summaryrefslogtreecommitdiff
path: root/docs/textdocs
diff options
context:
space:
mode:
Diffstat (limited to 'docs/textdocs')
-rw-r--r--docs/textdocs/ADS-HOWTO.txt142
-rw-r--r--docs/textdocs/Application_Serving.txt56
-rw-r--r--docs/textdocs/BROWSING-Config.txt215
-rw-r--r--docs/textdocs/DHCP-Server-Configuration.txt240
-rw-r--r--docs/textdocs/Faxing.txt220
-rw-r--r--docs/textdocs/GOTCHAS.txt68
-rw-r--r--docs/textdocs/HINTS.txt212
-rw-r--r--docs/textdocs/README.DCEDFS78
-rw-r--r--docs/textdocs/Recent-FAQs.txt286
-rw-r--r--docs/textdocs/UNIX_SECURITY.txt54
10 files changed, 0 insertions, 1571 deletions
diff --git a/docs/textdocs/ADS-HOWTO.txt b/docs/textdocs/ADS-HOWTO.txt
deleted file mode 100644
index 7a066c69ec..0000000000
--- a/docs/textdocs/ADS-HOWTO.txt
+++ /dev/null
@@ -1,142 +0,0 @@
-Samba 3.0 prealpha guide to Kerberos authentication
----------------------------------------------------
-
-Andrew Tridgell
-tridge@samba.org
-
-This is a VERY ROUGH guide to setting up the current (November 2001)
-pre-alpha version of Samba 3.0 with kerberos authentication against a
-Windows2000 KDC. The procedures listed here are likely to change as
-the code develops.
-
-Pieces you need before you begin:
-
-- a Windows 2000 server
-- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to
- fetch this.
-- the MIT kerberos development libraries (either install from the
- above sources or use a package). Under debian you need "libkrb5-dev"
- and "krb5-user". The heimdal libraries will not work.
-- the OpenLDAP development libraries.
-
-On RedHat this means you should have at least:
-
-krb5-workstation (for kinit)
-krb5-libs (for linking with)
-krb5-devel (because you are compiling from source)
-
-in addition to the standard development environment.
-
-Note that these are not standard on a RedHat install, and you may need
-to get them off CD2.
-
-Also check that you have the latest copy of this HOWTO. It is
-available from http://samba.org/ftp/tridge/kerberos/HOWTO
-
-Step 1: Compile Samba
-
- If your kerberos libraries are in a non-standard location then
- remember to add the configure option --with-krb5=DIR.
-
- After you run configure make sure that include/config.h contains
- lines like this:
-
- #define HAVE_KRB5 1
- #define HAVE_LDAP 1
-
- If it doesn't then configure did not find your krb5 libraries or
- your ldap libraries. Look in config.log to figure out why and fix
- it.
-
- Then compile and install Samba as usual. You must use at least the
- following 3 options in smb.conf:
-
- realm = YOUR.KERBEROS.REALM
- ads server = your.kerberos.server
- security = ADS
- encrypt passwords = yes
-
- Strictly speaking, you can omit the realm name and you can use an IP
- address for the ads server. In that case Samba will auto-detect these.
-
- You do *not* need a smbpasswd file, although it won't do any harm
- and if you have one then Samba will be able to fall back to normal
- password security for older clients. I expect that the above
- required options will change soon when we get better active
- directory integration.
-
-
-Step 2: Setup your /etc/krb5.conf
-
- The minimal configuration for krb5.conf is:
-
- [realms]
- YOUR.KERBEROS.REALM = {
- kdc = your.kerberos.server
- }
-
-
- Test your config by doing a "kinit USERNAME@REALM" and making sure that
- your password is accepted by the Win2000 KDC.
-
- NOTE: The realm must be uppercase.
-
- You also must ensure that you can do a reverse DNS lookup on the IP
- address of your KDC. Also, the name that this reverse lookup maps to
- must either be the netbios name of the KDC (ie. the hostname with no
- domain attached) or it can alternatively be the netbios name
- followed by the realm.
-
- The easiest way to ensure you get this right is to add a /etc/hosts
- entry mapping the IP address of your KDC to its netbios name. If you
- don't get this right then you will get a "local error" when you try
- to join the realm.
-
-* If all you want is kerberos support in smbclient then you can skip
-* straight to step 5 now. Step 3 is only needed if you want kerberos
-* support in smbd.
-
-
-Step 3: Create the computer account
-
- Do a "kinit" as a user that has authority to change arbitrary
- passwords on the KDC ("Administrator" is a good choice). Then as a
- user that has write permission on the Samba private directory
- (usually root) run:
-
- net ads join
-
- Possible errors:
- - "bash: kinit: command not found":
- - kinit is in the krb5-workstation RPM on RedHat systems, and is
- in /usr/kerberos/bin, so it won't be in the path until
- you log in again (or open a new terminal)
- - "ADS support not compiled in"
- - Samba must be reconfigured (remove config.cache) and
- recompiled (make clean all install) after the kerberos libs
- and headers are installed.
-
-
-Step 4: Test your server setup
-
- On a Windows 2000 client try "net use * \\server\share". You should
- be logged in with kerberos without needing to know a password. If
- this fails then run "klist tickets". Did you get a ticket for the
- server? Does it have an encoding type of DES-CBC-MD5 ?
-
-Step 5: Testing with smbclient
-
- On your Samba server try to login to a Win2000 server or your Samba
- server using smbclient and kerberos. Use smbclient as usual, but
- specify the -k option to choose kerberos authentication.
-
-
---------
-
-NOTES:
- - must change administrator password at least once after DC install,
- to create the right encoding types
-
- - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
- their defaults DNS setup. Maybe fixed in service packs?
-
diff --git a/docs/textdocs/Application_Serving.txt b/docs/textdocs/Application_Serving.txt
deleted file mode 100644
index 6a61a99d7e..0000000000
--- a/docs/textdocs/Application_Serving.txt
+++ /dev/null
@@ -1,56 +0,0 @@
-Contributed: January 7, 1997
-Updated: March 24, 1998
-Contributor: John H Terpstra <samba@samba.org>
- Copyright (C) 1997 - John H Terpstra
-Status: Current
-
-Subject: Using a Samba share as an administrative share for MS Office, etc.
-==============================================================================
-
-Problem:
-========
-Microsoft Office products can be installed as an administrative installation
-from which the application can either be run off the administratively installed
-product that resides on a shared resource, or from which that product can be
-installed onto workstation clients.
-
-The general mechanism for implementing an adminstrative installation involves
-running:
- X:\setup /A, where X is the drive letter of either CDROM or floppy
-
-This installation process will NOT install the product for use per se, but
-rather results in unpacking of the compressed distribution files into a target
-shared folder. For this process you need write privilidge to the share and it
-is desirable to enable file locking and share mode operation during this
-process.
-
-Subsequent installation of MS Office from this share will FAIL unless certain
-precautions are taken. This failure will be caused by share mode operation
-which will prevent the MS Office installation process from re-opening various
-dynamic link library files and will cause sporadic file not found problems.
