Diffstat (limited to 'docs')
-rw-r--r--  docs/docbook/projdoc/AdvancedNetworkAdmin.sgml            130
-rw-r--r--  docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml               2
-rw-r--r--  docs/docbook/projdoc/NT_Security.sgml                      15
-rw-r--r--  docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml     21
-rw-r--r--  docs/docbook/projdoc/PolicyMgmt.sgml                       89
-rw-r--r--  docs/docbook/projdoc/ProfileMgmt.sgml                     473
-rw-r--r--  docs/docbook/projdoc/ServerType.sgml                        2
-rw-r--r--  docs/docbook/projdoc/VFS.sgml                              13
-rw-r--r--  docs/docbook/projdoc/passdb.sgml                            2
-rw-r--r--  docs/docbook/projdoc/samba-doc.sgml                        12
10 files changed, 478 insertions, 281 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 18fda67123..3c230a9110 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -12,23 +12,137 @@ <pubdate>April 3 2003</pubdate> </chapterinfo> -<title>Advanced Network Manangement Information</title> +<title>Advanced Network Manangement</title> + +<para> +This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier. +</para> <sect1> -<title>Remote Server Administration</title> +<title>Configuring Samba Share Access Controls</title> + +<para> +This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read). +</para> + +<para> +At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management. +</para> + +<para> +Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <filename>tdbdump share_info.tdb</filename>. +</para> + +<sect2> +<title>Share Permissions Management</title> + +<para> +The best tool for the task is platform dependant. 
Choose the best tool for your environmemt. +</para> +<sect3> +<title>Windows NT4 Workstation/Server</title> +<para> +The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. +</para> <para> -<emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis> +Instructions: </para> + <para> + Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu + select Computer, then click on the Shared Directories entry. + </para> + + <para> + Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish. + </para> + +</sect3> + +<sect3> +<title>Windows 200x/XP</title> + <para> -Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for Domains', +On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows +<emphasis>Everyone</emphasis> Full Control on the Share. +</para> + +<para> +MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel -> +Administrative Tools -> Computer Management</filename>. +</para> + +<para> +Instructions: +</para> + <para> + After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. 
If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered. + </para> + + <para> + If the Samba server is not shown in the Select Computer box, then type in the name of the target + Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] + next to 'Shared Folders' in the left panel. + </para> + + <para> + Now in the right panel, double-click on the share you wish to set access control permissions on. + Then click on the tab 'Share Permissions'. It is now possible to add access control entities + to the shared folder. Do NOT forget to set what type of access (full control, change, read) you + wish to assign for each entry. + </para> + + <note> + <para> + Be careful. If you take away all permissions from the Everyone user without removing this user + then effectively no user will be able to access the share. This is a result of what is known as + ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone + will have no access even if this user is given explicit full control access. + </para> + </note> + +</sect3> +</sect2> +</sect1> + +<sect1> +<title>Remote Server Administration</title> + +<para> +<emphasis>How do I get 'User Manager' and 'Server Manager'?</emphasis> +</para> + +<para> +Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', the 'Server Manager'? </para> <para> -Microsoft distributes a version of these tools called nexus for installation on Windows 95 +Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me systems. The tools set includes: </para> 
@@ -52,6 +166,12 @@ from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ft </para> </sect1> +<sect1> +<title>Network Logon Script Magic</title> + +<para> +Lots of blah blah here. +</para> </chapter> diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 06c1d3a87e..a2d16541ef 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -6,7 +6,7 @@ </author> </chapterinfo> -<title>Group mapping HOWTO</title> +<title>Configuring Group Mapping</title> <para> Starting with Samba 3.0 alpha 2, a new group mapping function is available. The diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml index a68a820b76..c5e3b9b9f9 100644 --- a/docs/docbook/projdoc/NT_Security.sgml +++ b/docs/docbook/projdoc/NT_Security.sgml @@ -1,5 +1,4 @@ <chapter id="unix-permissions"> - <chapterinfo> <author> <firstname>Jeremy</firstname><surname>Allison</surname> @@ -10,12 +9,9 @@ </address> </affiliation> </author> - - <pubdate>12 Apr 1999</pubdate> </chapterinfo> - <title>UNIX Permission Bits and Windows NT Access Control Lists</title> <sect1> @@ -29,6 +25,17 @@ the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</para> + + <note> + <para> + All access to Unix/Linux system file via Samba is controlled at + the operating system file access control level. When trying to + figure out file access problems it is vitally important to identify + the identity of the Windows user as it is presented by Samba at + the point of file access. This can best be determined from the + Samba log files. + </para> + </note> </sect1> <sect1> diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index 7608f821cf..f2a6fc06ac 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml 
+++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -1,6 +1,4 @@ <chapter id="pam"> - - <chapterinfo> <author> <firstname>John</firstname><surname>Terpstra</surname> @@ -14,8 +12,7 @@ <pubdate> (Jun 21 2001) </pubdate> </chapterinfo> -<title>Configuring PAM for distributed but centrally -managed authentication</title> +<title>PAM Configuration for Centrally Managed Authentication</title> <sect1> <title>Samba and PAM</title> @@ -139,10 +136,10 @@ Linux system. The default condition uses <filename>pam_pwdb.so</filename>. #%PAM-1.0 # The PAM configuration file for the `samba' service # - auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_pwdb.so shadow md5 + auth required pam_pwdb.so nullok nodelay shadow audit + account required pam_pwdb.so audit nodelay + session required pam_pwdb.so nodelay + password required pam_pwdb.so shadow md5 </programlisting></para> <para> @@ -157,10 +154,10 @@ program. #%PAM-1.0 # The PAM configuration file for the `samba' service # - auth required /lib/security/pam_smbpass.so nodelay - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf + auth required pam_smbpass.so nodelay + account required pam_pwdb.so audit nodelay + session required pam_pwdb.so nodelay + password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf </programlisting></para> <note><para>PAM allows stacking of authentication mechanisms. It is diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 6eb3a09a97..1dc4dd435d 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml 
@@ -11,10 +11,10 @@ </author> <pubdate>April 3 2003</pubdate> </chapterinfo> -<title>Policy Management - Hows and Whys</title> +<title>System and Account Policies</title> <sect1> -<title>System Policies</title> +<title>Creating and Managing System Policies</title> <para> Under MS Windows platforms, particularly those following the release of MS Windows @@ -36,7 +36,7 @@ a part of the MS Windows Me Resource Kit. <para> MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis> -under the <filename>Start->Programs->Administrative Tools</filename> menu item. +under the <filename>Start -> Programs -> Administrative Tools</filename> menu item. For MS Windows NT4 and later clients this file must be called <filename>NTConfig.POL</filename>. </para> @@ -51,9 +51,9 @@ be a step forward, but improved functionality comes at a great price. <para> Before embarking on the configuration of network and system policies it is highly -advisable to read the documentation available from Microsoft's web site from +advisable to read the documentation available from Microsoft's web site regarding <ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"> -Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft. +Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</ulink> available from Microsoft. There are a large number of documents in addition to this old one that should also be read and understood. Try searching on the Microsoft web site for "Group Policies". </para> 
@@ -64,22 +64,22 @@ here is incomplete - you are warned. </para> <sect2> -<title>Creating and Managing Windows 9x/Me Policies</title> +<title>Windows 9x/Me Policies</title> <para> You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. It can be found on the Original full product Win98 installation CD under -<filename>tools/reskit/netadmin/poledit</filename>. You install this using the +<filename>tools/reskit/netadmin/poledit</filename>. Install this using the Add/Remove Programs facility and then click on the 'Have Disk' tab. </para> <para> Use the Group Policy Editor to create a policy file that specifies the location of -user profiles and/or the <filename>My Documents</filename> etc. stuff. You then +user profiles and/or the <filename>My Documents</filename> etc. stuff. Then save these settings in a file called <filename>Config.POL</filename> that needs to -be placed in the root of the [NETLOGON] share. If your Win98 is configured to log onto +be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto the Samba Domain, it will automatically read this file and update the Win9x/Me registry -of the machine that is logging on. +of the machine as it logs on. </para> <para> @@ -87,7 +87,7 @@ Further details are covered in the Win98 Resource Kit documentation. </para> <para> -If you do not do it this way, then every so often Win9x/Me will check the +If you do not take the right steps, then every so often Win9x/Me will check the integrity of the registry and will restore it's settings from the back-up copy of the registry it stores on each Win9x/Me machine. Hence, you will occasionally notice things changing back to the original settings. @@ -104,7 +104,7 @@ Win9x/Me machine that uses group policies. </sect2> <sect2> -<title>Creating and Managing Windows NT4 Style Policy Files</title> +<title>Windows NT4 Style Policy Files</title> <para> To create or edit <filename>ntconfig.pol</filename> you must use the NT Server 
@@ -136,20 +136,20 @@ location is with the Zero Administration Kit available for download from Microso <sect3> <title>Registry Tattoos</title> -<para> -With NT4 style registry based policy changes, a large number of settings are not -automatically reversed as the user logs off. Since the settings that were in the -NTConfig.POL file were applied to the client machine registry and that apply to the -hive key HKEY_LOCAL_MACHINE are permanent until explicitly reveresd. This is known -as tattooing. It can have serious consequences down-stream and the administrator must -be extreemly careful not to lock out the ability to manage the machine at a later date. -</para> + <para> + With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </para> </sect3> </sect2> <sect2> -<title>Creating and Managing MS Windows 200x Policies</title> +<title>MS Windows 200x / XP Professional Policies</title> <para> Windows NT4 System policies allows setting of registry parameters specific to @@ -201,7 +201,7 @@ exists with NT4 style policy files. </para> <sect3> -<title>Administration of Win2K Policies</title> +<title>Administration of Win2K / XP Policies</title> <para> Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the 
@@ -212,7 +212,7 @@ executable name poledit.exe), GPOs are created and managed using a Microsoft Man <itemizedlist> <listitem> <para> - Go to the Windows 200x / XP menu <filename>Start->Programs->Adminsitrative Tools</filename> + Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename> and select the MMC snap-in called "Active Directory Users and Computers" <para> </listitem> @@ -258,4 +258,47 @@ use this powerful tool. Please refer to the resource kit manuals for specific us </sect2> </sect1> + +<sect1> +<title>Managing Account/User Policies</title> + +<para> +Document what are user policies (ie: Account Policies) here. +</para> + +<sect2> +<title>With Windows NT4/200x</title> + +<para> +Brief overview of the tools and how to use them. +</para> + +<sect3> +<title>Windows NT4 Tools</title> + +<para> +Blah, blah, blah ... +</para> + +</sect3> + +<sect3> +<title>Windows 200x Tools</title> + +<para> +Blah, blah, blah ... +</para> + +</sect3> +</sect2> + +<sect2> +<title>With a Samba PDC</title> + +<para> +Document the HOWTO here. +</para> + +</sect1> + </chapter> diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index ffbc65f767..72eac8635a 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml 
@@ -12,54 +12,71 @@ <pubdate>April 3 2003</pubdate> </chapterinfo> -<title>Profile Management</title> +<title>Desktop Profile Management</title> <sect1> <title>Roaming Profiles</title> <warning> <para> -<emphasis>NOTE!</emphasis> Roaming profiles support is different for Win9X and WinNT. +<emphasis>NOTE!</emphasis> Roaming profiles support is different for Win9x / Me +and Windows NT4/200x. </para> </warning> <para> Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features. +Windows 9x / Me and Windows NT4/200x clients implement these features. </para> <para> -Win9X clients send a NetUserGetInfo request to the server to get the user's +Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory. +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory. </para> <para> -WinNT clients send a NetSAMLogon RPC request, which contains many fields, +Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT. </para> <sect2> -<title>Windows NT Configuration</title> +<title>Samba Configuration for Profile Handling</title> <para> -To support WinNT clients, in the [global] section of smb.conf set the +This section documents how to configure Samba for MS Windows client profile support. 
+</para> + +<sect3> +<title>NT4/200x User Profiles</title> + +<para> +To support Windowns NT4/200x clients, in the [global] section of smb.conf set the following (for example): </para> -<para><programlisting> -logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath -</programlisting></para> +<para> +<programlisting> + logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath + + This is typically implemented like: + + logon path = \\%L\Profiles\%u + + where: + %L translates to the name of the Samba server + %u translates to the user name +</programlisting> +</para> <para> -The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable. +The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. +The \\N%\%U service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for smb.conf in respect of the different +symantics of %L and %N, as well as %U and %u. </para> <note> 
@@ -69,45 +86,41 @@ between logons. It is recommended to NOT use the <emphasis>homes</emphasis> meta-service name as part of the profile share path. </para> </note> +</sect3> -</sect2> - -<sect2> -<title>Windows 9X Configuration</title> +<sect3> +<title>Windows 9x / Me User Profiles</title> <para> -To support Win9X clients, you must use the "logon home" parameter. Samba has +To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use /home" now works as well, and it, too, relies on the "logon home" parameter. </para> <para> -By using the logon home parameter, you are restricted to putting Win9X +By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file: +can use. If you set the following in the [global] section of your smb.conf file: </para> <para><programlisting> -logon home = \\%L\%U\.profiles + logon home = \\%L\%U\.profiles </programlisting></para> <para> -then your Win9X clients will dutifully put their clients in a subdirectory +then your Windows 9x / Me clients will dutifully put their clients in a subdirectory of your home directory called .profiles (thus making them hidden). </para> <para> Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area +Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified \\%L\%U for "logon home". </para> +</sect3> - -</sect2> - -<sect2> -<title>Win9X and WinNT Configuration</title> +<sect3> +<title>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</title> <para> You can support profiles for both Win9X and WinNT clients by setting both the 
@@ -115,20 +128,18 @@ You can support profiles for both Win9X and WinNT clients by setting both the </para> <para><programlisting> -logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U + logon home = \\%L\%u\.profiles + logon path = \\%L\profiles\%u </programlisting></para> -<note> -<para> -I have not checked what 'net use /home' does on NT when "logon home" is -set as above. -</para> -</note> +</sect3> </sect2> <sect2> -<title>Windows 9X Profile Setup</title> +<title>Windows Client Profile Configuration Information</title> + +<sect3> +<title>Windows 9x / Me Profile Setup</title> <para> When a user first logs in on Windows 9X, the file user.DAT is created, @@ -150,7 +161,7 @@ and deny them write access to this file. <orderedlist> <listitem> <para> - On the Windows 95 machine, go to Control Panel | Passwords and + On the Windows 9x / Me machine, go to Control Panel -> Passwords and select the User Profiles tab. Select the required level of roaming preferences. Press OK, but do _not_ allow the computer to reboot. @@ -159,8 +170,8 @@ and deny them write access to this file. <listitem> <para> - On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to + On the Windows 9x / Me machine, go to Control Panel -> Network -> + Client for Microsoft Networks -> Preferences. Select 'Log on to NT Domain'. Then, ensure that the Primary Logon is 'Client for Microsoft Networks'. Press OK, and this time allow the computer to reboot. 
@@ -170,12 +181,12 @@ and deny them write access to this file. </orderedlist> <para> -Under Windows 95, Profiles are downloaded from the Primary Logon. +Under Windows 9x / Me Profiles are downloaded from the Primary Logon. If you have the Primary Logon as 'Client for Novell Networks', then the profiles and logon script will be downloaded from your Novell Server. If you have the Primary Logon as 'Windows Logon', then the profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me. +concept of roaming profiles, it would seem! </para> <para> @@ -188,13 +199,13 @@ supports it), user name and user's password. </para> <para> -Once the user has been successfully validated, the Windows 95 machine +Once the user has been successfully validated, the Windows 9x / Me machine will inform you that 'The user has not logged on before' and asks you if you wish to save the user's preferences? Select 'yes'. </para> <para> -Once the Windows 95 client comes up with the desktop, you should be able +Once the Windows 9x / Me client comes up with the desktop, you should be able to examine the contents of the directory specified in the "logon path" on the samba server and verify that the "Desktop", "Start Menu", "Programs" and "Nethood" folders have been created. @@ -202,7 +213,7 @@ on the samba server and verify that the "Desktop", "Start Menu", <para> These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). +the user logs off (if you haven't made them read-only by then). You will find that if the user creates further folders or short-cuts, that the client will merge the profile contents downloaded with the contents of the profile directory already on the local client, taking 
@@ -211,9 +222,9 @@ the newest folders and short-cuts from each set. <para> If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as +then you will get errors from the Windows 9x / Me machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the Unix file +you have any errors reported by the Windows 9x / Me machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server. </para> 
@@ -244,71 +255,69 @@ they will be told that they are logging in "for the first time". you will find an entry, for each user, of ProfilePath. Note the contents of this key (likely to be c:\windows\profiles\username), then delete the key ProfilePath for the required user. - </para> - <para> [Exit the registry editor]. + </para> </listitem> -<listitem> + <listitem> <para> <emphasis>WARNING</emphasis> - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). + directory listed in the ProfilePath (this is likely to be + <filename>c:\windows\profiles\username)</filename>, ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). </para> <para> - This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. + This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. </para> -</listitem> + </listitem> -<listitem> + <listitem> <para> search for the user's .PWL password-caching file in the c:\windows directory, and delete it. </para> -</listitem> - + </listitem> -<listitem> + <listitem> <para> - log off the windows 95 client. + log off the windows 9x / Me client. </para> -</listitem> + </listitem> -<listitem> + <listitem> <para> check the contents of the profile path (see "logon path" described above), and delete the user.DAT or user.MAN file for the user, making a backup if required. 
</para> -</listitem> + </listitem> </orderedlist> <para> If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports. +and / or run a packet trace program such as ethereal or netmon.exe, and +look for error messages. </para> <para> -If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the +If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the differences are with the equivalent samba trace. </para> -</sect2> +</sect3> -<sect2> -<title>Windows NT Workstation 4.0</title> +<sect3> +<title>Windows NT4 Workstation</title> <para> When a user first logs in to a Windows NT Workstation, the profile @@ -318,12 +327,12 @@ through the "logon path" parameter. <para> There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and +"logon drive". This should be set to <filename>H:</filename> or any other drive, and should be used in conjunction with the new "logon home" parameter. </para> <para> -The entry for the NT 4.0 profile is a _directory_ not a file. The NT +The entry for the NT4 profile is a _directory_ not a file. The NT help on profiles mentions that a directory is also created with a .PDS extension. The user, while logging in, must have write permission to create the full profile path (and the folder with the .PDS extension 
@@ -331,8 +340,8 @@ for those situations where it might be created.) </para> <para> -In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", +In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates "Application Data" and others, as well as "Desktop", "Nethood", "Start Menu" and "Programs". The profile itself is stored in a file NTuser.DAT. Nothing appears to be stored in the .PDS directory, and its purpose is currently unknown. 
@@ -350,19 +359,131 @@ turns a profile into a mandatory one. The case of the profile is significant. The file must be called NTuser.DAT or, for a mandatory profile, NTuser.MAN. </para> +</sect3> -</sect2> +<sect3> +<title>Windows 2000/XP Professional</title> -<sect2> -<title>Windows NT/200x Server</title> +<para> +You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows: +</para> + +<itemizedlist> +<listitem><para> +Log on as the LOCAL workstation administrator. +</para></listitem> + +<listitem><para> +Right click on the 'My Computer' Icon, select 'Properties' +</para></listitem> + +<listitem><para> +Click on the 'User Profiles' tab +</para></listitem> + +<listitem><para> +Select the profile you wish to convert (click on it once) +</para></listitem> + +<listitem><para> +Click on the button 'Copy To' +</para></listitem> + +<listitem><para> +In the "Permitted to use" box, click on the 'Change' button. +</para></listitem> + +<listitem><para> +Click on the 'Look in" area that lists the machine name, when you click +here it will open up a selection box. Click on the domain to which the +profile must be accessible. +</para> + +<note><para>You will need to log on if a logon box opens up. Eg: In the connect +as: MIDEARTH\root, password: mypassword.</para></note> +</listitem> + +<listitem><para> +To make the profile capable of being used by anyone select 'Everyone' +</para></listitem> + +<listitem><para> +Click OK. The Selection box will close. +</para></listitem> + +<listitem><para> +Now click on the 'Ok' button to create the profile in the path you +nominated. +</para></listitem> +</itemizedlist> <para> -There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords. +Done. 
You now have a profile that can be editted using the samba-3.0.0 +profiles tool. </para> +<note> +<para> +Under NT/2K the use of mandotory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable. +</para> +</note> + +<note> +<itemizedlist> +<listitem><para> +This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:</para> + +<para>"Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders"</para> + +<para>...and it should be set to "Enabled". +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this. +</para> + +<para> +If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy): +</para> + +</listitem> + +<listitem><para> +On the XP workstation log in with an Administrator account. 
+</para></listitem> + +<listitem><para>Click: "Start", "Run"</para></listitem> +<listitem><para>Type: "mmc"</para></listitem> +<listitem><para>Click: "OK"</para></listitem> + +<listitem><para>A Microsoft Management Console should appear.</para></listitem> +<listitem><para>Click: File, "Add/Remove Snap-in...", "Add"</para></listitem> +<listitem><para>Double-Click: "Group Policy"</para></listitem> +<listitem><para>Click: "Finish", "Close"</para></listitem> +<listitem><para>Click: "OK"</para></listitem> + +<listitem><para>In the "Console Root" window:</para></listitem> +<listitem><para>Expand: "Local Computer Policy", "Computer Configuration",</para></listitem> +<listitem><para>"Administrative Templates", "System", "User Profiles"</para></listitem> +<listitem><para>Double-Click: "Do not check for user ownership of Roaming Profile</para></listitem> +<listitem><para>Folders"</para></listitem> +<listitem><para>Select: "Enabled"</para></listitem> +<listitem><para>Click: OK"</para></listitem> + +<listitem><para>Close the whole console. You do not need to save the settings (this +refers to the console settings rather than the policies you have +changed).</para></listitem> + +<listitem><para>Reboot</para></listitem> +</itemizedlist> +</note> +</sect3> </sect2> <sect2> 
@@ -393,12 +514,22 @@ NTuser.DAT files in the same profile directory. </sect2> - <sect2> -<title>Windows NT 4</title> +<title>Profile Migration from Windows NT4/200x Server to Samba</title> + +<para> +There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords. +</para> + +<sect3> +<title>Windows NT4 Profile Management Tools</title> <para> -Unfortunately, the Resource Kit info is Win NT4 or 200x specific. +Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. The correct resource kit is required for each platform. </para> <para> @@ -422,17 +553,17 @@ profile you copy this to. That is what you need to do, since your samba domain is not a member of a trust relationship with your NT4 PDC.</para></note> </listitem> -<listitem><para>Click the 'Copy To' button.</para></listitem> + <listitem><para>Click the 'Copy To' button.</para></listitem> -<listitem><para>In the box labelled 'Copy Profile to' add your new path, eg: -<filename>c:\temp\foobar</filename></para></listitem> + <listitem><para>In the box labelled 'Copy Profile to' add your new path, eg: + <filename>c:\temp\foobar</filename></para></listitem> -<listitem><para>Click on the button labelled 'Change' in the "Permitted to use" box.</para></listitem> + <listitem><para>Click on the button labelled 'Change' in the "Permitted to use" box.</para></listitem> -<listitem><para>Click on the group 'Everyone' and then click OK. This closes the -'chose user' box.</para></listitem> + <listitem><para>Click on the group 'Everyone' and then click OK. This closes the + 'chose user' box.</para></listitem> -<listitem><para>Now click OK.</para></listitem> + <listitem><para>Now click OK.</para></listitem> </itemizedlist> <para> 
@@ -454,16 +585,6 @@ settings as well as all your users. </sect3> -<sect3> -<title>Mandatory profiles</title> - -<para> -The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN. -</para> - -</sect3> <sect3> <title>moveuser.exe</title> 
@@ -499,133 +620,25 @@ subkey, you will see a string value named ProfileImagePath. </para> </sect3> - </sect2> +</sect1> -<sect2> -<title>Windows 2000/XP</title> - -<para> -You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows: -</para> - -<itemizedlist> -<listitem><para> -Log on as the LOCAL workstation administrator. -</para></listitem> - -<listitem><para> -Right click on the 'My Computer' Icon, select 'Properties' -</para></listitem> - -<listitem><para> -Click on the 'User Profiles' tab -</para></listitem> - -<listitem><para> -Select the profile you wish to convert (click on it once) -</para></listitem> - -<listitem><para> -Click on the button 'Copy To' -</para></listitem> - -<listitem><para> -In the "Permitted to use" box, click on the 'Change' button. -</para></listitem> - -<listitem><para> -Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible. -</para> - - -<note><para>You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword.</para></note> -</listitem> - -<listitem><para> -To make the profile capable of being used by anyone select 'Everyone' -</para></listitem> - -<listitem><para> -Click OK. The Selection box will close. -</para></listitem> - -<listitem><para> -Now click on the 'Ok' button to create the profile in the path you -nominated. -</para></listitem> -</itemizedlist> - -<para> -Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool. -</para> +<sect1> +<title>Mandatory profiles</title> -<note> <para> -Under NT/2K the use of mandotory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable. +The above method can be used to create mandatory profiles also. 
To convert +a group profile into a mandatory profile simply locate the NTUser.DAT file +in the copied profile and rename it to NTUser.MAN. </para> -</note> -<note> -<itemizedlist> -<listitem><para> -This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</para> - -<para>"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders"</para> +</sect1> -<para>...and it should be set to "Enabled". -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this. -</para> +<sect1> +<title>Creating/Managing Group Profiles</title> <para> -If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. I don't know for sure that this will work in the -same way as a domain group policy): +Blah goes here. </para> - -</listitem> - -<listitem><para> -On the XP workstation log in with an Administrator account. 
-</para></listitem> - -<listitem><para>Click: "Start", "Run"</para></listitem> -<listitem><para>Type: "mmc"</para></listitem> -<listitem><para>Click: "OK"</para></listitem> - -<listitem><para>A Microsoft Management Console should appear.</para></listitem> -<listitem><para>Click: File, "Add/Remove Snap-in...", "Add"</para></listitem> -<listitem><para>Double-Click: "Group Policy"</para></listitem> -<listitem><para>Click: "Finish", "Close"</para></listitem> -<listitem><para>Click: "OK"</para></listitem> - -<listitem><para>In the "Console Root" window:</para></listitem> -<listitem><para>Expand: "Local Computer Policy", "Computer Configuration",</para></listitem> -<listitem><para>"Administrative Templates", "System", "User Profiles"</para></listitem> -<listitem><para>Double-Click: "Do not check for user ownership of Roaming Profile</para></listitem> -<listitem><para>Folders"</para></listitem> -<listitem><para>Select: "Enabled"</para></listitem> -<listitem><para>Click: OK"</para></listitem> - -<listitem><para>Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed).</para></listitem> - -<listitem><para>Reboot</para></listitem> -</itemizedlist> -</note> - -</sect2> </sect1> </chapter> diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml index 91478740d6..239880160e 100644 --- a/docs/docbook/projdoc/ServerType.sgml +++ b/docs/docbook/projdoc/ServerType.sgml @@ -80,7 +80,7 @@ of a domain security context. This means by definition that all user authenticat will be done from a centrally defined authentication regime. The authentication regime may come from an NT3/4 style (old domain technology) server, or it may be provided from an Active Directory server (ADS) running on MS Windows 2000 or later. ->/para> +</para> <para><emphasis> Of course it should be clear that the authentication back end itself could be from any 
diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 66b9be1dbd..7aa280f4ef 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml @@ -4,6 +4,7 @@ <author><firstname>Alexander</firstname><surname>Bokovoy</surname></author> <author><firstname>Tim</firstname><surname>Potter</surname></author> <author><firstname>Simo</firstname><surname>Sorce</surname></author> + <author><firstname>John H</firstname><surname>Terpstra</surname></author> </chapterinfo> <title>Stackable VFS modules</title> @@ -67,6 +68,18 @@ facility. The following operations are logged: </sect2> <sect2> +<title>extd_audit</title> +<para> +This module is identical with the <emphasis>audit</emphasis> module above except +that it sends audit logs to both syslog as well as the smbd log file/s. The +loglevel for this module is set in the smb.conf file. At loglevel = 0, only file +and directory deletions and directory and file creations are logged. At loglevel = 1 +file opens are renames and permission changes are logged , while at loglevel = 2 file +open and close calls are logged also. +</para> +</sect2> + +<sect2> <title>recycle</title> <para> A recycle-bin like modules. When used any unlink call diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 8e7a409167..7e4b9bcbd0 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -180,7 +180,7 @@ only things you can do to stop this is to use SMB encryption. </member> - <member>Encrypted password support allows auto-matic share + <member>Encrypted password support allows automatic share (resource) reconnects.</member> </simplelist> </sect2> diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index db421bc690..7a8c4b6d06 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml 
@@ -29,6 +29,8 @@ <!ENTITY AdvancedNetworkAdmin SYSTEM "AdvancedNetworkAdmin.sgml"> <!ENTITY PolicyMgmt SYSTEM "PolicyMgmt.sgml"> <!ENTITY ProfileMgmt SYSTEM "ProfileMgmt.sgml"> +<!ENTITY NT4Migration SYSTEM "NT4Migration.sgml"> +<!ENTITY SWAT SYSTEM "SWAT.sgml"> ]> <book id="Samba-HOWTO-Collection"> @@ -110,25 +112,27 @@ for various environments. <para>Samba has several features that you might want or might not want to use. The chapters in this part each cover one specific feature.</para> </partintro> -&AdvancedNetworkAdmin; &NT-Security; &GROUP-MAPPING-HOWTO; -&Samba-PAM; &PRINTER-DRIVER2; &CUPS; &WINBIND; +&AdvancedNetworkAdmin; &PolicyMgmt; &ProfileMgmt; +&Samba-PAM; +&VFS; +&MS-Dfs-Setup; &IntegratingWithWindows; &BROWSING; -&MS-Dfs-Setup; -&VFS; &SecuringSamba; &unicode; </part> <part id="Appendixes"> <title>Appendixes</title> +&SWAT; +&NT4Migration; &SPEED; &Portability; &Other-Clients; |
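Review bot: In ProfileMgmt.sgml hunk @@ -350,19 +359,131, the second <note> tells the reader to enable "Do not check for user ownership of Roaming Profile Folders" without saying what that check is for or why it trips against a Samba profile share; the text should explain the ownership check, state that the first remedy is to make each user the owner of their own profile directory on the share, and present the policy as the fallback rather than the default answer. The first <listitem> of that note also leaves an open question in shipped documentation ("Does the new version of samba have an Active Directory analogue?"); either answer it or remove it. Smaller points in the same hunk: the first <note> embeds a literal credential ("connect as: MIDEARTH\root, password: mypassword"), which is better written with a placeholder such as "password: <your password>"; "editted" and "mandotory" are typos carried over from the moved text; and "Click: OK"" has an unbalanced quote.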
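Review bot: ProfileMgmt.sgml hunk @@ -422,17 +553,17 only re-indents five <listitem> lines by one space while the preceding items of the same <itemizedlist> (the context ending with "</listitem>" after the trust-relationship <note>) stay unindented, so the list ends up with mixed indentation; either indent the whole list or drop this whitespace-only change. If the lines are being touched anyway, "'chose user' box" should read "'choose user' box".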
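Review bot: In ProfileMgmt.sgml hunk @@ -499,133 +620,25, the new "Creating/Managing Group Profiles" sect1 ships with the placeholder paragraph "Blah goes here."; either write the section or keep it out of the build until it has content. The new "Mandatory profiles" sect1 opens with "The above method can be used to create mandatory profiles also", but it now follows the </sect1> that closes the migration chapter instead of the NT4 "Copy To" steps it was removed from in hunk @@ -454,16 +585,6, so "the above method" has no clear referent; name the method explicitly (copying the profile via the "Copy To" dialog and renaming NTUser.DAT to NTUser.MAN in the copy).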
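Review bot: In VFS.sgml hunk @@ -67,6 +68,18, the extd_audit paragraph says the module is "identical with the audit module above except" for the log destination, then describes per-level behaviour that is itself a difference, and the level 1 sentence is garbled: "At loglevel = 1 file opens are renames and permission changes are logged ," should read "At log level 1, file opens, renames and permission changes are logged," (note the stray space before the comma). The paragraph should also name the real smb.conf parameter, "log level", rather than "loglevel", and say whether the level 2 "file open and close calls" are in addition to the level 1 events, because an administrator sizing syslog for audit volume needs to know what each level adds.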
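Review bot: In samba-doc.sgml hunk @@ -29,6 +29,8, the new SYSTEM entities point at NT4Migration.sgml and SWAT.sgml, neither of which is created or touched anywhere in this diff; confirm both files exist in the tree, otherwise the unresolved entities break the SGML build.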
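Review bot: samba-doc.sgml hunk @@ -110,25 +112,27 removes &NT-Security;, &GROUP-MAPPING-HOWTO;, &PRINTER-DRIVER2;, &CUPS; and &WINBIND; from the features part and adds nothing in their place within the visible context, so unless those entities are referenced elsewhere in the file the corresponding chapters silently disappear from the built book; if the intent was only to reorder and add &PolicyMgmt;, &ProfileMgmt; and &VFS;, the five dropped entities need to be re-added.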