Use of the "Remote Announce" parameter ------------------------------------------- -The "remote announce" parameter of smb.conf can be used to forcibly ensure -that all the NetBIOS names on a network get announced to a remote network. -The syntax of the "remote announce" parameter is: - - remote announce = a.b.c.d [e.f.g.h] ... -_or_ - remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... - -where: - a.b.c.d: is either the LMB (Local Master Browser) IP address - e.f.g.h: or the broadcst address of the remote network. - ie: the LMB is at 192.168.1.10, or the address - could be given as 192.168.1.255 where the netmask - is assumed to be 24 bits (255.255.255.0). - When the remote announcement is made to the broadcast - address of the remote network every host will receive - our announcements. This is noisy and therefore - undesirable but may be necessary if we do NOT know - the IP address of the remote LMB. - - WORKGROUP: is optional and can be either our own workgroup - or that of the remote network. If you use the - workgroup name of the remote network then our - NetBIOS machine names will end up looking like - they belong to that workgroup, this may cause - name resolution problems and should be avoided. - - -B) Use of the "Remote Browse Sync" parameter --------------------------------------------- - -The "remote browse sync" parameter of smb.conf is used to announce to -another LMB that it must synchronise it's NetBIOS name list with our -Samba LMB. It works ONLY if the Samba server that has this option is -simultaneously the LMB on it's network segment. - -The syntax of the "remote browse sync" parameter is: - - remote browse sync = a.b.c.d - -where: - a.b.c.d: is either the IP address of the remote LMB or else - is the network broadcast address of the remote segment. - - -C) Use of WINS --------------- - -Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly -recommended. Every NetBIOS machine registers it's name together with a -name_type value for each of of several types of service it has available. -eg: It registers it's name directly as a unique (the type 0x03) name. -It also registers it's name if it is running the lanmanager compatible -server service (used to make shares and printers available to other users) -by registering the server (the type 0x20) name. - -All NetBIOS names are up to 15 characters in length. The name_type variable -is added to the end of the name - thus creating a 16 character name. Any -name that is shorter than 15 characters is padded with spaces to the 15th -character. ie: All NetBIOS names are 16 characters long (including the -name_type information). - -WINS can store these 16 character names as they get registered. A client -that wants to log onto the network can ask the WINS server for a list -of all names that have registered the NetLogon service name_type. This saves -broadcast traffic and greatly expedites logon processing. Since broadcast -name resolution can not be used across network segments this type of -information can only be provided via WINS _or_ via statically configured -"lmhosts" files that must reside on all clients in the absence of WINS. - -WINS also serves the purpose of forcing browse list synchronisation by all -LMB's. LMB's must synchronise their browse list with the DMB (domain master -browser) and WINS helps the LMB to identify it's DMB. By definition this -will work only within a single workgroup. Note that the domain master browser -has NOTHING to do with what is referred to as an MS Windows NT Domain. The -later is a reference to a security environment while the DMB refers to the -master controller for browse list information only. - -Use of WINS will work correctly only if EVERY client TCP/IP protocol stack -has been configured to use the WINS server/s. Any client that has not been -configured to use the WINS server will continue to use only broadcast based -name registration so that WINS may NEVER get to know about it. In any case, -machines that have not registered with a WINS server will fail name to address -lookup attempts by other clients and will therefore cause workstation access -errors. - -To configure Samba as a WINS server just add "wins support = yes" to the -smb.conf file [globals] section. - -To configure Samba to register with a WINS server just add -"wins server = a.b.c.d" to your smb.conf file [globals] section. - -DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d" -particularly not using it's own IP address. - - -D) Do NOT use more than one (1) protocol on MS Windows machines ---------------------------------------------------------------- - -A very common cause of browsing problems results from installing more than -one protocol on an MS Windows machine. - -Every NetBIOS machine take part in a process of electing the LMB (and DMB) -every 15 minutes. A set of election criteria is used to determine the order -of precidence for winning this election process. A machine running Samba or -Windows NT will be biased so that the most suitable machine will predictably -win and thus retain it's role. - -The election process is "fought out" so to speak over every NetBIOS network -interface. In the case of a Windows 9x machine that has both TCP/IP and IPX -installed and has NetBIOS enabled over both protocols the election will be -decided over both protocols. As often happens, if the Windows 9x machine is -the only one with both protocols then the LMB may be won on the NetBIOS -interface over the IPX protocol. Samba will then lose the LMB role as Windows -9x will insist it knows who the LMB is. Samba will then cease to function -as an LMB and thus browse list operation on all TCP/IP only machines will -fail. - -The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! - - -E) Name Resolution Order -======================== - -Resolution of NetBIOS names to IP addresses can take place using a number -of methods. The only ones that can provide NetBIOS name_type information -are: - WINS: the best tool! - LMHOSTS: is static and hard to maintain. - Broadcast: uses UDP and can not resolve names across - remote segments. - -Alternative means of name resolution includes: - /etc/hosts: is static, hard to maintain, and lacks name_type info. - DNS: is a good choice but lacks essential name_type info. - -Many sites want to restrict DNS lookups and want to avoid broadcast name -resolution traffic. The "name resolve order" parameter is of great help here. -The syntax of the "name resolve order" parameter is: - - name resolve order = wins lmhosts bcast host -_or_ - name resolve order = wins lmhosts (eliminates bcast and host) - -the default is: - name resolve order = host lmhost wins bcast - -where: - "host" refers the the native methods used by the Unix system - to implement the gethostbyname() function call. This is normally - controlled by: - /etc/host.conf - /etc/nsswitch.conf - /etc/resolv.conf - -=============================================================================== diff --git a/docs/textdocs/DHCP-Server-Configuration.txt b/docs/textdocs/DHCP-Server-Configuration.txt deleted file mode 100644 index 499706955f..0000000000 --- a/docs/textdocs/DHCP-Server-Configuration.txt +++ /dev/null @@ -1,240 +0,0 @@ -Subject: DHCP Server Configuration for SMB Clients -Date: March 1, 1998 -Updated: May 15, 2001 -Contributor: John H Terpstra <jht@samba.org> -Support: This is an unsupported document. Refer to documentation that is - supplied with the ISC DHCP Server. Do NOT email the contributor - for ANY assistance. -=============================================================================== - -Background: -=========== - -We wish to help those folks who wish to use the ISC DHCP Server and provide -sample configuration settings. Most operating systems today come ship with -the ISC DHCP Server. ISC DHCP is available from: - ftp://ftp.isc.org/isc/dhcp - -Incorrect configuration of MS Windows clients (Windows9X, Windows ME, Windows -NT/2000) will lead to problems with browsing and with general network -operation. Windows 9X/ME users often report problems where the TCP/IP and related -network settings will inadvertantly become reset at machine start-up resulting -in loss of configuration settings. This results in increased maintenance -overheads as well as serious user frustration. - -In recent times users on one mailing list incorrectly attributed the cause of -network operating problems to incorrect configuration of Samba. - -One user insisted that the only way to provent Windows95 from periodically -performing a full system reset and hardware detection process on start-up was -to install the NetBEUI protocol in addition to TCP/IP. This assertion is not -correct. - -In the first place, there is NO need for NetBEUI. All Microsoft Windows clients -natively run NetBIOS over TCP/IP, and that is the only protocol that is -recognised by Samba. Installation of NetBEUI and/or NetBIOS over IPX will -cause problems with browse list operation on most networks. Even Windows NT -networks experience these problems when incorrectly configured Windows95 -systems share the same name space. It is important that only those protocols -that are strictly needed for site specific reasons should EVER be installed. - -Secondly, and totally against common opinion, DHCP is NOT an evil design but is -an extension of the BOOTP protocol that has been in use in Unix environments -for many years without any of the melt-down problems that some sensationalists -would have us believe can be experienced with DHCP. In fact, DHCP in covered by -rfc1541 and is a very safe method of keeping an MS Windows desktop environment -under control and for ensuring stable network operation. - -Please note that MS Windows systems as of MS Windows NT 3.1 and MS Windows 95 -store all network configuration settings a registry. There are a few reports -from MS Windows network administrators that warrant mention here. It would appear -that when one sets certain MS TCP/IP protocol settings (either directly or via -DHCP) that these do get written to the registry. Even though a subsequent -change of setting may occur the old value may persist in the registry. This -has been known to create serious networking problems. - -An example of this occurs when a manual TCP/IP environment is configured to -include a NetBIOS Scope. In this event, when the administrator then changes the -configuration of the MS TCP/IP protocol stack, without first deleting the -current settings, by simply checking the box to configure the MS TCP/IP stack -via DHCP then the NetBIOS Scope that is still persistent in the registry WILL be -applied to the resulting DHCP offered settings UNLESS the DHCP server also sets -a NetBIOS Scope. It may therefore be prudent to forcibly apply a NULL NetBIOS -Scope from your DHCP server. The can be done in the dhcpd.conf file with the -parameter: - option netbios-scope ""; - -While it is true that the Microsoft DHCP server that comes with Windows NT -Server provides only a sub-set of rfc1533 functionality this is hardly an issue -in those sites that already have a large investment and commitment to Unix -systems and technologies. The current state of the art of the DHCP Server -specification in covered in rfc2132. - -This document aims to provide enough background information so that the -majority of site can without too much hardship get the Internet Software -Consortium's (ISC) DHCP Server into operation. The key benefits of using DHCP -includes: - -1) Automated IP Address space management and maximised re-use of available IP -Addresses, - -2) Automated control of MS Windows client TCP/IP network configuration, - -3) Automatic recovery from start-up and run-time problems with Windows95. - - - -Client Configuration for SMB Networking: -======================================== -SMB network clients need to be configured so that all standard TCP/IP name to -address resolution works correctly. Once this has been achieved the SMB -environment provides additional tools and services that act as helper agents in -the translation of SMB (NetBIOS) names to their appropriate IP Addresses. One -such helper agent is the NetBIOS Name Server (NBNS) or as Microsoft called it -in their Windows NT Server implementation WINS (Windows Internet Name Server). - -A client needs to be configured so that it has a unique Machine (Computer) -Name. - -This can be done, but needs a few NT registry hacks and you need to be able to -speak UNICODE, which is of course no problem for a True Wizzard(tm) :) -Instructions on how to do this (including a small util for less capable -Wizzards) can be found at - - http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html - - -All remaining TCP/IP networking parameters can be assigned via DHCP. These include: - -a) IP Address, -b) Netmask, -c) Gateway (Router) Address, -d) DNS Domain Name, -e) DNS Server addresses, -f) WINS (NBNS) Server addresses, -g) IP Forwarding, -h) Timezone offset, -i) Node Type, -j) NetBIOS Scope - -Other assignments can be made from a DHCP server