-
-Solution:
-=========
-1. As soon as the administrative installation (unpacking) has completed
- set the following parameters on the share containing it:
- [MSOP95]
- path = /where_you_put_it
- comment = Your comment
- volume = "The_CD_ROM_Label"
- read only = yes
- available = yes
- share modes = no
- locking = no
- browseable = yes
- public = yes
-
-2. Now you are ready to run the setup program from the Microsoft Windows
-workstation as follows:-
- \\"Server_Name"\MSOP95\msoffice\setup
-
-MS Office Sharing - Please note:
-================================
-
-Workgroup Templates should be stored on an ordinary writable or read-only share
-but USER templates MUST be stored on a writable share _OR_ on the users' local
-machine.
diff --git a/docs/textdocs/BROWSING-Config.txt b/docs/textdocs/BROWSING-Config.txt
deleted file mode 100644
index ba0f399f48..0000000000
--- a/docs/textdocs/BROWSING-Config.txt
+++ /dev/null
@@ -1,215 +0,0 @@
-Date: July 5, 1998
-Contributor: John H Terpstra <jht@samba.org>
-
-Subject: Cross Subnet Browsing / Cross Workgroup Browsing
-===============================================================================
-
-OVERVIEW:
-=========
-
-This document should be read in conjunction with BROWSING.txt and may
-be taken as the fast track guide to implementing browsing across subnets
-and / or across workgroups (or domains). WINS is the best tool for resolution
-of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling
-except by way of name to address mapping.
-
-
-DISCUSSION:
-===========
-
-Firstly, all MS Windows networking is based on SMB (Server Message
-Block) based messaging. SMB messaging is implemented using NetBIOS. Samba
-implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can
-do likewise. NetBIOS based networking uses broadcast messaging to affect
-browse list management. When running NetBIOS over TCP/IP this uses UDP
-based messaging. UDP messages can be broadcast or unicast.
-
-Normally, only unicast UDP messaging can be forwarded by routers. The
-"remote announce" parameter to smb.conf helps to project browse announcements
-to remote network segments via unicast UDP. Similarly, the "remote browse sync"
-parameter of smb.conf implements browse list collation using unicast UDP.
-
-Secondly, in those networks where Samba is the only SMB server technology
-wherever possible nmbd should be configured on one (1) machine as the WINS
-server. This makes it easy to manage the browsing environment. If each network
-segment is configured with it's own Samba WINS server, then the only way to
-get cross segment browsing to work is by using the "remote announce" and
-the "remote browse sync" parameters to your smb.conf file.
-
-If only one WINS server is used then the use of the "remote announce" and the
-"remote browse sync" parameters should NOT be necessary.
-
-Samba WINS does not support MS-WINS replication. This means that when setting up
-Samba as a WINS server there must only be one nmbd configured as a WINS server
-on the network. Some sites have used multiple Samba WINS servers for redundancy
-(one server per subnet) and then used "remote browse sync" and "remote announce"
-to affect browse list collation across all segments. Note that this means
-clients will only resolve local names, and must be configured to use DNS to
-resolve names on other subnets in order to resolve the IP addresses of the
-servers they can see on other subnets. This setup is not recommended, but is
-mentioned as a practical consideration (ie: an 'if all else fails' scenario).
-
-Lastly, take note that browse lists are a collection of unreliable broadcast
-messages that are repeated at intervals of not more than 15 minutes. This means
-that it will take time to establish a browse list and it can take up to 45
-minutes to stabilise, particularly across network segments.
-
-
-A) Use of the "Remote Announce" parameter
-------------------------------------------
-The "remote announce" parameter of smb.conf can be used to forcibly ensure
-that all the NetBIOS names on a network get announced to a remote network.
-The syntax of the "remote announce" parameter is:
-
- remote announce = a.b.c.d [e.f.g.h] ...
-_or_
- remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
-
-where:
- a.b.c.d: is either the LMB (Local Master Browser) IP address
- e.f.g.h: or the broadcst address of the remote network.
- ie: the LMB is at 192.168.1.10, or the address
- could be given as 192.168.1.255 where the netmask
- is assumed to be 24 bits (255.255.255.0).
- When the remote announcement is made to the broadcast
- address of the remote network every host will receive
- our announcements. This is noisy and therefore
- undesirable but may be necessary if we do NOT know
- the IP address of the remote LMB.
-
- WORKGROUP: is optional and can be either our own workgroup
- or that of the remote network. If you use the
- workgroup name of the remote network then our
- NetBIOS machine names will end up looking like
- they belong to that workgroup, this may cause
- name resolution problems and should be avoided.
-
-
-B) Use of the "Remote Browse Sync" parameter
---------------------------------------------
-
-The "remote browse sync" parameter of smb.conf is used to announce to
-another LMB that it must synchronise it's NetBIOS name list with our
-Samba LMB. It works ONLY if the Samba server that has this option is
-simultaneously the LMB on it's network segment.
-
-The syntax of the "remote browse sync" parameter is:
-
- remote browse sync = a.b.c.d
-
-where:
- a.b.c.d: is either the IP address of the remote LMB or else
- is the network broadcast address of the remote segment.
-
-
-C) Use of WINS
---------------
-
-Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
-recommended. Every NetBIOS machine registers it's name together with a
-name_type value for each of of several types of service it has available.
-eg: It registers it's name directly as a unique (the type 0x03) name.
-It also registers it's name if it is running the lanmanager compatible
-server service (used to make shares and printers available to other users)
-by registering the server (the type 0x20) name.
-
-All NetBIOS names are up to 15 characters in length. The name_type variable
-is added to the end of the name - thus creating a 16 character name. Any
-name that is shorter than 15 characters is padded with spaces to the 15th
-character. ie: All NetBIOS names are 16 characters long (including the
-name_type information).
-
-WINS can store these 16 character names as they get registered. A client
-that wants to log onto the network can ask the WINS server for a list
-of all names that have registered the NetLogon service name_type. This saves
-broadcast traffic and greatly expedites logon processing. Since broadcast
-name resolution can not be used across network segments this type of
-information can only be provided via WINS _or_ via statically configured
-"lmhosts" files that must reside on all clients in the absence of WINS.
-
-WINS also serves the purpose of forcing browse list synchronisation by all
-LMB's. LMB's must synchronise their browse list with the DMB (domain master
-browser) and WINS helps the LMB to identify it's DMB. By definition this
-will work only within a single workgroup. Note that the domain master browser
-has NOTHING to do with what is referred to as an MS Windows NT Domain. The
-later is a reference to a security environment while the DMB refers to the
-master controller for browse list information only.
-
-Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
-has been configured to use the WINS server/s. Any client that has not been
-configured to use the WINS server will continue to use only broadcast based
-name registration so that WINS may NEVER get to know about it. In any case,
-machines that have not registered with a WINS server will fail name to address
-lookup attempts by other clients and will therefore cause workstation access
-errors.
-
-To configure Samba as a WINS server just add "wins support = yes" to the
-smb.conf file [globals] section.
-
-To configure Samba to register with a WINS server just add
-"wins server = a.b.c.d" to your smb.conf file [globals] section.
-
-DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d"
-particularly not using it's own IP address.
-
-
-D) Do NOT use more than one (1) protocol on MS Windows machines
----------------------------------------------------------------
-
-A very common cause of browsing problems results from installing more than
-one protocol on an MS Windows machine.
-
-Every NetBIOS machine take part in a process of electing the LMB (and DMB)
-every 15 minutes. A set of election criteria is used to determine the order
-of precidence for winning this election process. A machine running Samba or
-Windows NT will be biased so that the most suitable machine will predictably
-win and thus retain it's role.
