From ca5759f796b153f702669942f7e01e498cc1170f Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Tue, 15 Oct 2002 18:14:31 +0000
Subject: make html (This used to be commit 39034207567c363a257f0aebd8ef22f15d98f451)

---
 docs/htmldocs/browsing-quick.html | 445 +++++++++++++++++++++++++++++++
 docs/htmldocs/bugreport.html | 30 +--
 docs/htmldocs/cvs-access.html | 32 +--
 docs/htmldocs/diagnosis.html | 93 +++----
 docs/htmldocs/domain-security.html | 18 +-
 docs/htmldocs/groupmapping.html | 6 +-
 docs/htmldocs/improved-browsing.html | 64 ++---
 docs/htmldocs/install.html | 20 +-
 docs/htmldocs/integrate-ms-networks.html | 96 +++----
 docs/htmldocs/msdfs.html | 14 +-
 docs/htmldocs/other-clients.html | 78 +++---
 docs/htmldocs/pam.html | 18 +-
 docs/htmldocs/portability.html | 41 +--
 docs/htmldocs/printing.html | 58 ++--
 docs/htmldocs/printingdebug.html | 42 +--
 docs/htmldocs/samba-bdc.html | 38 +--
 docs/htmldocs/samba-ldap-howto.html | 54 ++--
 docs/htmldocs/securitylevels.html | 14 +-
 docs/htmldocs/speed.html | 64 ++---
 docs/htmldocs/unix-permissions.html | 42 +--
 docs/htmldocs/winbind.html | 118 ++++----
 21 files changed, 915 insertions(+), 470 deletions(-)
 create mode 100644 docs/htmldocs/browsing-quick.html

diff --git a/docs/htmldocs/browsing-quick.html b/docs/htmldocs/browsing-quick.html new file mode 100644 index 0000000000..340302a102 --- /dev/null +++ b/docs/htmldocs/browsing-quick.html @@ -0,0 +1,445 @@ + +Quick Cross Subnet Browsing / Cross Workgroup Browsing guide
SAMBA Project Documentation
PrevNext

Chapter 16. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide

This document should be read in conjunction with Browsing and may +be taken as the fast track guide to implementing browsing across subnets +and / or across workgroups (or domains). WINS is the best tool for resolution +of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling +except by way of name to address mapping.

16.1. Discussion

Firstly, all MS Windows networking is based on SMB (Server Message +Block) based messaging. SMB messaging is implemented using NetBIOS. Samba +implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can +do likewise. NetBIOS based networking uses broadcast messaging to affect +browse list management. When running NetBIOS over TCP/IP this uses UDP +based messaging. UDP messages can be broadcast or unicast.

Normally, only unicast UDP messaging can be forwarded by routers. The +"remote announce" parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the "remote browse sync" +parameter of smb.conf implements browse list collation using unicast UDP.

Secondly, in those networks where Samba is the only SMB server technology +wherever possible nmbd should be configured on one (1) machine as the WINS +server. This makes it easy to manage the browsing environment. If each network +segment is configured with it's own Samba WINS server, then the only way to +get cross segment browsing to work is by using the "remote announce" and +the "remote browse sync" parameters to your smb.conf file.

If only one WINS server is used then the use of the "remote announce" and the +"remote browse sync" parameters should NOT be necessary.

Samba WINS does not support MS-WINS replication. This means that when setting up +Samba as a WINS server there must only be one nmbd configured as a WINS server +on the network. Some sites have used multiple Samba WINS servers for redundancy +(one server per subnet) and then used "remote browse sync" and "remote announce" +to affect browse list collation across all segments. Note that this means +clients will only resolve local names, and must be configured to use DNS to +resolve names on other subnets in order to resolve the IP addresses of the +servers they can see on other subnets. This setup is not recommended, but is +mentioned as a practical consideration (ie: an 'if all else fails' scenario).

Lastly, take note that browse lists are a collection of unreliable broadcast +messages that are repeated at intervals of not more than 15 minutes. This means +that it will take time to establish a browse list and it can take up to 45 +minutes to stabilise, particularly across network segments.

16.2. Use of the "Remote Announce" parameter

The "remote announce" parameter of smb.conf can be used to forcibly ensure +that all the NetBIOS names on a network get announced to a remote network. +The syntax of the "remote announce" parameter is: +

	remote announce = a.b.c.d [e.f.g.h] ...
+_or_ +
	remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
+ +where: +

a.b.c.d and e.f.g.h

is either the LMB (Local Master Browser) IP address +or the broadcst address of the remote network. +ie: the LMB is at 192.168.1.10, or the address +could be given as 192.168.1.255 where the netmask +is assumed to be 24 bits (255.255.255.0). +When the remote announcement is made to the broadcast +address of the remote network every host will receive +our announcements. This is noisy and therefore +undesirable but may be necessary if we do NOT know +the IP address of the remote LMB.

WORKGROUP

is optional and can be either our own workgroup +or that of the remote network. If you use the +workgroup name of the remote network then our +NetBIOS machine names will end up looking like +they belong to that workgroup, this may cause +name resolution problems and should be avoided.

16.3. Use of the "Remote Browse Sync" parameter

The "remote browse sync" parameter of smb.conf is used to announce to +another LMB that it must synchronise it's NetBIOS name list with our +Samba LMB. It works ONLY if the Samba server that has this option is +simultaneously the LMB on it's network segment.

The syntax of the "remote browse sync" parameter is: +

	remote browse sync = a.b.c.d
+ +where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.

16.4. Use of WINS

Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly +recommended. Every NetBIOS machine registers it's name together with a +name_type value for each of of several types of service it has available. +eg: It registers it's name directly as a unique (the type 0x03) name. +It also registers it's name if it is running the lanmanager compatible +server service (used to make shares and printers available to other users) +by registering the server (the type 0x20) name.

All NetBIOS names are up to 15 characters in length. The name_type variable +is added to the end of the name - thus creating a 16 character name. Any +name that is shorter than 15 characters is padded with spaces to the 15th +character. ie: All NetBIOS names are 16 characters long (including the +name_type information).

WINS can store these 16 character names as they get registered. A client +that wants to log onto the network can ask the WINS server for a list +of all names that have registered the NetLogon service name_type. This saves +broadcast traffic and greatly expedites logon processing. Since broadcast +name resolution can not be used across network segments this type of +information can only be provided via WINS _or_ via statically configured +"lmhosts" files that must reside on all clients in the absence of WINS.

WINS also serves the purpose of forcing browse list synchronisation by all +LMB's. LMB's must synchronise their browse list with the DMB (domain master +browser) and WINS helps the LMB to identify it's DMB. By definition this +will work only within a single workgroup. Note that the domain master browser +has NOTHING to do with what is referred to as an MS Windows NT Domain. The +later is a reference to a security environment while the DMB refers to the +master controller for browse list information only.

Use of WINS will work correctly only if EVERY client TCP/IP protocol stack +has been configured to use the WINS server/s. Any client that has not been +configured to use the WINS server will continue to use only broadcast based +name registration so that WINS may NEVER get to know about it. In any case, +machines that have not registered with a WINS server will fail name to address +lookup attempts by other clients and will therefore cause workstation access +errors.

To configure Samba as a WINS server just add "wins support = yes" to the +smb.conf file [globals] section.

To configure Samba to register with a WINS server just add +"wins server = a.b.c.d" to your smb.conf file [globals] section.

DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d" +particularly not using it's own IP address.

16.5. Do NOT use more than one (1) protocol on MS Windows machines

A very common cause of browsing problems results from installing more than +one protocol on an MS Windows machine.

Every NetBIOS machine take part in a process of electing the LMB (and DMB) +every 15 minutes. A set of election criteria is used to determine the order +of precidence for winning this election process. A machine running Samba or +Windows NT will be biased so that the most suitable machine will predictably +win and thus retain it's role.

The election process is "fought out" so to speak over every NetBIOS network +interface. In the case of a Windows 9x machine that has both TCP/IP and IPX +installed and has NetBIOS enabled over both protocols the election will be +decided over both protocols. As often happens, if the Windows 9x machine is +the only one with both protocols then the LMB may be won on the NetBIOS +interface over the IPX protocol. Samba will then lose the LMB role as Windows +9x will insist it knows who the LMB is. Samba will then cease to function +as an LMB and thus browse list operation on all TCP/IP only machines will +fail.

The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!

16.6. Name Resolution Order

Resolution of NetBIOS names to IP addresses can take place using a number +of methods. The only ones that can provide NetBIOS name_type information +are: +

WINS: the best tool!
LMHOSTS: is static and hard to maintain.
Broadcast: uses UDP and can not resolve names across remote segments.

Alternative means of name resolution includes: +

/etc/hosts: is static, hard to maintain, and lacks name_type info
DNS: is a good choice but lacks essential name_type info.

Many sites want to restrict DNS lookups and want to avoid broadcast name +resolution traffic. The "name resolve order" parameter is of great help here. +The syntax of the "name resolve order" parameter is: +

	name resolve order = wins lmhosts bcast host
+_or_ +
	name resolve order = wins lmhosts  	(eliminates bcast and host)
+The default is: +
	name  resolve order = host lmhost wins bcast
. +where "host" refers the the native methods used by the Unix system +to implement the gethostbyname() function call. This is normally +controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf.


PrevHomeNext
Improved browsing in samba Samba performance issues
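
Review bot: The WINS instructions in 16.4 point readers at the smb.conf "[globals]" section, but the section is named [global], so "wins support = yes" or "wins server = a.b.c.d" placed under [globals] would not be read as global settings; please correct both sentences. In 16.6 the default is shown as "name  resolve order = host lmhost wins bcast", which has "lmhost" where the two examples just above use "lmhosts" and a doubled space in the parameter name. The file also ends without a trailing newline, and because this is "make html" output the fixes (including the typos "addesses", "broadcst" and "precidence") belong in the source the page is generated from.
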
\ No newline at end of file diff --git a/docs/htmldocs/bugreport.html b/docs/htmldocs/bugreport.html index 53f34c9f0a..b5058f0d61 100644 --- a/docs/htmldocs/bugreport.html +++ b/docs/htmldocs/bugreport.html @@ -8,7 +8,7 @@ NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.77">Chapter 20. Reporting BugsChapter 19. Reporting Bugs

20.1. Introduction

19.1. Introduction

The email address for bug reports is samba@samba.org

20.2. General info

19.2. General info

Before submitting a bug report check your config for silly errors. Look in your log files for obvious messages that tell you that @@ -134,9 +134,9 @@ CLASS="SECT1" >

20.3. Debug levels

19.3. Debug levels

If the bug has anything to do with Samba behaving incorrectly as a server (like refusing to open a file) then the log files will probably @@ -204,9 +204,9 @@ CLASS="SECT1" >

20.4. Internal errors

19.4. Internal errors

If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a @@ -248,9 +248,9 @@ CLASS="SECT1" >

20.5. Attaching to a running process

19.5. Attaching to a running process

Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd @@ -265,9 +265,9 @@ CLASS="SECT1" >

20.6. Patches

19.6. Patches

The best sort of bug report is one that includes a fix! If you send us patches please use HomePrevChapter 19. HOWTO Access Samba source code via CVSChapter 18. HOWTO Access Samba source code via CVS

19.1. Introduction

18.1. Introduction

Samba is developed in an open environment. Developers use CVS (Concurrent Versioning System) to "checkin" (also known as @@ -99,9 +99,9 @@ CLASS="SECT1" >

19.2. CVS Access to samba.org

18.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS repository for access to the source code of several packages, @@ -112,9 +112,9 @@ CLASS="SECT2" >

19.2.1. Access via CVSweb

18.2.1. Access via CVSweb

You can access the source code via your favourite WWW browser. This allows you to access the contents of @@ -133,9 +133,9 @@ CLASS="SECT2" >

19.2.2. Access via cvs

18.2.2. Access via cvs

You can also access the source code via a normal cvs client. This gives you much more control over you can @@ -253,7 +253,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevHomeSamba and other CIFS clientsSamba performance issuesPrevNext 


Chapter 2. Diagnosing your samba serverChapter 23. Diagnosing your samba server

2.1. Introduction

23.1. Introduction

This file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem @@ -99,9 +92,9 @@ CLASS="SECT1" >

2.2. Assumptions

23.2. Assumptions

In all of the tests I assume you have a Samba server called BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the @@ -140,17 +133,17 @@ CLASS="SECT1" >

2.3. Tests

23.3. Tests

2.3.1. Test 1

23.3.1. Test 1

In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -170,9 +163,9 @@ CLASS="SECT2" >

2.3.2. Test 2

23.3.2. Test 2

Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -196,9 +189,9 @@ CLASS="SECT2" >

2.3.3. Test 3

23.3.3. Test 3

Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back.

2.3.4. Test 4

23.3.4. Test 4

Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back.

2.3.5. Test 5

23.3.5. Test 5

run the command

2.3.6. Test 6

23.3.6. Test 6

Run the command

2.3.7. Test 7

23.3.7. Test 7

Run the command

2.3.8. Test 8

23.3.8. Test 8

On the PC type the command

2.3.9. Test 9

23.3.9. Test 9

Run the command

2.3.10. Test 10

23.3.10. Test 10

Run the command

2.3.11. Test 11

23.3.11. Test 11

From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -580,9 +573,9 @@ CLASS="SECT1" >

2.4. Still having troubles?

23.4. Still having troubles?

Try the mailing list or newsgroup, or use the ethereal utility to sniff the problem. The official samba mailing list can be reached at @@ -618,7 +611,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevHomeNext How to Install and Test SAMBASamba and other CIFS clientsIntegrating MS Windows networks with Samba 

Chapter 10. security = domain in Samba 2.xChapter 9. security = domain in Samba 2.x

10.1. Joining an NT Domain with Samba 2.2

9.1. Joining an NT Domain with Samba 2.2

Assume you have a Samba 2.x server with a NetBIOS name of

10.2. Samba and Windows 2000 Domains

9.2. Samba and Windows 2000 Domains

Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows @@ -333,9 +333,9 @@ CLASS="SECT1" >

10.3. Why is this better than security = server?

9.3. Why is this better than security = server?

Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching @@ -444,7 +444,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >HomeChapter 21. Group mapping HOWTOChapter 20. Group mapping HOWTO

Starting with Samba 3.0 alpha 2, a new group mapping function is available. The @@ -191,7 +191,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >HomeNextChapter 16. Improved browsing in sambaChapter 15. Improved browsing in samba

16.1. Overview of browsing

15.1. Overview of browsing

SMB networking provides a mechanism by which clients can access a list of machines in a network, a so-called "browse list". This list @@ -101,9 +101,9 @@ CLASS="SECT1" >

16.2. Browsing support in samba

15.2. Browsing support in samba

Samba now fully supports browsing. The browsing is supported by nmbd and is also controlled by options in the smb.conf file (see smb.conf(5)).

16.3. Problem resolution

15.3. Problem resolution

If something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding @@ -180,9 +180,9 @@ CLASS="SECT1" >

16.4. Browsing across subnets

15.4. Browsing across subnets

With the release of Samba 1.9.17(alpha1 and above) Samba has been updated to enable it to support the replication of browse lists @@ -211,9 +211,9 @@ CLASS="SECT2" >

16.4.1. How does cross subnet browsing work ?

15.4.1. How does cross subnet browsing work ?

Cross subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several years to get the code @@ -423,9 +423,9 @@ CLASS="SECT1" >

16.5. Setting up a WINS server

15.5. Setting up a WINS server

Either a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must @@ -506,9 +506,9 @@ CLASS="SECT1" >

16.6. Setting up Browsing in a WORKGROUP

15.6. Setting up Browsing in a WORKGROUP

To set up cross subnet browsing on a network containing machines in up to be in a WORKGROUP, not an NT Domain you need to set up one @@ -590,9 +590,9 @@ CLASS="SECT1" >

16.7. Setting up Browsing in a DOMAIN

15.7. Setting up Browsing in a DOMAIN

If you are adding Samba servers to a Windows NT Domain then you must not set up a Samba server as a domain master browser. @@ -641,9 +641,9 @@ CLASS="SECT1" >

16.8. Forcing samba to be the master

15.8. Forcing samba to be the master

Who becomes the "master browser" is determined by an election process using broadcasts. Each election packet contains a number of parameters @@ -689,9 +689,9 @@ CLASS="SECT1" >

16.9. Making samba the domain master

15.9. Making samba the domain master

The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can @@ -762,9 +762,9 @@ CLASS="SECT1" >

16.10. Note about broadcast addresses

15.10. Note about broadcast addresses

If your network uses a "0" based broadcast address (for example if it ends in a 0) then you will strike problems. Windows for Workgroups @@ -776,9 +776,9 @@ CLASS="SECT1" >

16.11. Multiple interfaces

15.11. Multiple interfaces

Samba now supports machines with multiple network interfaces. If you have multiple interfaces then you will need to use the "interfaces" @@ -810,7 +810,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >HomeNextSamba performance issuesQuick Cross Subnet Browsing / Cross Workgroup Browsing guide

PrevNextPrevHomeNextDiagnosing your samba serverIntegrating MS Windows networks with Samba
PrevChapter 3. Integrating MS Windows networks with SambaChapter 2. Integrating MS Windows networks with Samba

3.1. Agenda

2.1. Agenda

To identify the key functional mechanisms of MS Windows networking to enable the deployment of Samba as a means of extending and/or @@ -145,9 +145,9 @@ CLASS="SECT1" >

3.2. Name Resolution in a pure Unix/Linux world

2.2. Name Resolution in a pure Unix/Linux world

The key configuration files covered in this section are:

3.2.1. 2.2.1. /etc/hosts

3.2.2. 2.2.2. /etc/resolv.conf

3.2.3. 2.2.3. /etc/host.conf

3.2.4. 2.2.4. /etc/nsswitch.conf

3.3. Name resolution as used within MS Windows networking

2.3. Name resolution as used within MS Windows networking

MS Windows networking is predicated about the name each machine is given. This name is known variously (and inconsistently) as @@ -489,9 +489,9 @@ CLASS="SECT2" >

3.3.1. The NetBIOS Name Cache

2.3.1. The NetBIOS Name Cache

All MS Windows machines employ an in memory buffer in which is stored the NetBIOS names and IP addresses for all external @@ -516,9 +516,9 @@ CLASS="SECT2" >

3.3.2. The LMHOSTS file

2.3.2. The LMHOSTS file

This file is usually located in MS Windows NT 4.0 or 2000 in

3.3.3. HOSTS file

2.3.3. HOSTS file

This file is usually located in MS Windows NT 4.0 or 2000 in

3.3.4. DNS Lookup

2.3.4. DNS Lookup

This capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence @@ -661,9 +661,9 @@ CLASS="SECT2" >

3.3.5. WINS Lookup

2.3.5. WINS Lookup

A WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores @@ -704,9 +704,9 @@ CLASS="SECT1" >

3.4. How browsing functions and how to deploy stable and +>2.4. How browsing functions and how to deploy stable and dependable browsing using Samba

As stated above, MS Windows machines register their NetBIOS names @@ -771,9 +771,9 @@ CLASS="SECT1" >

3.5. MS Windows security options and how to configure +>2.5. MS Windows security options and how to configure Samba for seemless integration

MS Windows clients may use encrypted passwords as part of a @@ -908,9 +908,9 @@ CLASS="SECT2" >

3.5.1. Use MS Windows NT as an authentication server

2.5.1. Use MS Windows NT as an authentication server

This method involves the additions of the following parameters in the smb.conf file:

3.5.2. Make Samba a member of an MS Windows NT security domain

2.5.2. Make Samba a member of an MS Windows NT security domain

This method involves additon of the following paramters in the smb.conf file:

3.5.3. Configure Samba as an authentication server

2.5.3. Configure Samba as an authentication server

This mode of authentication demands that there be on the Unix/Linux system both a Unix style account as well as an @@ -1044,9 +1044,9 @@ CLASS="SECT3" >

3.5.3.1. Users

2.5.3.1. Users

A user account that may provide a home directory should be created. The following Linux system commands are typical of @@ -1067,9 +1067,9 @@ CLASS="SECT3" >

3.5.3.2. MS Windows NT Machine Accounts

2.5.3.2. MS Windows NT Machine Accounts

These are required only when Samba is used as a domain controller. Refer to the Samba-PDC-HOWTO for more details.

3.6. Conclusions

2.6. Conclusions

Samba provides a flexible means to operate as...

PrevHomeDiagnosing your samba serverHow to Install and Test SAMBAChapter 5. Hosting a Microsoft Distributed File System tree on SambaChapter 4. Hosting a Microsoft Distributed File System tree on Samba

5.1. Instructions

4.1. Instructions

The Distributed File System (or Dfs) provides a means of separating the logical view of files and directories that users @@ -226,9 +226,9 @@ CLASS="SECT2" >

5.1.1. Notes

4.1.1. Notes

    HomePrevNextChapter 18. Samba and other CIFS clientsChapter 22. Samba and other CIFS clients

    This chapter contains client-specific information.

    18.1. Macintosh clients?

    22.1. Macintosh clients?

    Yes.

    18.2. OS2 Client

    22.2. OS2 Client

    18.2.1. How can I configure OS/2 Warp Connect or +>22.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

    A more complete answer to this question can be @@ -192,9 +192,9 @@ CLASS="SECT2" >

    18.2.2. How can I configure OS/2 Warp 3 (not Connect), +>22.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?

    You can use the free Microsoft LAN Manager 2.2c Client @@ -236,9 +236,9 @@ CLASS="SECT2" >

    18.2.3. Are there any other issues when OS/2 (any version) +>22.2.3. Are there any other issues when OS/2 (any version) is used as a client?

    When you do a NET VIEW or use the "File and Print @@ -258,9 +258,9 @@ CLASS="SECT2" >

    18.2.4. How do I get printer driver download working +>22.2.4. How do I get printer driver download working for OS/2 clients?

    First, create a share called [PRINTDRV] that is @@ -309,17 +309,17 @@ CLASS="SECT1" >

    18.3. Windows for Workgroups

    22.3. Windows for Workgroups

    18.3.1. Use latest TCP/IP stack from Microsoft

    22.3.1. Use latest TCP/IP stack from Microsoft

    Use the latest TCP/IP stack from microsoft if you use Windows for workgroups.

    18.3.2. Delete .pwl files after password change

    22.3.2. Delete .pwl files after password change

    WfWg does a lousy job with passwords. I find that if I change my password on either the unix box or the PC the safest thing to do is to @@ -359,9 +359,9 @@ CLASS="SECT2" >

    18.3.3. Configure WfW password handling

    22.3.3. Configure WfW password handling

    There is a program call admincfg.exe on the last disk (disk 8) of the WFW 3.11 disk set. To install it @@ -378,9 +378,9 @@ CLASS="SECT2" >

    18.3.4. Case handling of passwords

    22.3.4. Case handling of passwords

    Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the

    18.4. Windows '95/'98

    22.4. Windows '95/'98

    When using Windows 95 OEM SR2 the following updates are recommended where Samba is being used. Please NOTE that the above change will affect you once these @@ -445,9 +445,9 @@ CLASS="SECT1" >

    18.5. Windows 2000 Service Pack 2

    22.5. Windows 2000 Service Pack 2

    There are several annoyances with Windows 2000 SP2. One of which @@ -539,7 +539,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevHomeNextSamba performance issuesPortabilityHOWTO Access Samba source code via CVSDiagnosing your samba server

    Chapter 4. Configuring PAM for distributed but centrally +>Chapter 3. Configuring PAM for distributed but centrally managed authentication

    4.1. Samba and PAM

    3.1. Samba and PAM

    A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication @@ -293,9 +293,9 @@ CLASS="SECT1" >

    4.2. Distributed Authentication

    3.2. Distributed Authentication

    The astute administrator will realize from this that the combination of

    4.3. PAM Configuration in smb.conf

    3.3. PAM Configuration in smb.conf

    There is an option in smb.conf called Home Next


    Chapter 22. PortabilityChapter 21. Portability

    Samba works on a wide range of platforms but the interface all the platforms provide is not always compatible. This chapter contains @@ -74,9 +81,9 @@ CLASS="SECT1" >

    22.1. HPUX

    21.1. HPUX

    HP's implementation of supplementary groups is, er, non-standard (for hysterical reasons). There are two group files, /etc/group and @@ -100,9 +107,9 @@ CLASS="SECT1" >

    22.2. SCO Unix

    21.2. SCO Unix

    If you run an old version of SCO Unix then you may need to get important @@ -117,9 +124,9 @@ CLASS="SECT1" >

    22.3. DNIX

    21.3. DNIX

    DNIX has a problem with seteuid() and setegid(). These routines are needed for Samba to work correctly, but they were left out of the DNIX @@ -224,9 +231,9 @@ CLASS="SECT1" >

    22.4. RedHat Linux Rembrandt-II

    21.4. RedHat Linux Rembrandt-II

    By default RedHat Rembrandt-II during installation adds an entry to /etc/hosts as follows: @@ -269,7 +276,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >Home Next Samba and other CIFS clients

    Chapter 7. Printing Support in Samba 2.2.xChapter 6. Printing Support in Samba 2.2.x

    7.1. Introduction

    6.1. Introduction

    Beginning with the 2.2.0 release, Samba supports the native Windows NT printing mechanisms implemented via @@ -165,9 +165,9 @@ CLASS="SECT1" >

    7.2. Configuration

    6.2. Configuration

    7.2.1. Creating [print$]

    6.2.1. Creating [print$]

    In order to support the uploading of printer driver files, you must first configure a file share named [print$]. @@ -468,9 +468,9 @@ CLASS="SECT2" >

    7.2.2. Setting Drivers for Existing Printers

    6.2.2. Setting Drivers for Existing Printers

    The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned @@ -548,9 +548,9 @@ CLASS="SECT2" >

    7.2.3. Support a large number of printers

    6.2.3. Support a large number of printers

    One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for @@ -614,9 +614,9 @@ CLASS="SECT2" >

    7.2.4. Adding New Printers via the Windows NT APW

    6.2.4. Adding New Printers via the Windows NT APW

    By default, Samba offers all printer shares defined in

    7.2.5. Samba and Printer Ports

    6.2.5. Samba and Printer Ports

    Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the @@ -820,9 +820,9 @@ CLASS="SECT1" >

    7.3. The Imprints Toolset

    6.3. The Imprints Toolset

    The Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer Wizard. For complete information, please @@ -838,9 +838,9 @@ CLASS="SECT2" >

    7.3.1. What is Imprints?

    6.3.1. What is Imprints?

    Imprints is a collection of tools for supporting the goals of

    7.3.2. Creating Printer Driver Packages

    6.3.2. Creating Printer Driver Packages

    The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included @@ -886,9 +886,9 @@ CLASS="SECT2" >

    7.3.3. The Imprints server

    6.3.3. The Imprints server

    The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer @@ -910,9 +910,9 @@ CLASS="SECT2" >

    7.3.4. The Installation Client

    6.3.4. The Installation Client

    More information regarding the Imprints installation client is available in the

    7.4. 6.4. Migration to from Samba 2.0.x to 2.2.x
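
Review bot: The section title being renumbered here still reads "Migration to from Samba 2.0.x to 2.2.x" in both the old and the new line; drop the stray "to" in the source so the regenerated heading reads "Migration from Samba 2.0.x to 2.2.x".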

    HomeChapter 8. Debugging Printing ProblemsChapter 7. Debugging Printing Problems

    8.1. Introduction

    7.1. Introduction

    This is a short description of how to debug printing problems with Samba. This describes how to debug problems with printing from a SMB @@ -152,9 +152,9 @@ CLASS="SECT1" >

    8.2. Debugging printer problems

    7.2. Debugging printer problems

    One way to debug printing problems is to start by replacing these command with shell scripts that record the arguments and the contents @@ -209,9 +209,9 @@ CLASS="SECT1" >

    8.3. What printers do I have?

    7.3. What printers do I have?

    You can use the 'testprns' program to check to see if the printer name you are using is recognized by Samba. For example, you can @@ -238,9 +238,9 @@ CLASS="SECT1" >

    8.4. Setting up printcap and print servers

    7.4. Setting up printcap and print servers

    You may need to set up some printcaps for your Samba system to use. It is strongly recommended that you use the facilities provided by @@ -322,9 +322,9 @@ CLASS="SECT1" >

    8.5. Job sent, no output

    7.5. Job sent, no output

    This is the most frustrating part of printing. You may have sent the job, verified that the job was forwarded, set up a wrapper around @@ -367,9 +367,9 @@ CLASS="SECT1" >

    8.6. Job sent, strange output

    7.6. Job sent, strange output

    Once you have the job printing, you can then start worrying about making it print nicely.

    8.7. Raw PostScript printed

    7.7. Raw PostScript printed

    This is a problem that is usually caused by either the print spooling system putting information at the start of the print job that makes @@ -428,9 +428,9 @@ CLASS="SECT1" >

    8.8. Advanced Printing

    7.8. Advanced Printing

    Note that you can do some pretty magic things by using your imagination with the "print command" option and some shell scripts. @@ -444,9 +444,9 @@ CLASS="SECT1" >

    8.9. Real debugging

    7.9. Real debugging

    If the above debug tips don't help, then maybe you need to bring in the bug guns, system tracing. See Tracing.txt in this directory.
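    Review bot: the context paragraph under "Real debugging" says "bring in the bug guns", which should read "big guns", and "See Tracing.txt in this directory" does not tell a reader of the generated page under docs/htmldocs where that file is. Fix the wording in the source and give the file as a link or a path, then rebuild.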

    HomeChapter 13. How to Act as a Backup Domain Controller in a Purely Samba Controlled DomainChapter 12. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain

    13.1. Prerequisite Reading

    12.1. Prerequisite Reading

    Before you continue reading in this chapter, please make sure that you are comfortable with configuring a Samba PDC @@ -94,9 +94,9 @@ CLASS="SECT1" >

    13.2. Background

    12.2. Background

    What is a Domain Controller? It is a machine that is able to answer logon requests from workstations in a Windows NT Domain. Whenever a @@ -139,9 +139,9 @@ CLASS="SECT1" >

    13.3. What qualifies a Domain Controller on the network?

    12.3. What qualifies a Domain Controller on the network?

    Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS group name SAMBA#1c with the WINS server and/or @@ -156,9 +156,9 @@ CLASS="SECT2" >

    13.3.1. How does a Workstation find its domain controller?

    12.3.1. How does a Workstation find its domain controller?

    A NT workstation in the domain SAMBA that wants a local user to be authenticated has to find the domain controller for SAMBA. It does @@ -175,9 +175,9 @@ CLASS="SECT2" >

    13.3.2. When is the PDC needed?

    12.3.2. When is the PDC needed?

    Whenever a user wants to change his password, this has to be done on the PDC. To find the PDC, the workstation does a NetBIOS name query @@ -191,9 +191,9 @@ CLASS="SECT1" >

    13.4. Can Samba be a Backup Domain Controller?

    12.4. Can Samba be a Backup Domain Controller?

    With version 2.2, no. The native NT SAM replication protocols have not yet been fully implemented. The Samba Team is working on @@ -210,9 +210,9 @@ CLASS="SECT1" >

    13.5. How do I set up a Samba BDC?

    12.5. How do I set up a Samba BDC?

    Several things have to be done:

    13.5.1. How do I replicate the smbpasswd file?

    12.5.1. How do I replicate the smbpasswd file?

    Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change is @@ -320,7 +320,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >HomeChapter 14. Storing Samba's User/Machine Account information in an LDAP DirectoryChapter 13. Storing Samba's User/Machine Account information in an LDAP Directory

    14.1. Purpose

    13.1. Purpose

    This document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is @@ -145,9 +145,9 @@ CLASS="SECT1" >

    14.2. Introduction

    13.2. Introduction

    Traditionally, when configuring

    14.3. Supported LDAP Servers

    13.3. Supported LDAP Servers

    The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with @@ -287,9 +287,9 @@ CLASS="SECT1" >

    14.4. Schema and Relationship to the RFC 2307 posixAccount

    13.4. Schema and Relationship to the RFC 2307 posixAccount

    Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in

    14.5. Configuring Samba with LDAP

    13.5. Configuring Samba with LDAP

    14.5.1. OpenLDAP configuration

    13.5.1. OpenLDAP configuration

    To include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory.

    14.5.2. Configuring Samba

    13.5.2. Configuring Samba

    The following parameters are available in smb.conf only with

    14.6. Accounts and Groups management

    13.6. Accounts and Groups management

    As users accounts are managed thru the sambaAccount objectclass, you should modify you existing administration tools to deal with sambaAccount attributes.
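    Review bot: the paragraph under "Accounts and Groups management" has "As users accounts are managed thru" and "modify you existing administration tools"; these should read "As user accounts are managed through" and "modify your existing". This is the text administrators follow when adapting account tooling to sambaAccount attributes, so correct it in the source before the next rebuild.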

    14.7. Security and sambaAccount

    13.7. Security and sambaAccount

    There are two important points to remember when discussing the security of sambaAccount entries in the directory.

    14.8. LDAP specials attributes for sambaAccounts

    13.8. LDAP specials attributes for sambaAccounts

    The sambaAccount objectclass is composed of the following attributes:

    14.9. Example LDIF Entries for a sambaAccount

    13.9. Example LDIF Entries for a sambaAccount

    The following is a working LDIF with the inclusion of the posixAccount objectclass:

    14.10. Comments

    13.10. Comments

    Please mail all comments regarding this HOWTO to HomeChapter 9. Security levelsChapter 8. Security levels

    9.1. Introduction

    8.1. Introduction

    Samba supports the following options to the global smb.conf parameter

    9.2. More complete description of security levels

    8.2. More complete description of security levels

    A SMB server tells the client at startup what "security level" it is running. There are two options "share level" and "user level". Which @@ -238,7 +238,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >HomePrevNext

    17.1. Comparisons

    17.2. Oplocks

    17.2.1. Overview

    17.2.2. Level2 Oplocks

    17.2.3. Old 'fake oplocks' option - deprecated

    17.3. Socket options

    17.4. Read size

    17.5. Max xmit

    17.6. Locking

    17.7. Share modes

    17.8. Log level

    17.9. Wide lines

    17.10. Read raw

    17.11. Write raw

    17.12. Read prediction

    17.13. Memory mapping

    17.14. Slow Clients

    17.15. Slow Logins

    17.16. Client tuning

    17.17. My Results

    PrevHomeNextImproved browsing in sambaQuick Cross Subnet Browsing / Cross Workgroup Browsing guideSamba and other CIFS clientsHOWTO Access Samba source code via CVS

    Chapter 6. UNIX Permission Bits and Windows NT Access Control ListsChapter 5. UNIX Permission Bits and Windows NT Access Control Lists

    6.1. Viewing and changing UNIX permissions using the NT +>5.1. Viewing and changing UNIX permissions using the NT security dialogs

    New in the Samba 2.0.4 release is the ability for Windows @@ -116,9 +116,9 @@ CLASS="SECT1" >

    6.2. How to view file security on a Samba share

    5.2. How to view file security on a Samba share

    From an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted @@ -186,9 +186,9 @@ CLASS="SECT1" >

    6.3. Viewing file ownership

    5.3. Viewing file ownership

    Clicking on the

    6.4. Viewing file or directory permissions

    5.4. Viewing file or directory permissions

    The third button is the

    6.4.1. File Permissions

    5.4.1. File Permissions

    The standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -404,9 +404,9 @@ CLASS="SECT2" >

    6.4.2. Directory Permissions

    5.4.2. Directory Permissions

    Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -436,9 +436,9 @@ CLASS="SECT1" >

    6.5. Modifying file or directory permissions

    5.5. Modifying file or directory permissions

    Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and @@ -534,9 +534,9 @@ CLASS="SECT1" >

    6.6. Interaction with the standard Samba create mask +>5.6. Interaction with the standard Samba create mask parameters

    Note that with Samba 2.0.5 there are four new parameters @@ -811,9 +811,9 @@ CLASS="SECT1" >

    6.7. Interaction with the standard Samba file attribute +>5.7. Interaction with the standard Samba file attribute mapping

    Samba maps some of the DOS attribute bits (such as "read @@ -879,7 +879,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >HomeChapter 11. Unified Logons between Windows NT and UNIX using WinbindChapter 10. Unified Logons between Windows NT and UNIX using Winbind

    11.1. Abstract

    10.1. Abstract

    Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -104,9 +104,9 @@ CLASS="SECT1" >

    11.2. Introduction

    10.2. Introduction

    It is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -158,9 +158,9 @@ CLASS="SECT1" >

    11.3. What Winbind Provides

    10.3. What Winbind Provides

    Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -200,9 +200,9 @@ CLASS="SECT2" >

    11.3.1. Target Uses

    10.3.1. Target Uses

    Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -224,9 +224,9 @@ CLASS="SECT1" >

    11.4. How Winbind Works

    10.4. How Winbind Works

    The winbind system is designed around a client/server architecture. A long running

    11.4.1. Microsoft Remote Procedure Calls

    10.4.1. Microsoft Remote Procedure Calls

    Over the last two years, efforts have been underway by various Samba Team members to decode various aspects of @@ -270,9 +270,9 @@ CLASS="SECT2" >

    11.4.2. Name Service Switch

    10.4.2. Name Service Switch

    The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -350,9 +350,9 @@ CLASS="SECT2" >

    11.4.3. Pluggable Authentication Modules

    10.4.3. Pluggable Authentication Modules

    Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -399,9 +399,9 @@ CLASS="SECT2" >

    11.4.4. User and Group ID Allocation

    10.4.4. User and Group ID Allocation

    When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -425,9 +425,9 @@ CLASS="SECT2" >

    11.4.5. Result Caching

    10.4.5. Result Caching

    An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -448,9 +448,9 @@ CLASS="SECT1" >

    11.5. Installation and Configuration

    10.5. Installation and Configuration

    Many thanks to John Trostel

    11.5.1. Introduction

    10.5.1. Introduction

    This HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -534,9 +534,9 @@ CLASS="SECT2" >

    11.5.2. Requirements

    10.5.2. Requirements

    If you have a samba configuration file that you are currently using...

    11.5.3. Testing Things Out

    10.5.3. Testing Things Out

    Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all

    11.5.3.1. Configure and compile SAMBA

    10.5.3.1. Configure and compile SAMBA

    The configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -715,9 +715,9 @@ CLASS="SECT3" >

    11.5.3.2. Configure 10.5.3.2. Configure nsswitch.conf and the @@ -820,9 +820,9 @@ CLASS="SECT3" >

    11.5.3.3. Configure smb.conf

    10.5.3.3. Configure smb.conf

    Several parameters are needed in the smb.conf file to control the behavior of

    11.5.3.4. Join the SAMBA server to the PDC domain

    10.5.3.4. Join the SAMBA server to the PDC domain

    Enter the following command to make the SAMBA server join the PDC domain, where

    11.5.3.5. Start up the winbindd daemon and test it!

    10.5.3.5. Start up the winbindd daemon and test it!

    Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -1064,17 +1064,17 @@ CLASS="SECT3" >

    11.5.3.6. Fix the init.d startup scripts

    10.5.3.6. Fix the init.d startup scripts

    11.5.3.6.1. Linux

    10.5.3.6.1. Linux

    The

    11.5.3.6.2. Solaris

    10.5.3.6.2. Solaris

    On solaris, you need to modify the

    11.5.3.6.3. Restarting

    10.5.3.6.3. Restarting

    If you restart the

    11.5.3.7. Configure Winbind and PAM

    10.5.3.7. Configure Winbind and PAM

    If you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other @@ -1321,9 +1321,9 @@ CLASS="SECT4" >

    11.5.3.7.1. Linux/FreeBSD-specific PAM configuration

    10.5.3.7.1. Linux/FreeBSD-specific PAM configuration

    The

    11.5.3.7.2. Solaris-specific configuration

    10.5.3.7.2. Solaris-specific configuration

    The /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes @@ -1537,9 +1537,9 @@ CLASS="SECT1" >

    11.6. Limitations

    10.6. Limitations

    Winbind has a number of limitations in its current released version that we hope to overcome in future @@ -1578,9 +1578,9 @@ CLASS="SECT1" >

    11.7. Conclusion

    10.7. Conclusion

    The winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate @@ -1615,7 +1615,7 @@ WIDTH="34%" ALIGN="center" VALIGN="top" >Home
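    Review bot: the commit subject "make html" does not say why every chapter in these hunks moves down by one (Winbind 11 to 10, LDAP 14 to 13, BDC 13 to 12, printing 7 to 6, and so on), so a reader of the history cannot tell which source change this rebuild reflects. Name that change in the message, or commit the rebuild together with it. In winbind.html itself, the context under "User and Group ID Allocation" reads "is it allocated" where "it is allocated" is meant, and under "Solaris-specific configuration" the text "telnet.The following" is missing a space; both belong in the source.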