too, but the above cover the -major needs. - -Note: IF ever an entry has has been made to the NetBIOS Scope field of the -TCP/IP configuration panel on an MS Windows machine, and it has then been -committed, then that setting may become persistent. In such a c ase it is better -to configure the DHCP server with a NetBIOS Scope consisting of an empty string -(ie: A NULL scope). - - -DHCP Server Installation: -========================= -It is assumed that you will have obtained a copy of the GPL'd ISC DHCP server -source files from ftp://ftp.isc.org/isc/dhcp, it is also assumed that you have -compiled the sources and have installed the binary files. - -The following simply serves to provide sample configuration files to enable -dhcpd to operate. The sample files assume that your site is configured to use -private IP network address space using the Class B range of 172.16.1.0 - -172.16.1.255 and is using a netmask of 255.255.255.0 (ie:24 bits). It is -assumed that your router to the outside world is at 172.16.1.254 and that your -Internet Domain Name is bestnet.com.au. The IP Address range 172.16.1.100 to -172.16.1.240 has been set aside as your dynamically allocated range. In -addition, bestnet.com.au have two print servers that need to obtain settings -via BOOTP. The machine linux.bestnet.com.au has IP address 172.16.1.1 and is -you primary Samba server with WINS support enabled by adding the parameter to -the /etc/smb.conf file: [globals] wins support = yes. The dhcp lease time will -be set to 20 hours. - -Configuration Files: -==================== -Before dhcpd will run you need to install a file that speifies the -configuration settings, and another that holds the database of issued IP -addresses. On many systems these are stored in the /etc directory on the Unix -system. - -Example /etc/dhcpd.conf: -======================== -server-identifier linux.bestnet.com.au; - -subnet 172.16.1.0 netmask 255.255.255.0 { - range 172.16.1.100 172.16.1.240; - default-lease-time 72000; - max-lease-time 144000; - option subnet-mask 255.255.255.0; - option broadcast-address 172.16.1.255; - option routers 172.16.1.254; - option domain-name-servers 172.16.1.1, 172.16.1.2; - option domain-name "bestnet.com.au"; - option time-offset 39600; - option ip-forwarding off; - option netbios-name-servers 172.16.0.1, 172.16.0.1; - option netbios-dd-server 172.16.0.1; - option netbios-node-type 8; - option netbios-scope ""; -} - -; Note: The above netbios-scope is purposely an empty (NULL) string. - -group { - next-server 172.16.1.10; - option subnet-mask 255.255.255.0; - option domain-name "bestnet.com.au"; - option domain-name-servers 172.16.1.1, 172.16.0.2; - option netbios-name-servers 172.16.0.1, 172.16.0.1; - option netbios-dd-server 172.16.0.1; - option netbios-node-type 8; - option netbios-scope "SomeCrazyScope"; - option routers 172.16.1.240; - option time-offset 39600; - host lexmark1 { - hardware ethernet 06:07:08:09:0a:0b; - fixed-address 172.16.1.245; - } - host epson4 { - hardware ethernet 01:02:03:04:05:06; - fixed-address 172.16.1.242; - } -} - - -Creating the /etc/dhcpd.leases file: -==================================== -At a Unix shell create an empty dhcpd.leases file in the /etc directory. -You can do this by typing: cp /dev/null /etc/dhcpd.leases - - -Setting up a route table for all-ones addresses: -================================================ -Quoting from the README file that comes with the ISC DHCPD Server: - - BROADCAST - -In order for dhcpd to work correctly with picky DHCP clients (e.g., -Windows 95), it must be able to send packets with an IP destination -address of 255.255.255.255. Unfortunately, Linux insists on changing -255.255.255.255 into the local subnet broadcast address (here, that's -192.5.5.223). This results in a DHCP protocol violation, and while -many DHCP clients don't notice the problem, some (e.g., all Microsoft -DHCP clients) do. Clients that have this problem will appear not to -see DHCPOFFER messages from the server. - -It is possible to work around this problem on some versions of Linux -by creating a host route from your network interface address to -255.255.255.255. The command you need to use to do this on Linux -varies from version to version. The easiest version is: - - route add -host 255.255.255.255 dev eth0 - -On some older Linux systems, you will get an error if you try to do -this. On those systems, try adding the following entry to your -/etc/hosts file: - -255.255.255.255 all-ones - -Then, try: - - route add -host all-ones dev eth0 - - -For more information please refer to the ISC DHCPD Server documentation. diff --git a/docs/textdocs/Faxing.txt b/docs/textdocs/Faxing.txt deleted file mode 100644 index 0703d75cc3..0000000000 --- a/docs/textdocs/Faxing.txt +++ /dev/null @@ -1,220 +0,0 @@ -Contributor: Gerhard Zuber <zuber@berlin.snafu.de> -Date: August 5th 1997. -Status: Current - -Subject: F A X I N G with S A M B A -========================================================================== - -This text describes how to turn your SAMBA-server into a fax-server -for any environment, especially for Windows. - Author: Gerhard Zuber <zuber@berlin.snafu.de> - Version: 1.4 - Date: 04. Aug. 1997 - -Requirements: - UNIX box (Linux preferred) with SAMBA and a faxmodem - ghostscript package - mgetty+sendfax package - pbm package (portable bitmap tools) - -FTP sites: - sunsite.unc.edu:/pub/Linux/system/Serial/mgetty+sendfax* - tsx-11.mit.edu:/pub/linux/sources/sbin/mgetty+sendfax - ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/mgetty1.1.6-May05.tar.gz - - pbm10dec91.tgz - ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/pbm10dec91.tgz - sunsite.unc.edu: ..../apps/graphics/convert/pbmplus-10dec91-bin.tar.gz - ftp.gwdg.de/pub/linux/grafik/pbmplus.src.tar.Z (this is 10dec91 source) - or ??? pbm10dec91.tgz pbmplus10dec91.tgz - - -making mgetty+sendfax running: -============================== - - go to source tree: /usr/src/mgetty+sendfax - cp policy.h-dist policy.h - - change your settings: valid tty ports, modem initstring, Station-Id - -#define MODEM_INIT_STRING "AT &F S0=0 &D3 &K3 &C1\\\\N2" - -#define FAX_STATION_ID "49 30 12345678" - -#define FAX_MODEM_TTYS "ttyS1:ttyS2:ttyS3" - - Modem initstring is for rockwell based modems - if you want to use mgetty+sendfax as PPP-dialin-server, - define AUTO_PPP in Makefile: - -CFLAGS=-O2 -Wall -pipe -DAUTO_PPP - - compile it and install the package. - edit your /etc/inittab and let mgetty running on your preferred - ports: - -s3:45:respawn:/usr/local/sbin/mgetty ttyS2 vt100 - - now issue a - kill -HUP 1 - and enjoy with the lightning LEDs on your modem - your now are ready to receive faxes ! - - - if you want a PPP dialin-server, edit - /usr/local/etc/mgetty+sendfax/login.config - -/AutoPPP/ - ppp /usr/sbin/pppd auth debug passive modem - - - Note: this package automatically decides between a fax call and - a modem call. In case of modem call you get a login prompt ! - -Tools for printing faxes: -========================= - - your incomed faxes are in: - /var/spool/fax/incoming - - print it with: - - for i in * - do - g3cat $i | g3tolj | lpr -P hp - done - - in case of low resolution use instead: - - g3cat $i | g3tolj -aspect 2 | lpr -P hp - - - g3cat is in the tools-section, g3tolj is in the contrib-section - for printing to HP lasers. - - If you want to produce files for displaying and printing with Windows, use - some tools from the pbm-package like follow - - g3cat $i | g3topbm - | ppmtopcx - >$i.pcx - - and view it with your favourite Windows tool (maybe paintbrush) - - -Now making the fax-server: -=========================== - - fetch the file - mgetty+sendfax/frontends/winword/faxfilter - - and place it in - - /usr/local/etc/mgetty+sendfax/ - - prepare your faxspool file as mentioned in this file - edit fax/faxspool.in and reinstall or change the final - /usr/local/bin/faxspool too. - - if [ "$user" = "root" -o "$user" = "fax" -o \ - "$user" = "lp" -o "$user" = "daemon" -o "$user" = "bin" ] - - find the first line and change the second. - - make sure you have pbmtext (from the pbm-package). This is - needed for creating the small header line on each page. - Notes on pbmplus: - Some peoples had problems with precompiled binaries (especially - at linux) with a shared lib libgr.so.x.x. The better way is - to fetch the source and compile it. One needs only pbmtext for - generating the small line on top of each page /faxheader). Install - only the individual programs you need. If you install the full - package then install pbmplus first and then mgetty+sendfax, because - this package has some changed programs by itself (but not pbmtext). - - make sure your ghostscript is functional. You need fonts ! - I prefer these from the OS/2 disks - - prepare your faxheader - /usr/local/etc/mgetty+sendfax/faxheader - - edit your /etc/printcap file: - -# FAX -lp3|fax:\ - :lp=/dev/null:\ - :sd=/usr/spool/lp3:\ - :if=/usr/local/etc/mgetty+sendfax/faxfilter:sh:sf:mx#0:\ - :lf=/usr/spool/lp3/fax-log: - - - - - edit your /usr/local/samba/lib/smb.conf - - so you have a smb based printer named "fax" - - -The final step: -=============== - - Now you have a printer called "fax" which can be used via - TCP/IP-printing (lpd-system) or via SAMBA (windows printing). - - On every system you are able to produce postscript-files you - are ready to fax. - - On Windows 3.1 95 and NT: - - Install a printer wich produces postscript output, - e.g. apple laserwriter - - connect the "fax" to your printer - - - Now write your first fax. Use your favourite wordprocessor, - write, winword, notepad or whatever you want, and start - with the headerpage. - - Usually each fax has a header page. It carries your name, - your address, your phone/fax-number. - - It carries also the recipient, his address and his *** fax - number ***. Now here is the trick: - - Use the text: - Fax-Nr: 123456789 - as the recipients fax-number. Make sure this text does not - occur in regular text ! Make sure this text is not broken - by formatting information, e.g. format it as a single entity. - (Windows Write and Win95 Wordpad are functional, maybe newer - versions of Winword are breaking formatting information). - - The trick is that postscript output is human readable and - the faxfilter program scans the text for this pattern and - uses the found number as the fax-destination-number. - - Now print your fax through the fax-printer and it will be - queued for later transmission. Use faxrunq for sending the - queue out. - - Notes of SAMBA smb.conf: - Simply use fall through from the samba printer to the unix - printer. Sample: - - - printcap name = /etc/printcap - print command = /usr/bin/lpr -r -P %p %s - lpq command = /usr/bin/lpq -P %p - lprm command = /usr/bin/lprm -P %p %j - - -[fax] - comment = FAX (mgetty+sendfax) - path = /tmp - printable = yes - public = yes - writable = no - create mode = 0700 - browseable = yes - guest ok = no - - - diff --git a/docs/textdocs/GOTCHAS.txt b/docs/textdocs/GOTCHAS.txt deleted file mode 100644 index bc5c6dae85..0000000000 --- a/docs/textdocs/GOTCHAS.txt +++ /dev/null @@ -1,68 +0,0 @@ -This file lists Gotchas to watch out for: -========================================================================= -Item Number: 1.0 -Description: Problem Detecting Interfaces -Symptom: Workstations do NOT see Samba server in Browse List -OS: RedHat - Rembrandt Beta 2 -Platform: Intel -Date: August 16, 1996 -Submitted By: John H Terpstra -Details: - By default RedHat Rembrandt-II during installation adds an - entry to /etc/hosts as follows:- - 127.0.0.1 loopback "hostname"."domainname" - - This causes Samba to loop back onto the loopback interface. - The result is that Samba fails to communicate correctly with - the world and therefor may fail to correctly negotiate who - is the master browse list holder and who is the master browser. - -Corrective Action: Delete the entry after the word loopback - in the line starting 127.0.0.1 -========================================================================= -Item Number: 2.0 -Description: Problems with MS Windows NT Server network logon service -Symptom: Loss of Domain Logon Services and failed Windows NT / 95 - logon attempts. -OS: All Unix systems with Windows NT Domain Control environments. -Platform: All -Date: February 1, 1997 -Submitted By: John H Terpstra -Details: - Samba is configured for Domain logon control in a network - where a Windows NT Domain Primary Controller is running. - - Case 1: - The Windows NT Server is shut down, then restarted. Then - the Samba server is reconfigured so that it NO LONGER offers - Domain logon services. Windows NT and 95 workstations can no - longer log onto the domain. Ouch!!! - - Case 2: - The Windows NT Server which is running the Network logon - Service is shut down and restarted while Samba is a domain - controller offering the Domain LogOn service. Windows NT - Workstation and Server can no longer log onto the network. - - Cause: - Windows NT checks at start up to