-
-The election process is "fought out" so to speak over every NetBIOS network
-interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
-installed and has NetBIOS enabled over both protocols the election will be
-decided over both protocols. As often happens, if the Windows 9x machine is
-the only one with both protocols then the LMB may be won on the NetBIOS
-interface over the IPX protocol. Samba will then lose the LMB role as Windows
-9x will insist it knows who the LMB is. Samba will then cease to function
-as an LMB and thus browse list operation on all TCP/IP only machines will
-fail.
-
-The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
-
-
-E) Name Resolution Order
-========================
-
-Resolution of NetBIOS names to IP addresses can take place using a number
-of methods. The only ones that can provide NetBIOS name_type information
-are:
- WINS: the best tool!
- LMHOSTS: is static and hard to maintain.
- Broadcast: uses UDP and can not resolve names across
- remote segments.
-
-Alternative means of name resolution includes:
- /etc/hosts: is static, hard to maintain, and lacks name_type info.
- DNS: is a good choice but lacks essential name_type info.
-
-Many sites want to restrict DNS lookups and want to avoid broadcast name
-resolution traffic. The "name resolve order" parameter is of great help here.
-The syntax of the "name resolve order" parameter is:
-
- name resolve order = wins lmhosts bcast host
-_or_
- name resolve order = wins lmhosts (eliminates bcast and host)
-
-the default is:
- name resolve order = host lmhost wins bcast
-
-where:
- "host" refers the the native methods used by the Unix system
- to implement the gethostbyname() function call. This is normally
- controlled by:
- /etc/host.conf
- /etc/nsswitch.conf
- /etc/resolv.conf
-
-===============================================================================
diff --git a/docs/textdocs/DHCP-Server-Configuration.txt b/docs/textdocs/DHCP-Server-Configuration.txt
deleted file mode 100644
index 499706955f..0000000000
--- a/docs/textdocs/DHCP-Server-Configuration.txt
+++ /dev/null
@@ -1,240 +0,0 @@
-Subject: DHCP Server Configuration for SMB Clients
-Date: March 1, 1998
-Updated: May 15, 2001
-Contributor: John H Terpstra <jht@samba.org>
-Support: This is an unsupported document. Refer to documentation that is
- supplied with the ISC DHCP Server. Do NOT email the contributor
- for ANY assistance.
-===============================================================================
-
-Background:
-===========
-
-We wish to help those folks who wish to use the ISC DHCP Server and provide
-sample configuration settings. Most operating systems today come ship with
-the ISC DHCP Server. ISC DHCP is available from:
- ftp://ftp.isc.org/isc/dhcp
-
-Incorrect configuration of MS Windows clients (Windows9X, Windows ME, Windows
-NT/2000) will lead to problems with browsing and with general network
-operation. Windows 9X/ME users often report problems where the TCP/IP and related
-network settings will inadvertantly become reset at machine start-up resulting
-in loss of configuration settings. This results in increased maintenance
-overheads as well as serious user frustration.
-
-In recent times users on one mailing list incorrectly attributed the cause of
-network operating problems to incorrect configuration of Samba.
-
-One user insisted that the only way to provent Windows95 from periodically
-performing a full system reset and hardware detection process on start-up was
-to install the NetBEUI protocol in addition to TCP/IP. This assertion is not
-correct.
-
-In the first place, there is NO need for NetBEUI. All Microsoft Windows clients
-natively run NetBIOS over TCP/IP, and that is the only protocol that is
-recognised by Samba. Installation of NetBEUI and/or NetBIOS over IPX will
-cause problems with browse list operation on most networks. Even Windows NT
-networks experience these problems when incorrectly configured Windows95
-systems share the same name space. It is important that only those protocols
-that are strictly needed for site specific reasons should EVER be installed.
-
-Secondly, and totally against common opinion, DHCP is NOT an evil design but is
-an extension of the BOOTP protocol that has been in use in Unix environments
-for many years without any of the melt-down problems that some sensationalists
-would have us believe can be experienced with DHCP. In fact, DHCP in covered by
-rfc1541 and is a very safe method of keeping an MS Windows desktop environment
-under control and for ensuring stable network operation.
-
-Please note that MS Windows systems as of MS Windows NT 3.1 and MS Windows 95
-store all network configuration settings a registry. There are a few reports
-from MS Windows network administrators that warrant mention here. It would appear
-that when one sets certain MS TCP/IP protocol settings (either directly or via
-DHCP) that these do get written to the registry. Even though a subsequent
-change of setting may occur the old value may persist in the registry. This
-has been known to create serious networking problems.
-
-An example of this occurs when a manual TCP/IP environment is configured to
-include a NetBIOS Scope. In this event, when the administrator then changes the
-configuration of the MS TCP/IP protocol stack, without first deleting the
-current settings, by simply checking the box to configure the MS TCP/IP stack
-via DHCP then the NetBIOS Scope that is still persistent in the registry WILL be
-applied to the resulting DHCP offered settings UNLESS the DHCP server also sets
-a NetBIOS Scope. It may therefore be prudent to forcibly apply a NULL NetBIOS
-Scope from your DHCP server. The can be done in the dhcpd.conf file with the
-parameter:
- option netbios-scope "";
-
-While it is true that the Microsoft DHCP server that comes with Windows NT
-Server provides only a sub-set of rfc1533 functionality this is hardly an issue
-in those sites that already have a large investment and commitment to Unix
-systems and technologies. The current state of the art of the DHCP Server
-specification in covered in rfc2132.
-
-This document aims to provide enough background information so that the
-majority of site can without too much hardship get the Internet Software
-Consortium's (ISC) DHCP Server into operation. The key benefits of using DHCP
-includes:
-
-1) Automated IP Address space management and maximised re-use of available IP
-Addresses,
-
-2) Automated control of MS Windows client TCP/IP network configuration,
-
-3) Automatic recovery from start-up and run-time problems with Windows95.
-
-
-
-Client Configuration for SMB Networking:
-========================================
-SMB network clients need to be configured so that all standard TCP/IP name to
-address resolution works correctly. Once this has been achieved the SMB
-environment provides additional tools and services that act as helper agents in
-the translation of SMB (NetBIOS) names to their appropriate IP Addresses. One
-such helper agent is the NetBIOS Name Server (NBNS) or as Microsoft called it
-in their Windows NT Server implementation WINS (Windows Internet Name Server).
-
-A client needs to be configured so that it has a unique Machine (Computer)
-Name.
-
-This can be done, but needs a few NT registry hacks and you need to be able to
-speak UNICODE, which is of course no problem for a True Wizzard(tm) :)
-Instructions on how to do this (including a small util for less capable
-Wizzards) can be found at
-
- http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html
-
-
-All remaining TCP/IP networking parameters can be assigned via DHCP. These include:
-
-a) IP Address,
-b) Netmask,
-c) Gateway (Router) Address,
-d) DNS Domain Name,
-e) DNS Server addresses,
-f) WINS (NBNS) Server addresses,
-g) IP Forwarding,
-h) Timezone offset,
-i) Node Type,
-j) NetBIOS Scope
-
-Other assignments can be made from a DHCP server too, but the above cover the
-major needs.
