From 2757cde29e2b49c988bcf1d5140bae22f8f0bab2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 13 Jun 2005 15:29:53 +0000 Subject: Put Johns' changes back in again. (This used to be commit d5a730fc097311f498dd7c3fb2516a1fc0fa1fe7) --- docs/Samba3-ByExample/SBE-500UserNetwork.xml | 12 +- docs/Samba3-ByExample/SBE-AddingUNIXClients.xml | 440 ++++++++++------------- docs/Samba3-ByExample/SBE-Appendix1.xml | 10 +- docs/Samba3-ByExample/SBE-DomainAppsSupport.xml | 4 +- docs/Samba3-ByExample/SBE-HighAvailability.xml | 26 +- docs/Samba3-ByExample/SBE-KerberosFastStart.xml | 22 +- docs/Samba3-ByExample/SBE-MakingHappyUsers.xml | 6 +- docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml | 6 +- docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml | 14 +- docs/Samba3-ByExample/SBE-SecureOfficeServer.xml | 12 +- docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml | 6 +- docs/Samba3-ByExample/SBE-UpgradingSamba.xml | 12 +- docs/Samba3-ByExample/SBE-foreword.xml | 32 +- docs/Samba3-ByExample/SBE-inside-cover.xml | 49 +-- 14 files changed, 301 insertions(+), 350 deletions(-) diff --git a/docs/Samba3-ByExample/SBE-500UserNetwork.xml b/docs/Samba3-ByExample/SBE-500UserNetwork.xml index fda931fa0e..357af42453 100644 --- a/docs/Samba3-ByExample/SBE-500UserNetwork.xml +++ b/docs/Samba3-ByExample/SBE-500UserNetwork.xml 
@@ -642,10 +642,10 @@ root = Administrator /etc/mime.convs application/octet-stream This step, as well as the next one, may be omitted where CUPS version 1.1.18 - or later is in use. Although it does no harm to follow it anyhow, and may - help to avoid later time spent trying to figure out why print jobs may be - disappearing without trace. Look at these two steps as insurance - against lost time. Edit file /etc/cups/mime.convs to + or later is in use. Although it does no harm to follow it anyway, and may + help to avoid time spent later trying to figure out why print jobs may be + disappearing without a trace. Look at these two steps as insurance + against lost time. Edit file /etc/cups/mime.convs to uncomment the line: application/octet-stream application/vnd.cups-raw 0 - @@ -694,7 +694,7 @@ application/octet-stream There are some steps that apply to particular server functionality only. Each step is critical to correct server operation. The following step-by-step installation guidance will assist you - to work through the process of configuring the PDC and then both BDC's. + in working through the process of configuring the PDC and then both BDC's. @@ -893,7 +893,7 @@ Added user username. Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant> - The following steps will guide you trough the nuances of imlplementing BDC's for the broadcast + The following steps will guide you through the nuances of implementing BDCs for the broadcast isolated network segments. Remember that if the target installation platform is not Linux, it may be necessary to adapt some commands to the equivalent on the target platform. diff --git a/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml b/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml index 78c76c91eb..7415da34b9 100644 --- a/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml +++ b/docs/Samba3-ByExample/SBE-AddingUNIXClients.xml 
@@ -113,7 +113,7 @@ accountsauthoritative PDC BDC - A domain controller (PDC or BDC) is always authoritative for all accounts in its Domain. + A domain controller (PDC or BDC) is always authoritative for all accounts in its domain. This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs to the same values that the PDC resolved them to. @@ -190,41 +190,32 @@ casual user. - - winbind enable local accounts - - Domain Member - servers - - Domain Controllers - + + winbind trusted domains only + domain memberservers + domain controllers If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable - of being resolved using) the NSS facility, it is imperative to use the - Yes - in the &smb.conf; file. This parameter specifically applies only to domain controllers, - not to domain member servers. + of being resolved using) the NSS facility, it is possible to use the + Yes + in the &smb.conf; file. This parameter specifically applies to domain controllers, + and to domain member servers. + - - Posix accounts - - Samba accounts - - LDAP - + + Posix accounts + Samba accounts + LDAP For many administrators, it should be plain that the use of an LDAP-based repository for all network accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and controllable facility. You eventually appreciate the decision to use LDAP. - - nss_ldap - - identifiers - - resolve - + + nss_ldap + identifiers + resolve If your network account information resides in an LDAP repository, you should use it ahead of any alternative method. This means that if it is humanly possible to use the nss_ldap tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides 
@@ -232,20 +223,13 @@ throughout the network. - - Domain Member - server - - winbind trusted domains only - - getpwnam - - smbd - - Trusted Domains - - External Domains - + + Domain Memberserver + winbind trusted domains only + getpwnam + smbd + Trusted Domains + External Domains In the situation where UNIX accounts are held on the domain member server itself, the only effective way to use them involves the &smb.conf; entry Yes. This forces @@ -254,17 +238,12 @@ disables the use of Samba with trusted domains (i.e., external domains). - - appliance mode - - Domain Member - server - - winbindd - - automatically allocate - - Winbind can be used to create an appliance mode domain member server. In this capacity, winbindd + + appliance mode + Domain Memberserver + winbindd + automatically allocate + Winbind can be used to create an appliance mode domain member server. In this capacity, winbindd is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation is made for all accounts that connect to that domain member server, whether within its own domain or from trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database. @@ -273,9 +252,8 @@ is stored in the winbindd_idmap.tdb and winbindd_cache.tdb files. - - mapping - + + mapping The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member servers so configured. This solves one of the major headaches for network administrators who need to copy 
@@ -287,16 +265,11 @@ Political Issues - - OpenLDAP - - NIS - - yellow pages - NIS - - identity management - + + OpenLDAP + NIS + yellow pagesNIS + identity management One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP is different and requires a new approach to the need for a better identity management solution. The more @@ -311,11 +284,9 @@ commercial integration products. But it's not what Active Directory was designed for. - - directory - - management - + + directory + management A number of long-term UNIX devotees have recently commented in various communications that the Samba Team is the first application group to almost force network administrators to use LDAP. It should be pointed out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has @@ -330,25 +301,18 @@ Implementation - - Domain Member - server - - Domain Member - client - - Domain Controller - - The domain Member server and the domain member client are at the center of focus in this chapter. + + Domain Memberserver + Domain Memberclient + Domain Controller + The domain member server and the domain member client are at the center of focus in this chapter. Configuration of Samba-3 domain controller is covered in earlier chapters, so if your interest is in domain controller configuration, you will not find that here. You will find good oil that helps you to add domain member servers and clients. - - Domain Member - workstations - + + Domain Memberworkstations In practice, domain member servers and domain member workstations are very different entities, but in terms of technology they share similar core infrastructure. A technologist would argue that servers and workstations are identical. Many users would argue otherwise, given that in a well-disciplined 
@@ -357,22 +321,18 @@ but a server is viewed as a core component of the business. - - workstation - + + workstation We can look at this another way. If a workstation breaks down, one user is affected, but if a server breaks down, hundreds of users may not be able to work. The services that a workstation must provide are document- and file-production oriented; a server provides information storage and is distribution oriented. - - authentication process - - logon process - - user identities - + + authentication process + logon process + user identities Why is this important? For starters, we must identify what components of the operating system and its environment must be configured. Also, it is necessary to recognize where the interdependencies between the various services to be used are. 
@@ -388,52 +348,52 @@ - Samba Domain with Samba Domain Member Server &smbmdash; Using LDAP + Samba Domain with Samba Domain Member Server &smbmdash; Using NSS LDAP - - ldapsam - - ldapsam backend - - IDMAP - - mapping - consistent - - winbindd - - foreign SID - + + ldapsam + ldapsam backend + IDMAP + mappingconsistent + winbindd + foreign SID In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using an LDAP ldapsam backend. We are adding to the LDAP backend database (directory) containers for use by the IDMAP facility. This makes it possible to have globally consistent - mapping of SIDs to and from UIDs and GIDs. This means that you are running winbindd - as part of your configuration. The primary purpose of running winbindd (within - this operational context) is to permit mapping of foreign SIDs (those not originating from our - own domain). Foreign SIDs can come from any external domain or from Windows clients that do not - belong to a domain. + mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run + winbindd as part of your configuration. The primary purpose of running + winbindd (within this operational context) is to permit mapping of foreign + SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any + domain member client or server, or from Windows clients that do not belong to a domain. Another + way to explain the necessity to run winbindd is that Samba can locally + resolve only accounts that belong to the security context of its own machine SID. Winbind + handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated + from the parameter values set in the &smb.conf; file for the idmap uid and + idmap gid ranges. Where LDAP is used, the mappings can be stored in LDAP + so that all domain member servers can use a consistent mapping. 
- - winbindd - - getpwnam - - NSS - - If your installation is accessed only from clients that are members of your own domain, then - it is not necessary to run winbindd as long as all users can be resolved - locally via the getpwnam() system call. On NSS-enabled systems, this condition - is met by having + + winbindd + getpwnam + NSS + If your installation is accessed only from clients that are members of your own domain, and all + user accounts are present in a local passdb backend then it is not necessary to run + winbindd. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam. + + + + It is possible to use a local passdb backend with any convenient means of resolving the POSIX + user and group account information. The POSIX information is usually obtained using the + getpwnam() system call. On NSS-enabled systems, the actual POSIX account + source can be provided from - - /etc/passwd - - /etc/group - - All accounts in /etc/passwd or in /etc/group. + + /etc/passwd + /etc/group + Accounts in /etc/passwd or in /etc/group. @@ -455,6 +415,12 @@ + + To advoid confusion the use of the term local passdb backend means that + the user account backend is not shared by any other Samba server &smbmdash; instead, it is + used only locally on the Samba domain member server under discussion. + + Identity resolution The diagram in demonstrates the relationship of Samba and system @@ -467,11 +433,9 @@ chap9-SambaDC - - IDMAP - - foreign - + + IDMAP + foreign In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam to obtain authentication and user identity information. The IDMAP information is stored in the LDAP backend so that it can be shared by all domain member servers so that every user will have a 
@@ -487,25 +451,30 @@ - Configuration of LDAP-Based Identity Resolution + Configuration of NSS_LDAP-Based Identity Resolution Create the &smb.conf; file as shown in . Locate this file in the directory /etc/samba. - - ldap.conf - + + ldap.conf Configure the file that will be used by nss_ldap to locate and communicate with the LDAP server. This file is called ldap.conf. If your implementation of nss_ldap is consistent with the defaults suggested by PADL (the authors), it will be located in the /etc directory. On some systems, the default location is - the /etc/openldap directory. Change the parameters inside - the file that is located on your OS so it matches . - To find the correct location of this file, you can obtain this from the - library that will be used by executing the following: + the /etc/openldap directory, however this file is intended + for use by the OpenLDAP utilities and should not really be used by the nss_ldap + utility since its content and structure serves the specific purpose of enabling + the resolution of user and group IDs via NSS. + + + + Change the parameters inside the file that is located on your OS so it matches + . To find the correct location of this file, you + can obtain this from the library that will be used by executing the following: &rootprompt; strings /lib/libnss_ldap* | grep ldap.conf /etc/ldap.conf @@ -513,15 +482,13 @@ - Configure the NSS control file so it matches the one shown - in . + Configure the NSS control file so it matches the one shown in + . - - Identity resolution - - getent - + + Identity resolution + getent Before proceeding to configure Samba, validate the operation of the NSS identity resolution via LDAP by executing: 
@@ -556,24 +523,21 @@ Finances:x:1001: PIOps:x:1002: sammy:x:4321: - - secondary group - - primary group - - group membership - + secondary group + primary group + group membership This shows that all is working as it should be. Notice that in the LDAP database the users' primary and secondary group memberships are identical. It is not necessary to add secondary group memberships (in the group database) if the user is already a member via primary group membership in the password database. When using winbind, it is in fact undesirable to do this because it results in - doubling up of group memberships and may break winbind under certain conditions. + doubling up of group memberships and may cause problems with winbind under certain + conditions. It is intended that these limitations with winbind will be resolved soon + after Samba-3.0.20 has been released. - - slapcat - + + slapcat The LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: 
@@ -582,25 +546,28 @@ sammy:x:4321: dn: ou=Idmap,dc=abmas,dc=biz ou: idmap - - ldapadd - - If the execution of this command does not return IDMAP entries, you need to create an LDIF - template file (see ). You can add the required entries using the following command: + ldapadd + If the execution of this command does not return IDMAP entries, you need to create an LDIF + template file (see ). You can add the required entries using + the following command: &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ -w not24get < /etc/openldap/idmap.LDIF - Samba automatically populates this LDAP directory container when it needs to. - - net - rpc - join - - Domain join - + + Samba automatically populates the LDAP directory container when it needs to. To permit Samba + write access to the LDAP directory it is necessary to set the LDAP administrative password + in the secrets.tdb file as shown here: + +&rootprompt; smbpasswd -w not24get + + + + + netrpcjoin + Domain join The system is ready to join the domain. Execute the following: &rootprompt; net rpc join -U root%not24get @@ -632,9 +599,9 @@ Joined domain MEGANET2. failed join rejected restrict anonymous - Note: Use "root" for UNIX/Linux and Samba, use "Administrator"for Windows NT4/200X. If the cause of + Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that - says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the + says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the restrict anonymous setting. Set this to the value 0 so that an anonymous connection can be sustained, then try again. 
@@ -665,12 +632,12 @@ Join to 'MEGANET2' failed. wbinfo Just joining the domain is not quite enough; you must now provide a privileged set - of credentials through which winbindd can interact with the ADS + of credentials through which winbindd can interact with the domain servers. Execute the following to implant the necessary credentials: &rootprompt; wbinfo --set-auth-user=Administrator%not24get - The configuration is now ready to obtain ADS domain user and group information. + The configuration is now ready to obtain the Samba domain user and group information. @@ -786,7 +753,7 @@ aliases: files - NT4/Samba Domain with Samba Domain Member Server: Using Winbind + NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind You need to use this method for creating a Samba domain member server if any of the following conditions @@ -803,32 +770,27 @@ aliases: files - The Samba domain member server must be part of a Windows NT4 Domain. + The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain. - - Windows ADS Domain - - Samba Domain - - LDAP - + + Windows ADS Domain + Samba Domain + LDAP Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain. Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style domain and/or does not use LDAP. - - duplicate accounts - + + duplicate accounts If you use winbind for identity resolution, make sure that there are no duplicate accounts. - - /etc/passwd - + + /etc/passwd For example, do not have more than one account that has UID=0 in the password database. If there is an account called root in the /etc/passwd database, it is okay to have an account called root in the LDAP ldapsam or in the 
@@ -837,29 +799,20 @@ aliases: files root. - - /etc/passwd - - ldapsam - - tdbsam - + + /etc/passwd + ldapsam + tdbsam Winbind will break if there is an account in /etc/passwd that has the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only. - - credentials - - traverse - - wide-area - - network - wide-area - - tdbdump - + + credentials + traverse + wide-area + networkwide-area + tdbdump The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials. The winbind information is locally cached in the winbindd_cache.tdb winbindd_idmap.tdb files. This provides considerable performance benefits compared with the LDAP solution, particularly @@ -876,32 +829,26 @@ aliases: files shown in . - - /etc/nsswitch.conf - + + /etc/nsswitch.conf Edit the /etc/nsswitch.conf so it has the entries shown in . - - net - rpc - join - + + netrpcjoin The system is ready to join the domain. Execute the following: net rpc join -U root%not2g4et Joined domain MEGANET2. - This indicates that the domain join succeed. + This indicates that the domain join succeed. - - winbind - - wbinfo - + + winbind + wbinfo Validate operation of winbind using the wbinfo tool as follows: @@ -929,13 +876,10 @@ MEGANET2+PIOps This shows that domain groups have been correctly obtained also. - - NSS - - getent - - winbind - + + NSS + getent + winbind The next step verifies that NSS is able to obtain this information correctly from winbind also. @@ -979,6 +923,7 @@ MEGANET2+PIOps:x:10005: The Samba member server of a Windows NT4 domain is ready for use. + @@ -1063,7 +1008,7 @@ MEGANET2+PIOps:x:10005: net rpc join -U root%not24get Joined domain MEGANET2. - This indicates that the domain join succeed. + This indicates that the domain join succeed. 
@@ -1180,9 +1125,8 @@ Joined domain MEGANET2. Joining a Samba Server as an ADS Domain Member - - smbd - + + smbd Before you try to use Samba-3, you want to know for certain that your executables have support for Kerberos and for LDAP. Execute the following to identify whether or not this build is perhaps suitable for use: @@ -1498,11 +1442,8 @@ Server time offset: 2 In any case, the output we obtained confirms that all systems are operational. - - net - ads - status - + + netadsstatus There is one more action you elect to take, just because you are paranoid and disbelieving, so you execute the following command: @@ -1583,6 +1524,7 @@ Permissions: called FRAN is able to communicate fully with the ADS domain controllers. + @@ -2023,7 +1965,7 @@ ssl no - Configure an LDAP server and initialize the directory with the top level entries needed by IDMAP + Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP as shown in the following LDIF file: dn: dc=snowshow,dc=com @@ -2237,8 +2179,8 @@ hosts: files wins - The following guidelines are pertinent the deployment of winbind-based authentication - and identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops + The following guidelines are pertinent to the deployment of winbind-based authentication + and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops using Windows network domain user credentials (username and password). 
@@ -2261,7 +2203,7 @@ hosts: files wins PAM Identity resolution NSS - To permit users to log onto a Linux system using Windows network credentials, you need to + To permit users to log on to a Linux system using Windows network credentials, you need to configure identity resolution (NSS) and PAM. This means that the basic steps include those outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) usually do not need to provide file and print services to a group of users, the configuration @@ -2443,7 +2385,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you learned how to integrate such servers so that the UID/GID mappings they use can be consistent across all domain member servers. You also discovered how to implement the ability to use Samba - or Windows domain account credentials to log onto a UNIX/Linux client. + or Windows domain account credentials to log on to a UNIX/Linux client. @@ -2624,7 +2566,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass - Are you suggesting that users should not log onto a domain member server? If so, why? + Are you suggesting that users should not log on to a domain member server? If so, why? diff --git a/docs/Samba3-ByExample/SBE-Appendix1.xml b/docs/Samba3-ByExample/SBE-Appendix1.xml index 5e9fd1f07b..cc22e4ca9d 100644 --- a/docs/Samba3-ByExample/SBE-Appendix1.xml +++ b/docs/Samba3-ByExample/SBE-Appendix1.xml 
@@ -1224,10 +1224,10 @@ to LAM using only SSL. - The next major release, LAM 0.5, will have less restrictions and support the latest Samba features - (e.g. logon hours). The new plugin based architecture also allows to manage much more different - account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another - important point is the tree view which allows to browse and edit LDAP objects directly. + The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features + (e.g., logon hours). The new plugin-based architecture also allows management of much more different + account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another + important point is the tree view which allows browsing and editing LDAP objects directly. @@ -1419,7 +1419,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt Microsoft Access - The best advice that can be given is to carefully read the Microsoft knowledge base articles that + The best advice that can be given is to carefully read the Microsoft knowledgebase articles that cover this area. Examples of relevant documents include: diff --git a/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml b/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml index 4ca9a097a8..2913873692 100644 --- a/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml +++ b/docs/Samba3-ByExample/SBE-DomainAppsSupport.xml @@ -36,7 +36,7 @@ With this acquisition comes new challenges for you and your team. Abmas Snack Foods is a well-developed business with a huge and heterogeneous network. It already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. - The network is mature and well established, and there is no question of its chosen + The network is mature and well-established, and there is no question of its chosen user authentication scheme being changed for now. You need to take a wise new approach. 
@@ -792,7 +792,7 @@ group: files winbind - You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory. + You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. diff --git a/docs/Samba3-ByExample/SBE-HighAvailability.xml b/docs/Samba3-ByExample/SBE-HighAvailability.xml index a309f3aea8..db94af4d2f 100644 --- a/docs/Samba3-ByExample/SBE-HighAvailability.xml +++ b/docs/Samba3-ByExample/SBE-HighAvailability.xml @@ -253,10 +253,10 @@ DNSname lookup resolve A Samba server called FRED in a NetBIOS domain called COLLISION - in a network environment that is part of the fully qualified Internet domain namespace known - as parrots.com results in DNS name lookups for fred.parrots.com + in a network environment that is part of the fully-qualified Internet domain namespace known + as parrots.com, results in DNS name lookups for fred.parrots.com and collision.parrots.com. It is therefore a mistake to name the domain - (workgroup) collision.parrots.com, since this results in DNS lookup + (workgroup) collision.parrots.com, since this results in DNS lookup attempts to resolve fred.parrots.com.parrots.com, which most likely fails given that you probably do not have this in your DNS namespace. @@ -375,7 +375,7 @@ - As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also. + As the size of the &smb.conf; file grows, the risk of introducing parsing errors also increases. It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only with an optimized file. 
@@ -479,7 +479,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Domain Controller As a general guide, instead of adding domain member servers to a network, you would be better advised to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add - domain member servers. This practice ensures that there is always sufficient domain controllers + domain member servers. This practice ensures that there are always sufficient domain controllers to handle logon requests and authentication traffic. 
@@ -617,33 +617,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. There exist applications that create or manage directories containing many thousands of files. Such - applications typically generate many small files (less than 100 KB). At the best of times under UNIX - listing of the files in a directory that contains many files is slow. By default Windows NT, 200x, + applications typically generate many small files (less than 100 KB). At the best of times, under UNIX, + listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, and XP Pro cause network file system directory lookups on a Samba server to be performed for both the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead on the Samba server that may slow down the system dramatically. - In an extreme case the performance impact was dramatic. File transfer from the Samba server to a Windows + In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately - 30 MB/sec. But when tranfering a directory containng 120,000 files, all from 50KB to 60KB in size, the + 30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was - of the order of a factor of 20-fold slower. + on the order of a factor of 20-fold slower. The symptoms that will be observed on the Samba server when a large directory is accessed will be that - aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredably + aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly long while at the same time the read queue is large. 
Close observation will show that the hard drive that the file system is on will be thrashing wildly. - Samba-3.0.12, and later, includes new code that radically improves Samba perfomance. The secret to this is + Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is really in the True line. This tells smbd never to scan for case-insensitive versions of names. So if an application asks for a file called FOO, - and it can not be found by a simple stat call, then smbd will return file not found immediately without + and it can not be found by a simple stat call, then smbd will return "file not found" immediately without scanning the containing directory for a version of a different case. diff --git a/docs/Samba3-ByExample/SBE-KerberosFastStart.xml b/docs/Samba3-ByExample/SBE-KerberosFastStart.xml index 42546c1256..58ac2b6931 100644 --- a/docs/Samba3-ByExample/SBE-KerberosFastStart.xml +++ b/docs/Samba3-ByExample/SBE-KerberosFastStart.xml @@ -292,7 +292,7 @@ You agreed with Stan's recommendations and hired a consultant to help defuse the powder keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able - to support his or her claims, keep emotions to a side, and answer technically. + to support his or her claims, keep emotions to the side, and answer technically. @@ -464,7 +464,7 @@ Windows network administrators may be dismayed to find that winbind exposes all domain users so that they may use their domain account credentials to - log onto a UNIX/Linux system. The fact that all users in the domain can see the + log on to a UNIX/Linux system. The fact that all users in the domain can see the UNIX/Linux server in their Network Neighborhood and can browse the shares on the server seems to excite them further. 
@@ -676,9 +676,9 @@ The release of Samba-4 is expected around late 2004 to early 2005 and involves a near complete rewrite to permit extensive modularization and to prepare Samba for new - functionality planned for addition during the next-generation series. The Samba Team + functionality planned for addition during the next-generation series. The Samba Team is responsible and can be depended upon; the history to date suggests a high - degree of dependability as well on charter development consistent with published + degree of dependability and on charter development consistent with published roadmap projections. @@ -877,7 +877,7 @@ Kerberos is a network authentication protocol that provides secure authentication for client-server applications by using secret-key cryptography. Firewalls are an insufficient - barrier mechanism in todays networking world; at best they only restrict incoming network + barrier mechanism in today's networking world; at best they only restrict incoming network traffic but cannot prevent network traffic that comes from authorized locations from performing unauthorized activities. @@ -924,7 +924,7 @@ Kerberos was, until recently, a technology that was restricted from being exported from the United States. For many years that hindered global adoption of more secure networking technologies both within the United States - and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe + and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project. In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos. It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications 
@@ -966,7 +966,7 @@ It so happens that Microsoft Windows clients depend on and expect the contents of the unspecified fields in the Kerberos 5 communications data stream for their Windows interoperability, - particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability + particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional, there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment (DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by @@ -1027,7 +1027,7 @@ account - From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator + From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator account (on Samba domains, this is usually the account called root). @@ -1142,7 +1142,7 @@ hierarchy of control - It must be emphasized that the controls here discussed can act as a filter or give rights of passage + It must be emphasized that the controls discussed here can act as a filter or give rights of passage that act as a superstructure over normal directory and file access controls. However, share-level ACLs act at a higher level than do share definition controls because the user must filter through the share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented @@ -1525,7 +1525,7 @@ - From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator + From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator account (on Samba domains, this is usually the account called root). 
@@ -1728,7 +1728,7 @@ other::r-x inheritance - It is highly recommend that you read the online manual page for the setfacl + It is highly recommended that you read the online manual page for the setfacl and getfacl commands. This provides information regarding how to set/read the default ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent of setting inheritance properties. diff --git a/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml b/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml index d40414eda4..ff22c79201 100644 --- a/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml +++ b/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml @@ -2132,7 +2132,7 @@ Let's start configuring the smbldap-tools scripts ... . workgroup name: name of the domain Samba act as a PDC workgroup name [MEGANET2] > -. netbios name: netbios name of the samba controler +. netbios name: netbios name of the samba controller netbios name [MASSIVE] > . logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:' @@ -3739,8 +3739,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Before puching out new desktop images for the client workstations, it is perhaps a good idea that - desktop behavior should be returned to the original Microsoft settings. The followin steps achieve + Before punching out new desktop images for the client workstations, it is perhaps a good idea that + desktop behavior should be returned to the original Microsoft settings. The following steps achieve that ojective: diff --git a/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml b/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml index bcc1181f34..548aee69ea 100644 --- a/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml +++ b/docs/Samba3-ByExample/SBE-MigrateNT4Samba3.xml 
@@ -120,7 +120,7 @@ Do not forget to validate the security descriptors in the profiles share as well as network logon scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this as a good time to update desktop systems also. In all, the extra effort should constitute no - real disruption to users, but rather, with due diligence and care should make their network experience + real disruption to users, but rather, with due diligence and care, should make their network experience a much happier one. @@ -683,7 +683,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \ Install the Idealx smbldap-tools software package, following the instructions given in . The resulting perl scripts should be located in the /opt/IDEALX/sbin directory. - Change into that location, or whereever the scripts have been installed. Execute the + Change into that location, or wherever the scripts have been installed. Execute the configure.pl script to configure the Idealx package for use. Note: Use the domain SID obtained from the step above. The following is an example configuration session: @@ -1525,7 +1525,7 @@ Users Ordinary users When migrating a smbpasswd file to an LDAP backend, the UID of each account is taken together with the account information in the - /etc/passwd, and both sets of data are used to create the account + /etc/passwd, and both sets of data are used to create the account entry in the LDAP database. diff --git a/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml b/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml index 9a896e256b..7b290c6de7 100644 --- a/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml +++ b/docs/Samba3-ByExample/SBE-MigrateNW4Samba3.xml 
@@ -29,7 +29,7 @@ migration Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many years who surfaced on the Samba mailing list with a barrage of questions and who - regularly now helps other administrators to solve thorny Samba migration questions. + regularly helps other administrators to solve thorny Samba migration questions. @@ -52,7 +52,7 @@ The priority that Misty faced was one of migration of the data files off the NetWare 4.11 - server and onto a Samba-ased Windows file and print server. This chapter does not pretend + server and onto a Samba-based Windows file and print server. This chapter does not pretend to document all the different methods that could be used to migrate user and group accounts off a NetWare server. Its focus is on migration of data files. @@ -232,7 +232,7 @@ entering everything from the printed company directory. This used only the inetOrgPerson object class from the OpenLDAP schemas. The next step was to write a shell script that would look at the /etc/passwd and /etc/shadow - files on our mail server and create a LDIF file from which the information could be + files on our mail server and create an LDIF file from which the information could be imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, and SMTP. @@ -971,7 +971,7 @@ The Idealx smbldap-tools package can be configured using a script called configure.pl that is provided as part of the tool. See for an example of its use. Many administrators, like Misty, choose to do this manually so as to maintain greater awareness of how the tool-chain works and possibly to avoid -undesirable actions from occurring un-noticed. +undesirable actions from occurring unnoticed. 
@@ -1203,7 +1203,7 @@ masterPw="verysecret" The next step was to run the smbldap-populate command, which populates the LDAP tree with the appropriate default users, groups, and UID and GID pools. It creates a user called Administrator with UID=0 and GID=0 matching the - Domain Admins group. This is fine because you can still log on a root to a Windows system, + Domain Admins group. This is fine because you can still log on as root to a Windows system, but it will break cached credentials if you need to log on as the administrator to a system that is not on the network. @@ -1384,7 +1384,7 @@ sambaAcctFlags: [W ] netlogon - So now I could log on with a test user from the machine w2kengrspare. It was all fine and + So now I could log on with a test user from the machine w2kengrspare. It was all well and good, but that user was in no groups yet and so had pretty boring access. I fixed that by writing the login script! To write the login script, I used Kixtart because it will work @@ -1619,7 +1619,7 @@ ENDIF One option is to check the OS as part of the Kixtart script, and if it is Win9x and is the first login, copy a premade autoexec.bat to the C: drive. I - have onlythree such machines, and one is going away in the very near future, + have only three such machines, and one is going away in the very near future, so it was easier to do it by hand. diff --git a/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml b/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml index 1a43987222..ba695994c3 100644 --- a/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml +++ b/docs/Samba3-ByExample/SBE-SecureOfficeServer.xml 
@@ -1516,9 +1516,9 @@ hosts: files dns wins Printer Configuration - Network administrators who are new to CUPS based printing typically experience some difficulty mastering + Network administrators who are new to CUPS based-printing typically experience some difficulty mastering its powerful features. The steps outlined in this section are designed to navigate around the distractions - of learning CUPS. Instead of implementing smart features and capabilties our approach is to use it as a + of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a transparent print queue that performs no filtering, and only minimal handling of each print job that is submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that the correct printer driver must be installed on all clients. @@ -1609,7 +1609,7 @@ application/octet-stream Note: If the parameter cups options = Raw is specified in the &smb.conf; file, - the last two steps can be omitted where CUPS version 1.1.18, or later. + the last two steps can be omitted with CUPS version 1.1.18, or later. @@ -1826,7 +1826,7 @@ hosts: files dns wins &rootprompt; testparm -s Load smb config files from smb.conf -rocessing section "[homes]" +Processing section "[homes]" Processing section "[printers]" Processing section "[netlogon]" Processing section "[profiles]" 
@@ -2298,14 +2298,14 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - Log onto the machine as the local Administrator (the only option), and join the machine to + Log on to the machine as the local Administrator (the only option), and join the machine to the Domain, following the procedure set out in Appendix A, . The system is now ready for the user to log on, provided you have created a network logon account for that user, of course. - Instruct all users to log onto the workstation using their assigned username and password. + Instruct all users to log on to the workstation using their assigned username and password. diff --git a/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml b/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml index 1c41ec9811..9ba4d867de 100644 --- a/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml +++ b/docs/Samba3-ByExample/SBE-SimpleOfficeServer.xml @@ -10,7 +10,7 @@ is the end of the road because their needs will have been adequately met. For others, this chapter is the beginning of a journey that will take them well past the contents of this book. This book provides example configurations of, for the greater part, complete networking solutions. The intent of this book - is to help you to get your Samba installation working with least amount of pain and aggravation. + is to help you to get your Samba installation working with the least amount of pain and aggravation. 
@@ -570,12 +570,12 @@ Password changed Install the &smb.conf; file shown in in the /etc/samba directory. This newer &smb.conf; file uses user-mode security - and is more suited to the mode of operation of Samba-3 that the older share-mode security + and is more suited to the mode of operation of Samba-3 than the older share-mode security configuration that was shown in the first edition of this book. - Note: If you want to use the older style configuration that uses share-mode security, you + Note: If you want to use the older-style configuration that uses share-mode security, you can install the file shown in in the /etc/samba directory. diff --git a/docs/Samba3-ByExample/SBE-UpgradingSamba.xml b/docs/Samba3-ByExample/SBE-UpgradingSamba.xml index ded03bcba5..1bc1f1f7ed 100644 --- a/docs/Samba3-ByExample/SBE-UpgradingSamba.xml +++ b/docs/Samba3-ByExample/SBE-UpgradingSamba.xml @@ -83,7 +83,7 @@ to perform a major upgrade. Many administrators have experienced the consequence of failure to take adequate precautions. So what is adequate? That is simple! If data is lost during an upgrade or update and it can not be restored, the precautions taken were inadequate. If a backup was not needed, but was available, -precaution was on the side of the victor. +caution was on the side of the victor. @@ -127,7 +127,7 @@ precaution was on the side of the victor. There is an old axiom that says, The greater the volume of the documentation, the greater the risk that noone will read it, but where there is no documentation, noone can read it! While true, some documentation is an evil necessity. - It is to be hoped that this update to the documentation will avoid both extremes. + It is hoped that this update to the documentation will avoid both extremes. 
@@ -965,7 +965,7 @@ that are compatible with the original OS vendor's practices. binary package binary files -If you are not sure whether or a binary package complies with the OS +If you are not sure whether a binary package complies with the OS vendor's practices, it is better to ask the package maintainer via email than to waste much time dealing with the nuances. Alternately, just diagnose the paths specified by the binary files following @@ -1116,8 +1116,8 @@ back to searching the 'ldap suffix' in some cases. is stored in the smbpasswd or in the tdbsam format, the user and group account information for UNIX accounts that match the Samba accounts will reside in the system - /etc/passwd, /etc/shadow, and - /etc/group files. In this case be sure to copy these + /etc/passwd, /etc/shadow, and + /etc/group files. In this case, be sure to copy these account entries to the new target server. @@ -1152,7 +1152,7 @@ back to searching the 'ldap suffix' in some cases. Where UNIX (POSIX) user and group accounts are stored in the system - /etc/passwd, /etc/shadow, and + /etc/passwd, /etc/shadow, and /etc/group files, be sure to add the same accounts with identical UID and GID values for each user. diff --git a/docs/Samba3-ByExample/SBE-foreword.xml b/docs/Samba3-ByExample/SBE-foreword.xml index e8fa80ce31..d90aead066 100644 --- a/docs/Samba3-ByExample/SBE-foreword.xml +++ b/docs/Samba3-ByExample/SBE-foreword.xml 
@@ -19,14 +19,14 @@ of open-source software solutions globally, and in particular within the United The OSSI has global affiliations with like-minded organizations. Our affiliate in the United Kingdom is the Open Source Consortium. Both the OSSI and the OSC share a common objective to expand the use of open-source -software in federal, state and municipal government agencies and in academic institutions. We represent +software in federal, state, and municipal government agencies; and in academic institutions. We represent businesses that provide professional support services that answer the needs of our target organizational -information technology consumers in an effective and cost efficient manner. +information technology consumers in an effective and cost-efficient manner. Open source software has matured greatly over the past 5 years with the result that an increasing number of -people who hold key influential decision-making positions want to know how the business model works. They +people who hold key decision-making positions want to know how the business model works. They want to understand how problems get resolved, how questions get answered, and how the development model is sustained. Information and Communications Technology directors in defense organizations, and in other government agencies that deal with sensitive information, want to become familiar with development road-maps 
@@ -36,38 +36,38 @@ and, in particular, seek to evaluate the track record of the main-stream open-so Wherever the OSSI gains entrance to new opportunities we find that Microsoft Windows technologies are the benchmark against which open-source software solutions are measured. Two open-source software projects -are key to our ability to present a structured, and convincing, proposition that there are alternatives -to the incumbent proprietary means of meeting information technology needs. They are the Apache Web server +are key to our ability to present a structured and convincing proposition that there are alternatives +to the incumbent proprietary means of meeting information technology needs. They are the Apache Web Server and Samba. -Just as the Apache web server is the standard in web serving technology, Samba is the definitive standard -for providing inter-operability with UNIX systems and other non-Microsoft operating system platforms. Both +Just as the Apache Web Server is the standard in web serving technology, Samba is the definitive standard +for providing interoperability with UNIX systems and other non-Microsoft operating system platforms. Both open-source applications have a truly remarkable track record that extends well over a decade. Both have -demonstrated unique capacity to innovate and to maintain a level of development that has not only kept -pace with demands, but in many areas each project has also proven to be an industry leader. +demonstrated the unique capacity to innovate and maintain a level of development that has not only kept +pace with demands, but, in many areas, each project has also proven to be an industry leader. One of the areas in which the Samba project has demonstrated key leadership is in documentation. The OSSI -was delighted when we saw the Samba Team, and John H. 
Terpstra in particular, release two amazingly well -written books to help Samba software users to deploy, maintain and trouble-shoot Windows networking +was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly +well-written books to help Samba software users deploy, maintain, and troubleshoot Windows networking installations. We were concerned that, given the large volume of documentation, the challenge to maintain it and keep it current might prove difficult. -This second edition of the book, Samba-3 by Example barely one year following the release -of the first edition has removed all concerns and is proof that open-source solutions are a compelling choice. +This second edition of the book, Samba-3 by Example, barely one year following the release +of the first edition, has removed all concerns and is proof that open-source solutions are a compelling choice. The first edition was released shortly following the release of Samba version 3.0 itself, and has become the authoritative instrument for training and for guiding deployment. -I am personally aware how much effort has gone into this second edition. John Terpstra has worked with +I am personally aware of how much effort has gone into this second edition. John Terpstra has worked with government bodies and with large organizations that have deployed Samba-3 since it was released. He also -worked to ensure that this book gained community following. He asked those who have worked at the coal-face +worked to ensure that this book gained community following. He asked those who have worked at the coalface of large and small organizations alike, to contribute their experiences. He has captured that in this book and has succeeded yet again. His recipe is persistence, intuition, and a high level of respect for the people who use Samba. 
@@ -77,7 +77,7 @@ who use Samba. This book is the first source you should turn to before you deploy Samba and as you are mastering its deployment. I am proud and excited to be associated in a small way with such a useful tool. This book has reached maturity that is demonstrated by reiteration that every step in deployment must be validated. -This book makes it easy to succeed, and difficulty to fail to gain a stable network environment. +This book makes it easy to succeed, and difficult to fail, to gain a stable network environment. diff --git a/docs/Samba3-ByExample/SBE-inside-cover.xml b/docs/Samba3-ByExample/SBE-inside-cover.xml index b55a333f9e..492a581cf5 100644 --- a/docs/Samba3-ByExample/SBE-inside-cover.xml +++ b/docs/Samba3-ByExample/SBE-inside-cover.xml 
@@ -4,32 +4,41 @@ About the Cover Artwork - The cover artwork of this book continues a theme chosen for the book, - The Official Samba-3 HOWTO and Reference Guide, - the cover of which features a Confederate scene. Samba has had a major - impact on the network deployment of Microsoft Windows desktop systems. - The cover artwork of the two official Samba books tells of events that - likewise had a major impact on the future. + The cover artwork of this book continues the freedom theme of the first + edition of Samba-3 by Example. The history of civilization + demonstrates the fragile nature of freedom. It can be lost in a moment, + and once lost, the cost of recovering liberty can be incredible. The last + edition cover featured Alfred the Great who liberated England from the + constant assault of Vikings and Norsemen. Events in England that + that finally liberated the common people came about in small steps, but + the result should not be under-estimated. Today, as always, freedom and + liberty are seldom appreciated until they are lost. If we can not quantify + what is the value of freedom, we shall be little motivated to protect it. - Samba-3 by Example Cover Artwork: King Alfred the Great - (born 849, ruled 871-899) was one of the most amazing kings ever to - rule England. He defended Anglo-Saxon England from Viking raids, formulated - a code of laws, and fostered a rebirth of religious and scholarly activity. - His reign exhibits military skill and innovation, sound governance and the - ability to inspire men to plan for the future. Alfred liberated England - at a time when all resistence seemed futile. + Samba-3 by Example Cover Artwork: The British houses + of parliament are a symbol of the Westminster system of government. This form + of government permits the people to govern themselves at the lowest level, yet + it provides for courts of appeal that are designed to protect freedom and to + hold back all forces of tyranny. 
The clock is a pertinent symbol of the + importance of time and place. - Samba is a network interoperability solution that provides real choice for network - administrators. It is an adjunct to Microsoft Windows networks that provides - interoperability of UNIX systems with Microsoft Windows desktop and server systems. - You may use Samba to realize the freedom it provides for your network environment - thanks to a dedicated team who work behind the scenes to give you a better choice. - The efforts of these few dedicated developers continues to shape the future of - the Windows interoperability landscape. Enjoy! + The information technology industry is being challenged by the imposition of + new laws, hostile litigation, and the imposition of significant constraint + of practice that threatens to remove the freedom to develop and deploy open + source software solutions. Samba is a software solution that epitomizes freedom + of choice in network interoperability for Microsoft Windows clients. + + + + I hope you will take the time needed to deploy it well, and that you may realize + the greatest benefits may be obtained. You are free to use it in ways never + considered, but in doing so there may be some obstacles. Every obstacle that is + overcome adds to the freedom you can enjoy. Use Samba well, and it will serve + you well. -- cgit
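Review bot: Two added lines in the docs/Samba3-ByExample/SBE-AddingUNIXClients.xml hunk (@@ -617,33 +617,33 @@) still carry spelling errors: "tranferring" should be "transferring", and "Samba perfomance" should be "Samba performance". In the same hunk, the new punctuation in "Samba-3.0.12 and later, includes new code" puts a comma between subject and verb; "Samba-3.0.12 and later includes" reads correctly.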
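Review bot: In the docs/Samba3-ByExample/SBE-KerberosFastStart.xml hunk at @@ -676,9 +676,9 @@, the replacement "a high degree of dependability and on charter development consistent with published roadmap projections" no longer parses, because "on charter development" has nothing to attach to once "as well" is dropped. If the intent is development that stays on charter, write "a high degree of dependability and of on-charter development consistent with published roadmap projections". The first changed line in this hunk appears to differ only in whitespace, which is worth confirming or dropping from the patch.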
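Review bot: In the docs/Samba3-ByExample/SBE-MakingHappyUsers.xml hunk at @@ -3739,8 +3739,8 @@, the closing context line still reads "that ojective:", so the paragraph keeps a misspelling right after the two lines being corrected; please extend the change to "that objective:". The fix of "puching out new desktop images" to "punching out" should also be checked with the author, since "pushing out" is the other plausible reading of the original typo.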
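Review bot: The added line "new to CUPS based-printing" in the docs/Samba3-ByExample/SBE-SecureOfficeServer.xml hunk at @@ -1516,9 +1516,9 @@ puts the hyphen on the wrong word pair. The compound modifier is "CUPS-based", so the line should read "new to CUPS-based printing".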
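Review bot: The context lines of the docs/Samba3-ByExample/SBE-UpgradingSamba.xml hunk at @@ -127,7 +127,7 @@ still contain "noone" twice ("the greater the risk that noone will read it" and "noone can read it"). Since this pass is correcting spelling in the same paragraph, change both to "no one" here rather than leaving them for a later commit.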
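Review bot: In the docs/Samba3-ByExample/SBE-foreword.xml hunk at @@ -19,14 +19,14 @@, the added line "in federal, state, and municipal government agencies; and in academic institutions" introduces a semicolon that splits a simple two-item coordination. The serial comma is a good addition, but the semicolon should go: "in federal, state, and municipal government agencies and in academic institutions".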
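Review bot: The rewritten first paragraph in the docs/Samba3-ByExample/SBE-inside-cover.xml hunk (@@ -4,32 +4,41 @@) has a doubled word across a line break: "Events in England that" followed by "that finally liberated the common people". The new text also uses "under-estimated" and "can not" while the rest of this patch closes up such forms (for example "un-noticed" to "unnoticed"), so "underestimated" and "cannot" would be consistent. In the last added paragraph, "that you may realize the greatest benefits may be obtained" does not parse and needs rewording by the author.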