see if any domain logon - controllers are already running within the domain. It finds - Samba claiming to offer the service and therefore does NOT - start its Network Logon Service. - - Windows NT needs the Windows NT network logon service to gain - from its Domain controller's SAM database the security - identifier for the user loging on. - -Work-around: Stop the Samba nmbd and smbd processes, then on the Windows - NT Primary Domain Controller start the Network Logon Service. - Now restart the Samba nmbd and smbd services. - - Better still: DO NOT CONFIGURE SAMBA AS THE NETWORK LOGON - SERVER, DO NOT SET SAMBA TO BE THE DOMAIN MASTER, DO NOT - SET SAMBA TO OS LEVEL GREATER THAN 0. - - ie: Let Windows NT Server be the Domain Logon server, the - domain master browser and do NOT interfere with any aspect - of Microsoft Windows NT Domain Control. -========================================================================= diff --git a/docs/textdocs/HINTS.txt b/docs/textdocs/HINTS.txt deleted file mode 100644 index 877640108c..0000000000 --- a/docs/textdocs/HINTS.txt +++ /dev/null @@ -1,212 +0,0 @@ -Contributor: Many -Updated: Not for a long time! - -Subject: A collection of hints -Status: May be useful information but NOT current -=============================================================================== - -Here are some random hints that you may find useful. These really -should be incorporated in the main docs someday. - - ----------------------- -HINT: Always test your smb.conf with testparm before using it - -If your smb.conf file is invalid then samba will fail to load. Run -testparm over it before you install it just to make sure there aren't -any basic syntax or logical errors. - - ----------------------- -HINT: Try printing with smbclient first - -If you have problems printing, test with smbclient first. Just connect using -"smbclient '\\server\printer' -P" and use the "print" command. - -Once this works, you know that Samba is setup correctly for printing, -and you should be able to get it to work from your PCs. - -This particularly helps in getting the "print command" right. - - ----------------------- -HINT: Mount cdroms with conv=binary - -Some OSes (notably Linux) default to auto detection of file type on -cdroms and do cr/lf translation. This is a very bad idea when use with -Samba. It causes all sorts of stuff ups. - -To overcome this problem use conv=binary when mounting the cdrom -before exporting it with Samba. - - ----------------------- -HINT: Convert between unix and dos text formats - -Jim barry has written an excellent drag-and-drop cr/lf converter for -windows. Just drag your file onto the icon and it converts the file. - -Get it from -ftp://samba.org/pub/samba/contributed/fixcrlf.zip - -The utilities unix2dos and dos2unix(in the mtools package) should do -the job under unix. - ----------------------- -HINT: Use the "username map" option - -If the usernames used on your PCs don't match those used on the unix -server then you will find the "username map" option useful. - ------------------------ -HINT: Use "security = user" in [global] - -If you have the same usernames on the unix box and the PCs or have -mapped them with the "username map" option then choose "security = -user" in the [global] section of smb.conf. - -This will mean your password is checked only when you first connect, -and subsequent connections to printers, disks etc will go more -smoothly and much faster. - -The main problem with "security = user" if you use WfWg is that you -will ONLY be able to connect as the username that you log into WfWg -with. This is because WfWg silently ignores the password field in the -connect drive dialog box if the server is in user security mode. - ------------------------- -HINT: Make your printers not "guest ok" - -If your printers are not "guest ok" and you are using "security = -user" and have matching unix and PC usernames then you will attach to -the printer without trouble as your own username. This will mean you -will be able to delete print jobs (in 1.8.06 and above) and printer -accounting will be possible. - - ------------------------ -HINT: Use a sensible "guest" account - -Even if all your services are not available to "guest" you will need a -guest account. This is because the browsing is done as guest. In many -cases setting "guest account = ftp" will do the trick. Using the -default guest account or "guest account = nobody" will give problems on -many unixes. If in doubt create another account with minimal -privilages and use it instead. Your users don't need to know the -password of the guest account. - - ------------------------ -HINT: Use the latest TCP/IP stack from microsoft if you use Windows -for workgroups. - -The early TCP/IP stacks had lots of bugs. - -Microsoft has released an incremental upgrade to their TCP/IP 32-Bit -VxD drivers. The latest release can be found on their ftp site at -ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe. -There is an update.txt file there that describes the problems that were -fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386, -WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE. - - ------------------------ -HINT: nmbd can act as a "WINS" server - -By default SMB clients use broadcasts to find shares. Recent clients -(such as WfWg) can use a "wins" server instead, whcih reduces your -broadcast traffic and allows you to find names across routers. - -Just point your WfWg, Win95 and NT clients at the Samba box in the WINS option. - -Note: nmbd does not support all WINS operations. Anyone out there have -a spec they could send me? - ------------------------ -HINT: you may need to delete your .pwl files when you change password. - -WfWg does a lousy job with passwords. I find that if I change my -password on either the unix box or the PC the safest thing to do is to -delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password. - -If you don't do this you may find that WfWg remembers and uses the old -password, even if you told it a new one. - -Often WfWg will totally ignore a password you give it in a dialog box. - ----------------------- -HINT: Using MS Access - -Here are some notes on running MS-Access on a Samba drive from Stefan -Kjellberg <stefank@esi.com.au> - -1. Opening a database in 'exclusive' mode does NOT work. Samba ignores - r/w/share modes on file open. - -2. Make sure that you open the database as 'shared' and to 'lock modified - records' - -3. Of course locking must be enabled for the