-
-Note: IF ever an entry has has been made to the NetBIOS Scope field of the
-TCP/IP configuration panel on an MS Windows machine, and it has then been
-committed, then that setting may become persistent. In such a c ase it is better
-to configure the DHCP server with a NetBIOS Scope consisting of an empty string
-(ie: A NULL scope).
-
-
-DHCP Server Installation:
-=========================
-It is assumed that you will have obtained a copy of the GPL'd ISC DHCP server
-source files from ftp://ftp.isc.org/isc/dhcp, it is also assumed that you have
-compiled the sources and have installed the binary files.
-
-The following simply serves to provide sample configuration files to enable
-dhcpd to operate. The sample files assume that your site is configured to use
-private IP network address space using the Class B range of 172.16.1.0 -
-172.16.1.255 and is using a netmask of 255.255.255.0 (ie:24 bits). It is
-assumed that your router to the outside world is at 172.16.1.254 and that your
-Internet Domain Name is bestnet.com.au. The IP Address range 172.16.1.100 to
-172.16.1.240 has been set aside as your dynamically allocated range. In
-addition, bestnet.com.au have two print servers that need to obtain settings
-via BOOTP. The machine linux.bestnet.com.au has IP address 172.16.1.1 and is
-you primary Samba server with WINS support enabled by adding the parameter to
-the /etc/smb.conf file: [globals] wins support = yes. The dhcp lease time will
-be set to 20 hours.
-
-Configuration Files:
-====================
-Before dhcpd will run you need to install a file that speifies the
-configuration settings, and another that holds the database of issued IP
-addresses. On many systems these are stored in the /etc directory on the Unix
-system.
-
-Example /etc/dhcpd.conf:
-========================
-server-identifier linux.bestnet.com.au;
-
-subnet 172.16.1.0 netmask 255.255.255.0 {
- range 172.16.1.100 172.16.1.240;
- default-lease-time 72000;
- max-lease-time 144000;
- option subnet-mask 255.255.255.0;
- option broadcast-address 172.16.1.255;
- option routers 172.16.1.254;
- option domain-name-servers 172.16.1.1, 172.16.1.2;
- option domain-name "bestnet.com.au";
- option time-offset 39600;
- option ip-forwarding off;
- option netbios-name-servers 172.16.0.1, 172.16.0.1;
- option netbios-dd-server 172.16.0.1;
- option netbios-node-type 8;
- option netbios-scope "";
-}
-
-; Note: The above netbios-scope is purposely an empty (NULL) string.
-
-group {
- next-server 172.16.1.10;
- option subnet-mask 255.255.255.0;
- option domain-name "bestnet.com.au";
- option domain-name-servers 172.16.1.1, 172.16.0.2;
- option netbios-name-servers 172.16.0.1, 172.16.0.1;
- option netbios-dd-server 172.16.0.1;
- option netbios-node-type 8;
- option netbios-scope "SomeCrazyScope";
- option routers 172.16.1.240;
- option time-offset 39600;
- host lexmark1 {
- hardware ethernet 06:07:08:09:0a:0b;
- fixed-address 172.16.1.245;
- }
- host epson4 {
- hardware ethernet 01:02:03:04:05:06;
- fixed-address 172.16.1.242;
- }
-}
-
-
-Creating the /etc/dhcpd.leases file:
-====================================
-At a Unix shell create an empty dhcpd.leases file in the /etc directory.
-You can do this by typing: cp /dev/null /etc/dhcpd.leases
-
-
-Setting up a route table for all-ones addresses:
-================================================
-Quoting from the README file that comes with the ISC DHCPD Server:
-
- BROADCAST
-
-In order for dhcpd to work correctly with picky DHCP clients (e.g.,
-Windows 95), it must be able to send packets with an IP destination
-address of 255.255.255.255. Unfortunately, Linux insists on changing
-255.255.255.255 into the local subnet broadcast address (here, that's
-192.5.5.223). This results in a DHCP protocol violation, and while
-many DHCP clients don't notice the problem, some (e.g., all Microsoft
-DHCP clients) do. Clients that have this problem will appear not to
-see DHCPOFFER messages from the server.
-
-It is possible to work around this problem on some versions of Linux
-by creating a host route from your network interface address to
-255.255.255.255. The command you need to use to do this on Linux
-varies from version to version. The easiest version is:
-
- route add -host 255.255.255.255 dev eth0
-
-On some older Linux systems, you will get an error if you try to do
-this. On those systems, try adding the following entry to your
-/etc/hosts file:
-
-255.255.255.255 all-ones
-
-Then, try:
-
- route add -host all-ones dev eth0
-
-
-For more information please refer to the ISC DHCPD Server documentation.
diff --git a/docs/textdocs/Faxing.txt b/docs/textdocs/Faxing.txt
deleted file mode 100644
index 0703d75cc3..0000000000
--- a/docs/textdocs/Faxing.txt
+++ /dev/null
@@ -1,220 +0,0 @@
-Contributor: Gerhard Zuber <zuber@berlin.snafu.de>
-Date: August 5th 1997.
-Status: Current
-
-Subject: F A X I N G with S A M B A
-==========================================================================
-
-This text describes how to turn your SAMBA-server into a fax-server
-for any environment, especially for Windows.
- Author: Gerhard Zuber <zuber@berlin.snafu.de>
- Version: 1.4
- Date: 04. Aug. 1997
-
-Requirements:
- UNIX box (Linux preferred) with SAMBA and a faxmodem
- ghostscript package
- mgetty+sendfax package
- pbm package (portable bitmap tools)
-
-FTP sites:
- sunsite.unc.edu:/pub/Linux/system/Serial/mgetty+sendfax*
- tsx-11.mit.edu:/pub/linux/sources/sbin/mgetty+sendfax
- ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/mgetty1.1.6-May05.tar.gz
-
- pbm10dec91.tgz
- ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/pbm10dec91.tgz
- sunsite.unc.edu: ..../apps/graphics/convert/pbmplus-10dec91-bin.tar.gz
- ftp.gwdg.de/pub/linux/grafik/pbmplus.src.tar.Z (this is 10dec91 source)
- or ??? pbm10dec91.tgz pbmplus10dec91.tgz
-
-
-making mgetty+sendfax running:
-==============================
-
- go to source tree: /usr/src/mgetty+sendfax
- cp policy.h-dist policy.h
-
- change your settings: valid tty ports, modem initstring, Station-Id
-
-#define MODEM_INIT_STRING "AT &F S0=0 &D3 &K3 &C1\\\\N2"
-
-#define FAX_STATION_ID "49 30 12345678"
-
-#define FAX_MODEM_TTYS "ttyS1:ttyS2:ttyS3"
-
- Modem initstring is for rockwell based modems
- if you want to use mgetty+sendfax as PPP-dialin-server,
- define AUTO_PPP in Makefile:
-
-CFLAGS=-O2 -Wall -pipe -DAUTO_PPP
-
- compile it and install the package.
- edit your /etc/inittab and let mgetty running on your preferred
- ports:
-
-s3:45:respawn:/usr/local/sbin/mgetty ttyS2 vt100
-
- now issue a
- kill -HUP 1
- and enjoy with the lightning LEDs on your modem
- your now are ready to receive faxes !
-
-
- if you want a PPP dialin-server, edit
- /usr/local/etc/mgetty+sendfax/login.config
-
-/AutoPPP/ - ppp /usr/sbin/pppd auth debug passive modem
-
-
- Note: this package automatically decides between a fax call and
- a modem call. In case of modem call you get a login prompt !
-
-Tools for printing faxes:
-=========================
-
- your incomed faxes are in:
- /var/spool/fax/incoming
-
- print it with:
-
- for i in *
- do
- g3cat $i | g3tolj | lpr -P hp
- done
-
- in case of low resolution use instead:
-
- g3cat $i | g3tolj -aspect 2 | lpr -P hp
-
-
- g3cat is in the tools-section, g3tolj is in the contrib-section
- for printing to HP lasers.
-
- If you want to produce files for displaying and printing with Windows, use
- some tools from the pbm-package like follow
-
- g3cat $i | g3topbm - | ppmtopcx - >$i.pcx
-
- and view it with your favourite Windows tool (maybe paintbrush)
-
-
-Now making the fax-server:
-===========================
-
- fetch the file
- mgetty+sendfax/frontends/winword/faxfilter
-
- and place it in
-
- /usr/local/etc/mgetty+sendfax/
-
- prepare your faxspool file as mentioned in this file
- edit fax/faxspool.in and reinstall or change the final
- /usr/local/bin/faxspool too.
-
- if [ "$user" = "root" -o "$user" = "fax" -o \
- "$user" = "lp" -o "$user" = "daemon" -o "$user" = "bin" ]
-
- find the first line and change the second.
-
- make sure you have pbmtext (from the pbm-package). This is
- needed for creating the small header line on each page.
- Notes on pbmplus:
- Some peoples had problems with precompiled binaries (especially
- at linux) with a shared lib libgr.so.x.x. The better way is
- to fetch the source and compile it. One needs only pbmtext for
- generating the small line on top of each page /faxheader). Install
- only the individual programs you need. If you install the full
- package then install pbmplus first and then mgetty+sendfax, because
- this package has some changed programs by itself (but not pbmtext).
-
- make sure your ghostscript is functional. You need fonts !
- I prefer these from the OS/2 disks
-
- prepare your faxheader
- /usr/local/etc/mgetty+sendfax/faxheader
-
- edit your /etc/printcap file:
-
-# FAX
-lp3|fax:\
- :lp=/dev/null:\
- :sd=/usr/spool/lp3:\
- :if=/usr/local/etc/mgetty+sendfax/faxfilter:sh:sf:mx#0:\
- :lf=/usr/spool/lp3/fax-log:
-
-
-
-
- edit your /usr/local/samba/lib/smb.conf
-
- so you have a smb based printer named "fax"
-
-
-The final step:
-===============
-
- Now you have a printer called "fax" which can be used via
- TCP/IP-printing (lpd-system) or via SAMBA (windows printing).
-
- On every system you are able to produce postscript-files you
- are ready to fax.
-
- On Windows 3.1 95 and NT:
-
- Install a printer wich produces postscript output,
- e.g. apple laserwriter
-
- connect the "fax" to your printer
-
-
- Now write your first fax. Use your favourite wordprocessor,
- write, winword, notepad or whatever you want, and start
- with the headerpage.
-
- Usually each fax has a header page. It carries your name,
- your address, your phone/fax-number.
-
- It carries also the recipient, his address and his *** fax
- number ***. Now here is the trick:
-
- Use the text:
- Fax-Nr: 123456789
- as the recipients fax-number. Make sure this text does not
- occur in regular text ! Make sure this text is not broken
- by formatting information, e.g. format it as a single entity.
- (Windows Write and Win95 Wordpad are functional, maybe newer
- versions of Winword are breaking formatting information).
-
- The trick is that postscript output is human readable and
- the faxfilter program scans the text for this pattern and
- uses the found number as the fax-destination-number.
-
- Now print your fax through the fax-printer and it will be
- queued for later transmission. Use faxrunq for sending the
- queue out.
-
- Notes of SAMBA smb.conf:
- Simply use fall through from the samba printer to the unix
- printer. Sample:
-
-
- printcap name = /etc/printcap
- print command = /usr/bin/lpr -r -P %p %s
- lpq command = /usr/bin/lpq -P %p
- lprm command = /usr/bin/lprm -P %p %j
-
-
-[fax]
- comment = FAX (mgetty+sendfax)
- path = /tmp
- printable = yes
- public = yes
- writable = no
- create mode = 0700
- browseable = yes
- guest ok = no
-
-
-
diff --git a/docs/textdocs/GOTCHAS.txt b/docs/textdocs/GOTCHAS.txt
deleted file mode 100644
index bc5c6dae85..0000000000
--- a/docs/textdocs/GOTCHAS.txt
+++ /dev/null
@@ -1,68 +0,0 @@
-This file lists Gotchas to watch out for:
-=========================================================================
-Item Number: 1.0
-Description: Problem Detecting Interfaces
-Symptom: Workstations do NOT see Samba server in Browse List
-OS: RedHat - Rembrandt Beta 2
-Platform: Intel
-Date: August 16, 1996
-Submitted By: John H Terpstra
-Details:
- By default RedHat Rembrandt-II during installation adds an
- entry to /etc/hosts as follows:-
- 127.0.0.1 loopback "hostname"."domainname"
-
- This causes Samba to loop back onto the loopback interface.
- The result is that Samba fails to communicate correctly with
- the world and therefor may fail to correctly negotiate who
- is the master browse list holder and who is the master browser.
-
-Corrective Action: Delete the entry after the word loopback
- in the line starting 127.0.0.1
-=========================================================================
-Item Number: 2.0
-Description: Problems with MS Windows NT Server network logon service
-Symptom: Loss of Domain Logon Services and failed Windows NT / 95
- logon attempts.
-OS: All Unix systems with Windows NT Domain Control environments.
-Platform: All
-Date: February 1, 1997
-Submitted By: John H Terpstra
-Details:
- Samba is configured for Domain logon control in a network
- where a Windows NT Domain Primary Controller is running.
-
- Case 1:
- The Windows NT Server is shut down, then restarted. Then
- the Samba server is reconfigured so that it NO LONGER offers
- Domain logon services. Windows NT and 95 workstations can no
- longer log onto the domain. Ouch!!!
-
- Case 2:
- The Windows NT Server which is running the Network logon
- Service is shut down and restarted while Samba is a domain
- controller offering the Domain LogOn service. Windows NT
- Workstation and Server can no longer log onto the network.
-
- Cause:
- Windows NT checks at start up to see if any domain logon
- controllers are already running within the domain. It finds
- Samba claiming to offer the service and therefore does NOT
- start its Network Logon Service.
-
- Windows NT needs the Windows NT network logon service to gain
- from its Domain controller's SAM database the security
- identifier for the user loging on.
-
-Work-around: Stop the Samba nmbd and smbd processes, then on the Windows
- NT Primary Domain Controller start the Network Logon Service.
- Now restart the Samba nmbd and smbd services.
-
- Better still: DO NOT CONFIGURE SAMBA AS THE NETWORK LOGON
- SERVER, DO NOT SET SAMBA TO BE THE DOMAIN MASTER, DO NOT
- SET SAMBA TO OS LEVEL GREATER THAN 0.
-
- ie: Let Windows NT Server be the Domain Logon server, the
- domain master browser and do NOT interfere with any aspect
- of Microsoft Windows NT Domain Control.