particular share (smb.conf) - - ---------------------- -HINT: password cacheing in WfWg - -Here is a hint from michael@ecel.uwa.edu.au (Michael Simmons): - -In case people where not aware. There is a program call admincfg.exe -on the last disk (disk 8) of the WFW 3.11 disk set. To install it -type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon -for it via the "Progam Manager" "New" Menu. This program allows you -to control how WFW handles passwords. ie disable Password Caching etc -for use with "security = user" - - --------------------- -HINT: file descriptor limits - -If you have problems with the limits on the number of open files you -can edit local.h to fix it. - --------------------- -HINT: HPUX initgroups() problem - -here is a hint from Frank Wales [frank@arcglade.demon.co.uk]: - -HP's implementation of supplementary groups is, er, non-standard (for -hysterical reasons). There are two group files, /etc/group and -/etc/logingroup; the system maps UIDs to numbers using the former, but -initgroups() reads the latter. Most system admins who know the ropes -symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons -too stupid to go into here). initgroups() will complain if one of the -groups you're in in /etc/logingroup has what it considers to be an invalid -ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think) -60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody' -GIDs. - -Perhaps you could suggest to users that, if they encounter this problem, -they make sure that the programs that are failing to initgroups() be -run as users not in any groups with GIDs outside the allowed range. - -This is documented in the HP manual pages under setgroups(2) and passwd(4). - - ---------------------- -HINT: Patch your SCO system - -If you run SCO Unix then you may need to get important TCP/IP patches -for Samba to work correctly. Try - -Paul_Davis@mindlink.bc.ca writes: - - I was having problems with Accpac using 1.9.02 on SCO Unix. One - posting function reported corrupted data. After installing uod385a, - the problem went away (a restore from backup and then another - run-thru). - - It appears that the uod385a update for SCO may be fairly important for - a lot of different DOS and Windows software under Samba. - - uod385a can be found at ftp.sco.com /SLS/uod385a.Z and uod385a.ltr.Z. - - diff --git a/docs/textdocs/README.DCEDFS b/docs/textdocs/README.DCEDFS deleted file mode 100644 index da9bb2197d..0000000000 --- a/docs/textdocs/README.DCEDFS +++ /dev/null @@ -1,78 +0,0 @@ -Contributor: Jim Doyle <doyle@oec.com> -Date: 06-02-95 -Status: Current but needs updating - -Subject: Basic DCE/DFS Support for SAMBA 1.9.13 -============================================================================= - -Functionality: --------------- - - Per-instance authentication for DCE/DFS. - -Missing Functionality in this Implementation: ---------------------------------------------- - - * No automatic refresh of credentials - - To do so would not be that hard.. One could simply - stash the clear-text key in memory, spawn a key management - thread to wake up right before credentials expire and - refresh the login context. - - * No UNIX Signals support (SIGCLD, SIGPIPE, SIGHUP, SIGBUS, SIGSEGV) - - - There is no support for signal processing in Samba daemons - that need to authenticate with DCE. The explanation for this - is that the smbd is linked against thread-safe libraries in - order to be able to use DCE authentication mechanisms. - Because smbd uses signal() and fork(), it represents the - worst case scenario for DCE portability. In order - to properly support signals in a forked server environment, - some rework of smbd is needed in order to properly - construct, shutdown and reconstruct asynchronous signal - handling threads and synchronous signal traps across the - parent and child. I have not had contiguous time to work - on it, I expect it to be a weeks worth of work to cleanly - integrate thread-safe signal handing into the code and - test it. Until I can get to this task, I will leave it up - to someone adventurous enough to engineer it and negotiate - with Andrew to integrate the changes into the mainline branch. - - The lack of full signal support means that you cannot - rely upon SIGHUP-ing the parent daemon to refresh - the configuration data. Likewise, you cannot take advantage - of the builtin SIGBUS/SIGSEGV traps to diagnose failures. - You will have to halt Samba in order to make changes - and then have them take effect. - - The SMBD server as it stands is suitable to use if you - already have experience with configuring and running - SAMBA. - -Tested Platforms: ------------------ - - HP-UX 9.05 / HP-UX DCE 1.2.1 - AIX 3.2.5 / AIX DCE/6000 1.3 - DEC OSF-1 3.0 / DEC DCE 1.3 - -Building: ---------- - - - Uncomment the the appropriate block in the Makefile - for the platform you wish to build on. - - - Samples of Samba server configuration files for our - DFS environment are included in samples.dcedfs/ - - - -Bugs, Suggestions, etc.. --------------------------- - - Please post them to the mailing list. - That way I will see them and they will become part of - the archives so others can share the knowledge. - diff --git a/docs/textdocs/Recent-FAQs.txt b/docs/textdocs/Recent-FAQs.txt deleted file mode 100644 index feed127827..0000000000 --- a/docs/textdocs/Recent-FAQs.txt +++ /dev/null @@ -1,286 +0,0 @@ -Contributor: Samba-bugs@samba.org -Date: July 5, 1998 -Status: Current - -============================================================================= -Subject: Recent FAQ answers to common questions / problems -============================================================================= -Contents: NetWkstaUserLogon - Not listening for calling name - System Error 1240 - Trapdoor UID - User Access Control - Using NT to Browse Samba Shares - setup.exe and 16 bit programs - smbclient -N - -NetWkstaUserLogon -================= -FAQ answer about the new password server code: - -In 1.9.18 you can disable the NetWkstaUserLogon call at compile time -in local.h and from 1.9.18p3 you can now disable it from an option in -your smb.conf. - -The password server behaviour changed because we discovered that bugs -in some NT servers allowed anyone to login with no password if they -chose an account name that did not exist on the password server. The -NT password server was saying "yes, it's OK to login" even when the -account didn't exist at all! Adding the NetWkstaUserLogon call fixed -the problem, and follows the "recommended" method that MS have -recently documented for pass through authentication. - -The problem now is that some NT servers (in particular NT -workstation?) don't support the NetWkstaUserLogon call. The call also -doesn't work for accounts in trust relationships. - -The eventual solution for this will be to replace the password server -code in Samba with NT domain code as that is developed. For now you -have the choice of compiling Samba either with or without the -NetWkstaUserLogon call in the password server code. - -In 1.9.18p3 the following was added (copied from the 1.9.18p3 release -notes): - -In the [global] section of smb.conf : - -networkstation user login - -This code (submitted by Rob Nielsen) allows the code many people -were having problems with that queries an NT password server to -be turned off at runtime rather than compile time. Please see the -documentation in the smb.conf manual page for details. This is a -security option - it must only be turned off after checks have been -made to ensure that your NT password server does not suffer from the -bug this code was meant to protect against ! - -In 1.9.18 you can enable/disable this call in local.h. In 1.9.17p5 -you could apply the following patch. Applying this patch will make -the password server code behave like the code in earlier versions -of Samba. If you do this then please ensure that you test to see -that users are prevented from logging in if they give a bogus -username/password. You may have a NT server that is affected by the -bug that this code is designed to avoid. - - ---- password.c 1997/10/21 10:09:28 1.25.2.4 -+++ password.c 1997/12/31 06:43:06 -@@ -1619,6 +1619,7 @@ - } - - -+#if 0 - if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) { - DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost)); - cli_tdis(&cli); -@@ -1638,6 +1639,7 @@ - cli_tdis(&cli); - return False; - } -+#endif - - DEBUG(3,("password server %s accepted the password\n", cli.desthost)); -=============================================================================== - -Not listening for calling name -============================== - -> Session request failed (131,129) with myname=HOBBES destname=CALVIN -> Not listening for calling name - -If you get this when talking to a Samba box then it means that your -global "hosts allow" or "hosts deny" settings are causing the Samba -server to refuse the connection. - -Look carefully at your "hosts allow" and "hosts deny" lines in the -global section of smb.conf. - -It can also be a problem with reverse DNS lookups not functioning -correctly, leading to the remote host identity not being able to -be confirmed, but that is less likely. -=============================================================================== - -System Error 1240 -================= -System error 1240 means that the client is refusing to talk -to a non-encrypting server. Microsoft changed WinNT in service -pack 3 to refuse to connect to servers that do not support -SMB password encryption. - -There are two main solutions: - -1) enable SMB password encryption in Samba. See ENCRYPTION.txt in the -Samba docs - -2) disable this new behaviour in NT. See WinNT.txt in the -Samba docs -=============================================================================== - -Trapdoor UID -============ -> Log message "you appear to have a trapdoor uid system" - -This can have several causes. It might be because you are using a uid -or gid of 65535 or -1. This is a VERY bad idea, and is a big security -hole. Check carefully in your /etc/passwd file and make sure that no -user has uid 65535 or -1. Especially check the "nobody" user, as many -broken systems are shipped with nobody setup with a uid of 65535. - -It might also mean that your OS has a trapdoor uid/gid system :-) - -This means that once a process changes effective uid from root to -another user it can't go back to root. Unfortunately Samba relies on -being able to change effective uid from root to non-root and back -again to implement its security policy. If your OS has a trapdoor uid -system this won't work, and several things in Samba may break. Less -things will break if you use user or server level security instead of -the default share level security, but you may still strike -problems. - -The problems don't give rise to any security holes, so don't panic, -but it does mean some of Samba's capabilities will be unavailable. -In particular you will not be able to connect to the Samba server as -two different uids at once. This may happen if you try to print as a -"guest" while accessing a share as a normal user. It may also affect -your ability to list the available shares as this is normally done as -the guest user. - -Complain to your OS vendor and ask them to fix their system. - -Note: the reason why 65535 is a VERY bad choice of uid and gid is that -it casts to -1 as a uid, and the setreuid() system call ignores (with -no error) uid changes to -1. This means any daemon attempting to run -as uid 65535 will actually run as root. This is not good! -=============================================================================== - -User Access Control -=================== -> In windows when i set up a share in "user mode" i get the message: -> "You cannot view the list of users at this time. Please try again later." -> -> I know you have lists of users for access and aliasing purposes, but i -> have read nothing to support the idea that these lists control the Domain -> Users List... - -Samba does NOT at this time support user mode access control for Window 9x -of for NT. This is a priority item and requires full implementation of the NT SMB -protocol calls. Samba-1.9.19 will go into alpha in about 2 months time and will -have a more full implementation of the NT SMB protocols to support Domain Client -interoperability. When we can see that this has been succesful we wil then implement -the NT SMB Server components. This will probably be released as Samba-2.0 - -Samba-1.9.18p5 is scheduled to go out within 14 days. This will close off the 1.9.18 -branch and then opens the way to progress 1.9.19. - -I hope this answers your concerns adequately. -=============================================================================== - -Using NT to Browse Samba Shares -=============================== -> WIN-NT workstations (nt4.0, service pack 3) -> samba with -> security = user -> encrypt passwords = yes -> guest account = guest -> -> start the explorer on a win-nt workstation and select