-=========================================================================
diff --git a/docs/textdocs/HINTS.txt b/docs/textdocs/HINTS.txt
deleted file mode 100644
index 877640108c..0000000000
--- a/docs/textdocs/HINTS.txt
+++ /dev/null
@@ -1,212 +0,0 @@
-Contributor: Many
-Updated: Not for a long time!
-
-Subject: A collection of hints
-Status: May be useful information but NOT current
-===============================================================================
-
-Here are some random hints that you may find useful. These really
-should be incorporated in the main docs someday.
-
-
-----------------------
-HINT: Always test your smb.conf with testparm before using it
-
-If your smb.conf file is invalid then samba will fail to load. Run
-testparm over it before you install it just to make sure there aren't
-any basic syntax or logical errors.
-
-
-----------------------
-HINT: Try printing with smbclient first
-
-If you have problems printing, test with smbclient first. Just connect using
-"smbclient '\\server\printer' -P" and use the "print" command.
-
-Once this works, you know that Samba is setup correctly for printing,
-and you should be able to get it to work from your PCs.
-
-This particularly helps in getting the "print command" right.
-
-
-----------------------
-HINT: Mount cdroms with conv=binary
-
-Some OSes (notably Linux) default to auto detection of file type on
-cdroms and do cr/lf translation. This is a very bad idea when use with
-Samba. It causes all sorts of stuff ups.
-
-To overcome this problem use conv=binary when mounting the cdrom
-before exporting it with Samba.
-
-
-----------------------
-HINT: Convert between unix and dos text formats
-
-Jim barry has written an excellent drag-and-drop cr/lf converter for
-windows. Just drag your file onto the icon and it converts the file.
-
-Get it from
-ftp://samba.org/pub/samba/contributed/fixcrlf.zip
-
-The utilities unix2dos and dos2unix(in the mtools package) should do
-the job under unix.
-
-----------------------
-HINT: Use the "username map" option
-
-If the usernames used on your PCs don't match those used on the unix
-server then you will find the "username map" option useful.
-
------------------------
-HINT: Use "security = user" in [global]
-
-If you have the same usernames on the unix box and the PCs or have
-mapped them with the "username map" option then choose "security =
-user" in the [global] section of smb.conf.
-
-This will mean your password is checked only when you first connect,
-and subsequent connections to printers, disks etc will go more
-smoothly and much faster.
-
-The main problem with "security = user" if you use WfWg is that you
-will ONLY be able to connect as the username that you log into WfWg
-with. This is because WfWg silently ignores the password field in the
-connect drive dialog box if the server is in user security mode.
-
-------------------------
-HINT: Make your printers not "guest ok"
-
-If your printers are not "guest ok" and you are using "security =
-user" and have matching unix and PC usernames then you will attach to
-the printer without trouble as your own username. This will mean you
-will be able to delete print jobs (in 1.8.06 and above) and printer
-accounting will be possible.
-
-
------------------------
-HINT: Use a sensible "guest" account
-
-Even if all your services are not available to "guest" you will need a
-guest account. This is because the browsing is done as guest. In many
-cases setting "guest account = ftp" will do the trick. Using the
-default guest account or "guest account = nobody" will give problems on
-many unixes. If in doubt create another account with minimal
-privilages and use it instead. Your users don't need to know the
-password of the guest account.
-
-
------------------------
-HINT: Use the latest TCP/IP stack from microsoft if you use Windows
-for workgroups.
-
-The early TCP/IP stacks had lots of bugs.
-
-Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
-VxD drivers. The latest release can be found on their ftp site at
-ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe.
-There is an update.txt file there that describes the problems that were
-fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386,
-WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.
-
-
------------------------
-HINT: nmbd can act as a "WINS" server
-
-By default SMB clients use broadcasts to find shares. Recent clients
-(such as WfWg) can use a "wins" server instead, whcih reduces your
-broadcast traffic and allows you to find names across routers.
-
-Just point your WfWg, Win95 and NT clients at the Samba box in the WINS option.
-
-Note: nmbd does not support all WINS operations. Anyone out there have
-a spec they could send me?
-
------------------------
-HINT: you may need to delete your .pwl files when you change password.
-
-WfWg does a lousy job with passwords. I find that if I change my
-password on either the unix box or the PC the safest thing to do is to
-delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
-
-If you don't do this you may find that WfWg remembers and uses the old
-password, even if you told it a new one.
-
-Often WfWg will totally ignore a password you give it in a dialog box.
-
-----------------------
-HINT: Using MS Access
-
-Here are some notes on running MS-Access on a Samba drive from Stefan
-Kjellberg <stefank@esi.com.au>
-
-1. Opening a database in 'exclusive' mode does NOT work. Samba ignores
- r/w/share modes on file open.
-
-2. Make sure that you open the database as 'shared' and to 'lock modified
- records'
-
-3. Of course locking must be enabled for the particular share (smb.conf)
-
-
----------------------
-HINT: password cacheing in WfWg
-
-Here is a hint from michael@ecel.uwa.edu.au (Michael Simmons):
-
-In case people where not aware. There is a program call admincfg.exe
-on the last disk (disk 8) of the WFW 3.11 disk set. To install it
-type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon
-for it via the "Progam Manager" "New" Menu. This program allows you
-to control how WFW handles passwords. ie disable Password Caching etc
-for use with "security = user"
-
-
---------------------
-HINT: file descriptor limits
-
-If you have problems with the limits on the number of open files you
-can edit local.h to fix it.
-
---------------------
-HINT: HPUX initgroups() problem
-
-here is a hint from Frank Wales [frank@arcglade.demon.co.uk]:
-
-HP's implementation of supplementary groups is, er, non-standard (for
-hysterical reasons). There are two group files, /etc/group and
-/etc/logingroup; the system maps UIDs to numbers using the former, but
-initgroups() reads the latter. Most system admins who know the ropes
-symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons
-too stupid to go into here). initgroups() will complain if one of the
-groups you're in in /etc/logingroup has what it considers to be an invalid
-ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think)
-60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody'
-GIDs.
-
-Perhaps you could suggest to users that, if they encounter this problem,
-they make sure that the programs that are failing to initgroups() be
-run as users not in any groups with GIDs outside the allowed range.
-
-This is documented in the HP manual pages under setgroups(2) and passwd(4).
-
-
----------------------
-HINT: Patch your SCO system
-
-If you run SCO Unix then you may need to get important TCP/IP patches
-for Samba to work correctly. Try
-
-Paul_Davis@mindlink.bc.ca writes:
-
- I was having problems with Accpac using 1.9.02 on SCO Unix. One
- posting function reported corrupted data. After installing uod385a,
- the problem went away (a restore from backup and then another
- run-thru).
-
- It appears that the uod385a update for SCO may be fairly important for
- a lot of different DOS and Windows software under Samba.
-
- uod385a can be found at ftp.sco.com /SLS/uod385a.Z and uod385a.ltr.Z.
-
-
diff --git a/docs/textdocs/README.DCEDFS b/docs/textdocs/README.DCEDFS
deleted file mode 100644
index da9bb2197d..0000000000
--- a/docs/textdocs/README.DCEDFS
+++ /dev/null
@@ -1,78 +0,0 @@
-Contributor: Jim Doyle <doyle@oec.com>
-Date: 06-02-95
-Status: Current but needs updating
-
-Subject: Basic DCE/DFS Support for SAMBA 1.9.13
-=============================================================================
-
-Functionality:
---------------
-
- Per-instance authentication for DCE/DFS.
-
-Missing Functionality in this Implementation:
----------------------------------------------
-
- * No automatic refresh of credentials
-
- To do so would not be that hard.. One could simply
- stash the clear-text key in memory, spawn a key management
- thread to wake up right before credentials expire and
- refresh the login context.
-
- * No UNIX Signals support (SIGCLD, SIGPIPE, SIGHUP, SIGBUS, SIGSEGV)
-
-
- There is no support for signal processing in Samba daemons
- that need to authenticate with DCE. The explanation for this
- is that the smbd is linked against thread-safe libraries in
- order to be able to use DCE authentication mechanisms.
- Because smbd uses signal() and fork(), it represents the
- worst case scenario for DCE portability. In order
- to properly support signals in a forked server environment,
- some rework of smbd is needed in order to properly
- construct, shutdown and reconstruct asynchronous signal
- handling threads and synchronous signal traps across the
- parent and child. I have not had contiguous time to work
- on it, I expect it to be a weeks worth of work to cleanly
- integrate thread-safe signal handing into the code and
- test it. Until I can get to this task, I will leave it up
- to someone adventurous enough to engineer it and negotiate
- with Andrew to integrate the changes into the mainline branch.
-
- The lack of full signal support means that you cannot
- rely upon SIGHUP-ing the parent daemon to refresh
- the configuration data. Likewise, you cannot take advantage
- of the builtin SIGBUS/SIGSEGV traps to diagnose failures.
- You will have to halt Samba in order to make changes
- and then have them take effect.
-
- The SMBD server as it stands is suitable to use if you
- already have experience with configuring and running
- SAMBA.
-
-Tested Platforms:
------------------
-
- HP-UX 9.05 / HP-UX DCE 1.2.1
- AIX 3.2.5 / AIX DCE/6000 1.3
- DEC OSF-1 3.0 / DEC DCE 1.3
-
-Building:
----------
-
- - Uncomment the the appropriate block in the Makefile
- for the platform you wish to build on.
-
- - Samples of Samba server configuration files for our
- DFS environment are included in samples.dcedfs/
-
-
-
-Bugs, Suggestions, etc..
---------------------------
-
- Please post them to the mailing list.
- That way I will see them and they will become part of
- the archives so others can share the knowledge.
-
diff --git a/docs/textdocs/Recent-FAQs.txt b/docs/textdocs/Recent-FAQs.txt
deleted file mode 100644
index feed127827..0000000000
--- a/docs/textdocs/Recent-FAQs.txt
+++ /dev/null
@@ -1,286 +0,0 @@
-Contributor: Samba-bugs@samba.org
-Date: July 5, 1998
-Status: Current
-
-=============================================================================
-Subject: Recent FAQ answers to common questions / problems
-=============================================================================
-Contents: NetWkstaUserLogon
- Not listening for calling name
- System Error 1240
- Trapdoor UID
- User Access Control
- Using NT to Browse Samba Shares
- setup.exe and 16 bit programs
- smbclient -N
-
-NetWkstaUserLogon
-=================
-FAQ answer about the new password server code:
-
-In 1.9.18 you can disable the NetWkstaUserLogon call at compile time
-in local.h and from 1.9.18p3 you can now disable it from an option in
-your smb.conf.
-
-The password server behaviour changed because we discovered that bugs
-in some NT servers allowed anyone to login with no password if they
-chose an account name that did not exist on the password server. The
-NT password server was saying "yes, it's OK to login" even when the
-account didn't exist at all! Adding the NetWkstaUserLogon call fixed
-the problem, and follows the "recommended" method that MS have
-recently documented for pass through authentication.
-
-The problem now is that some NT servers (in particular NT
-workstation?) don't support the NetWkstaUserLogon call. The call also
-doesn't work for accounts in trust relationships.
-
-The eventual solution for this will be to replace the password server
-code in Samba with NT domain code as that is developed. For now you
-have the choice of compiling Samba either with or without the
-NetWkstaUserLogon call in the password server code.
-
-In 1.9.18p3 the following was added (copied from the 1.9.18p3 release
-notes):
-
-In the [global] section of smb.conf :
-
-networkstation user login
-
-This code (submitted by Rob Nielsen) allows the code many people
-were having problems with that queries an NT password server to
-be turned off at runtime rather than compile time. Please see the
-documentation in the smb.conf manual page for details. This is a
-security option - it must only be turned off after checks have been
-made to ensure that your NT password server does not suffer from the
-bug this code was meant to protect against !
-
-In 1.9.18 you can enable/disable this call in local.h. In 1.9.17p5
-you could apply the following patch. Applying this patch will make
-the password server code behave like the code in earlier versions
-of Samba. If you do this then please ensure that you test to see
-that users are prevented from logging in if they give a bogus
-username/password. You may have a NT server that is affected by the
-bug that this code is designed to avoid.
-
-
---- password.c 1997/10/21 10:09:28 1.25.2.4
-+++ password.c 1997/12/31 06:43:06
-@@ -1619,6 +1619,7 @@
- }
-
-
-+#if 0
- if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
- DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost));
- cli_tdis(&cli);
-@@ -1638,6 +1639,7 @@
- cli_tdis(&cli);
- return False;
- }
-+#endif
-
- DEBUG(3,("password server %s accepted the password\n", cli.desthost));
-===============================================================================
-
-Not listening for calling name
-==============================
-
-> Session request failed (131,129) with myname=HOBBES destname=CALVIN
-> Not listening for calling name
-
-If you get this when talking to a Samba box then it means that your
-global "hosts allow" or "hosts deny" settings are causing the Samba
-server to refuse the connection.
-
-Look carefully at your "hosts allow" and "hosts deny" lines in the
-global section of smb.conf.
-
-It can also be a problem with reverse DNS lookups not functioning
-correctly, leading to the remote host identity not being able to
-be confirmed, but that is less likely.
-===============================================================================
-
-System Error 1240
-=================
-System error 1240 means that the client is refusing to talk
-to a non-encrypting server. Microsoft changed WinNT in service
-pack 3 to refuse to connect to servers that do not support
-SMB password encryption.
-
-There are two main solutions:
-
-1) enable SMB password encryption in Samba. See ENCRYPTION.txt in the
-Samba docs
-
-2) disable this new behaviour in NT. See WinNT.txt in the
-Samba docs
-===============================================================================
-
-Trapdoor UID
-============
-> Log message "you appear to have a trapdoor uid system"
-
-This can have several causes. It might be because you are using a uid
-or gid of 65535 or -1. This is a VERY bad idea, and is a big security
-hole. Check carefully in your /etc/passwd file and make sure that no
-user has uid 65535 or -1. Especially check the "nobody" user, as many
-broken systems are shipped with nobody setup with a uid of 65535.
-
-It might also mean that your OS has a trapdoor uid/gid system :-)
-
-This means that once a process changes effective uid from root to
-another user it can't go back to root. Unfortunately Samba relies on
-being able to change effective uid from root to non-root and back
-again to implement its security policy. If your OS has a trapdoor uid
-system this won't work, and several things in Samba may break. Less
-things will break if you use user or server level security instead of
-the default share level security, but you may still strike
-problems.