network. I find -> my unix server running samba, but I can not see the list of shares -> unless I am a user, who is known in the smbpasswd of the unix machine. -> The guest account "guest" exists on my unix machine. For testing I even -> made him a regular user with a password. -> -> With my network monitor I can see, that the win-nt workstation uses the -> current login, to connect to IPC$ on the samba server -> (for example "administrator"), not the guest account. - -This is exactly how Windows NT works. You MUST have a valid account on the Windows -NT box you are trying to see the resource list on. If your currently logged in -account details do NOT match an account on the NT machine you are trying to access -then you will be presented with a logon box for that machine. When you enter the -name of an account on that machine / domain, together with a valid password then -the resource list is made available. If the account details are not correct then -no resource list is shown. - -Samba follows the behaviour of Windows NT exactly. - -Warning:Warning:Warning: -======================== -Samba can be compiled with the GUEST_SESSION_SETUP option at 0,1 or 2. -The default is 0. If this is set to 1 or 2 then Windows NT machines that DO NOT -have an account on the Samba server will see the resource list. The down side of this -is that legitimate users may then be refused access to their legitimate resources. -Setting this option creates serious security holes. DO NOT DO IT. Samba has the -value of this option set at 0 - NOT WITHOUT REASON!!!! - -******> Warning:Warning:Warning: ****> Do not tamper with this setting!!! -=============================================================================== - -setup.exe and 16 bit programs -============================= -Running 16 bit programs from Windows NT on a Samba mapped drive ---------------------------------------------------------------- - -The Windows NT redirector has a bug when running against a -Samba or Windows 95 mapped drive and attempting to run a -16 bit executable. - -The problem occurs when the pathname to a 16 bit executable -contains a non 8.3 filename complient directory component, -Windows NT will fail to load the program and complain it -cannot find the path to the program. - -It can be verified that this is a bug in Windows NT and -not Samba as the same problem can be reproduced exactly -when attempting to run the same program with the same -pathname from a Windows 95 server (ie. the problem still -exists even with no Samba server involved). - -Microsoft have been made aware of this problem, it is -unknown if they regard it as serious enough to provide -a fix for this. - -One of the reasons this problem is reported frequently -is that InstallShield setup.exe executables are frequently -written as 16 bit programs, and so hit this problem. - -As a workaround, you may create (on a Samba server at -least) a symbolic link with an 8.3 complient name to -the non 8.3 complient directory name, and then the 16 -bit program will run. Alternatively, use the 8.3 -complient mangled name to specify the path to run -the binary. - -This will be fixed when Samba adds the NT-specific -SMB calls (currently targeted for the next major -Samba release), as once the NT SMB calls are used -this problem no longer occurs (which is why the -problem doesn't occur when running against a drive -mapped to a Windows NT server). - -Regards, - - Jeremy Allison. - Samba Team. -=============================================================================== - -smbclient -N -============ -> When getting the list of shares available on a host using the command -> smbclient -N -L <server> -> the program always prompts for the password if the server is a Samba server. -> It also ignores the "-N" argument when querying some (but not all) of our -> NT servers. - -No, it does not ignore -N, it is just that your server rejected the -null password in the connection, so smbclient prompts for a password -to try again. - -To get the behaviour that you probably want use - smbclient -L host -U% - -this will set both the username and password to null, which is -an anonymous login for SMB. Using -N would only set the password -to null, and this is not accepted as an anonymous login for most -SMB servers. -=============================================================================== - diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt deleted file mode 100644 index 38705f018a..0000000000 --- a/docs/textdocs/UNIX_SECURITY.txt +++ /dev/null @@ -1,54 +0,0 @@ -Contributor: John H Terpstra <jht@samba.org> -Date: July 5, 1998 -Status: Current - -Subject: SETTING UNIX FILE SYSTEM SECURITY -=============================================================================== -The following excerpt from a bug report demonstrates the need to -understand Unix file system security and to manage it correctly. - -Quote: -====== -> We are unable to keep individual users from mapping to any other user's -> home directory once they have supplied a valid password! They only need -> to enter their own password. I have not found *any* method that I can -> use to configure samba to enforce that only a user may map their own -> home directory. -> -> User xyzzy can map his home directory. Once mapped user xyzzy can also map -> *anyone* elses home directory! - -ANSWER: -======= -This is not a security flaw, it is by design. Samba allows -users to have *exactly* the same access to the UNIX filesystem -as they would if they were logged onto the UNIX box, except -that it only allows such views onto the file system as are -allowed by the defined shares. - -This means that if your UNIX home directories are set up -such that one user can happily cd into another users -directory and do an ls, the UNIX security solution is to -change the UNIX file permissions on the users home directories -such that the cd and ls would be denied. - -Samba tries very hard not to second guess the UNIX administrators -security policies, and trusts the UNIX admin to set -the policies and permissions he or she desires. - -Samba does allow the setup you require when you have set the -"only user = yes" option on the share, is that you have not set the -valid users list for the share. - -Note that only user works in conjunction with the users= list, -so to get the behavior you require, add the line : - -users = %S - -this is equivalent to: - -valid users = %S - -to the definition of the [homes] share, as recommended in -the smb.conf man page. - |