-
-The problems don't give rise to any security holes, so don't panic,
-but it does mean some of Samba's capabilities will be unavailable.
-In particular you will not be able to connect to the Samba server as
-two different uids at once. This may happen if you try to print as a
-"guest" while accessing a share as a normal user. It may also affect
-your ability to list the available shares as this is normally done as
-the guest user.
-
-Complain to your OS vendor and ask them to fix their system.
-
-Note: the reason why 65535 is a VERY bad choice of uid and gid is that
-it casts to -1 as a uid, and the setreuid() system call ignores (with
-no error) uid changes to -1. This means any daemon attempting to run
-as uid 65535 will actually run as root. This is not good!
-===============================================================================
-
-User Access Control
-===================
-> In windows when i set up a share in "user mode" i get the message:
-> "You cannot view the list of users at this time. Please try again later."
->
-> I know you have lists of users for access and aliasing purposes, but i
-> have read nothing to support the idea that these lists control the Domain
-> Users List...
-
-Samba does NOT at this time support user mode access control for Window 9x
-of for NT. This is a priority item and requires full implementation of the NT SMB
-protocol calls. Samba-1.9.19 will go into alpha in about 2 months time and will
-have a more full implementation of the NT SMB protocols to support Domain Client
-interoperability. When we can see that this has been succesful we wil then implement
-the NT SMB Server components. This will probably be released as Samba-2.0
-
-Samba-1.9.18p5 is scheduled to go out within 14 days. This will close off the 1.9.18
-branch and then opens the way to progress 1.9.19.
-
-I hope this answers your concerns adequately.
-===============================================================================
-
-Using NT to Browse Samba Shares
-===============================
-> WIN-NT workstations (nt4.0, service pack 3)
-> samba with
-> security = user
-> encrypt passwords = yes
-> guest account = guest
->
-> start the explorer on a win-nt workstation and select network. I find
-> my unix server running samba, but I can not see the list of shares
-> unless I am a user, who is known in the smbpasswd of the unix machine.
-> The guest account "guest" exists on my unix machine. For testing I even
-> made him a regular user with a password.
->
-> With my network monitor I can see, that the win-nt workstation uses the
-> current login, to connect to IPC$ on the samba server
-> (for example "administrator"), not the guest account.
-
-This is exactly how Windows NT works. You MUST have a valid account on the Windows
-NT box you are trying to see the resource list on. If your currently logged in
-account details do NOT match an account on the NT machine you are trying to access
-then you will be presented with a logon box for that machine. When you enter the
-name of an account on that machine / domain, together with a valid password then
-the resource list is made available. If the account details are not correct then
-no resource list is shown.
-
-Samba follows the behaviour of Windows NT exactly.
-
-Warning:Warning:Warning:
-========================
-Samba can be compiled with the GUEST_SESSION_SETUP option at 0,1 or 2.
-The default is 0. If this is set to 1 or 2 then Windows NT machines that DO NOT
-have an account on the Samba server will see the resource list. The down side of this
-is that legitimate users may then be refused access to their legitimate resources.
-Setting this option creates serious security holes. DO NOT DO IT. Samba has the
-value of this option set at 0 - NOT WITHOUT REASON!!!!
-
-******> Warning:Warning:Warning: ****> Do not tamper with this setting!!!
-===============================================================================
-
-setup.exe and 16 bit programs
-=============================
-Running 16 bit programs from Windows NT on a Samba mapped drive
----------------------------------------------------------------
-
-The Windows NT redirector has a bug when running against a
-Samba or Windows 95 mapped drive and attempting to run a
-16 bit executable.
-
-The problem occurs when the pathname to a 16 bit executable
-contains a non 8.3 filename complient directory component,
-Windows NT will fail to load the program and complain it
-cannot find the path to the program.
-
-It can be verified that this is a bug in Windows NT and
-not Samba as the same problem can be reproduced exactly
-when attempting to run the same program with the same
-pathname from a Windows 95 server (ie. the problem still
-exists even with no Samba server involved).
-
-Microsoft have been made aware of this problem, it is
-unknown if they regard it as serious enough to provide
-a fix for this.
-
-One of the reasons this problem is reported frequently
-is that InstallShield setup.exe executables are frequently
-written as 16 bit programs, and so hit this problem.
-
-As a workaround, you may create (on a Samba server at
-least) a symbolic link with an 8.3 complient name to
-the non 8.3 complient directory name, and then the 16
-bit program will run. Alternatively, use the 8.3
-complient mangled name to specify the path to run
-the binary.
-
-This will be fixed when Samba adds the NT-specific
-SMB calls (currently targeted for the next major
-Samba release), as once the NT SMB calls are used
-this problem no longer occurs (which is why the
-problem doesn't occur when running against a drive
-mapped to a Windows NT server).
-
-Regards,
-
- Jeremy Allison.
- Samba Team.
-===============================================================================
-
-smbclient -N
-============
-> When getting the list of shares available on a host using the command
-> smbclient -N -L <server>
-> the program always prompts for the password if the server is a Samba server.
-> It also ignores the "-N" argument when querying some (but not all) of our
-> NT servers.
-
-No, it does not ignore -N, it is just that your server rejected the
-null password in the connection, so smbclient prompts for a password
-to try again.
-
-To get the behaviour that you probably want use
- smbclient -L host -U%
-
-this will set both the username and password to null, which is
-an anonymous login for SMB. Using -N would only set the password
-to null, and this is not accepted as an anonymous login for most
-SMB servers.
-===============================================================================
-
diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt
deleted file mode 100644
index 38705f018a..0000000000
--- a/docs/textdocs/UNIX_SECURITY.txt
+++ /dev/null
@@ -1,54 +0,0 @@
-Contributor: John H Terpstra <jht@samba.org>
-Date: July 5, 1998
-Status: Current
-
-Subject: SETTING UNIX FILE SYSTEM SECURITY
-===============================================================================
-The following excerpt from a bug report demonstrates the need to
-understand Unix file system security and to manage it correctly.
-
-Quote:
-======
-> We are unable to keep individual users from mapping to any other user's
-> home directory once they have supplied a valid password! They only need
-> to enter their own password. I have not found *any* method that I can
-> use to configure samba to enforce that only a user may map their own
-> home directory.
->
-> User xyzzy can map his home directory. Once mapped user xyzzy can also map
-> *anyone* elses home directory!
-
-ANSWER:
-=======
-This is not a security flaw, it is by design. Samba allows
-users to have *exactly* the same access to the UNIX filesystem
-as they would if they were logged onto the UNIX box, except
-that it only allows such views onto the file system as are
-allowed by the defined shares.
-
-This means that if your UNIX home directories are set up
-such that one user can happily cd into another users
-directory and do an ls, the UNIX security solution is to
-change the UNIX file permissions on the users home directories
-such that the cd and ls would be denied.
-
-Samba tries very hard not to second guess the UNIX administrators
-security policies, and trusts the UNIX admin to set
-the policies and permissions he or she desires.
-
-Samba does allow the setup you require when you have set the
-"only user = yes" option on the share, is that you have not set the
-valid users list for the share.
-
-Note that only user works in conjunction with the users= list,
-so to get the behavior you require, add the line :
-
-users = %S
-
-this is equivalent to:
-
-valid users = %S
-
-to the definition of the [homes] share, as recommended in
-the smb.conf man page.
-