From 02edc621fda8b705185b2c0d7016a99e5c19dca4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 26 May 2003 19:41:44 +0000 Subject: Lots of minor, mostly layout fixes. (This used to be commit 99674fdbd12caca61baa00974a492a9a26d982e9) --- docs/docbook/projdoc/AccessControls.xml | 219 +++++++++++--------- docs/docbook/projdoc/AdvancedNetworkAdmin.xml | 27 +-- docs/docbook/projdoc/Bugs.xml | 43 ++-- docs/docbook/projdoc/Compiling.xml | 168 ++++++++------- docs/docbook/projdoc/DOMAIN_MEMBER.xml | 282 ++++++++++++++------------ docs/docbook/projdoc/passdb.xml | 35 ++-- docs/docbook/projdoc/printer_driver2.xml | 2 +- 7 files changed, 426 insertions(+), 350 deletions(-) (limited to 'docs/docbook/projdoc') diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml index 38c3475d34..6a56705a54 100644 --- a/docs/docbook/projdoc/AccessControls.xml +++ b/docs/docbook/projdoc/AccessControls.xml @@ -176,11 +176,11 @@ at how Samba helps to bridge the differences. Consider the following, all are unique Unix names but one single MS Windows file name: - + MYFILE.TXT MyFile.txt myfile.txt - + So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix they can. So what should Samba do if all three are present? Answer, the one that is lexically first will be accessible to MS Windows users, the others are invisible and unaccessible - any @@ -246,13 +246,17 @@ at how Samba helps to bridge the differences. There are three basic operations for managing directories, create, delete, rename. - - Action MS Windows Command Unix Command - ------ ------------------ ------------ - create md folder mkdir folder - delete rd folder rmdir folder - rename rename oldname newname mv oldname newname - + + + ActionMS Windows CommandUnix Command + + + + createmd foldermkdir folder + deleterd folderrmdir folder + renamerename oldname newnamemv oldname newname + +
@@ -271,8 +275,8 @@ at how Samba helps to bridge the differences. Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set. A Unix file listing looks as follows:- - - jht@frodo:~/stuff> ls -la + + jht@frodo:~/stuff> ls -la total 632 drwxr-xr-x 13 jht users 816 2003-05-12 22:56 . drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 .. @@ -293,8 +297,8 @@ at how Samba helps to bridge the differences. -r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst -rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst -rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst - jht@frodo:~/stuff> - + jht@frodo:~/stuff> +
@@ -305,6 +309,7 @@ at how Samba helps to bridge the differences. The permissions field is made up of: + [ type ] [ users ] [ group ] [ others ] [File, Directory Permissions] [ d | l ] [ r w x ] [ r w x ] [ r w x ] | | | | | | | | | | | @@ -324,6 +329,7 @@ at how Samba helps to bridge the differences. Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character. + Example File -rwxr-x--- Means: The owner (user) can read, write, execute @@ -337,7 +343,7 @@ at how Samba helps to bridge the differences. - The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r + The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), sticky (t). @@ -809,7 +815,7 @@ Before using any of the following options please refer to the man page for &smb. Viewing file ownership - Clicking on the "Ownership" button + Clicking on the Ownership button brings up a dialog box telling you who owns the given file. The owner name will be of the form : 
@@ -819,14 +825,14 @@ Before using any of the following options please refer to the man page for &smb. the Samba server, user is the user name of the UNIX user who owns the file, and (Long name) is the descriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). Click on the Close - button to remove this dialog. + GECOS field of the UNIX password database). Click on the + Close button to remove this dialog. If the parameter nt acl support is set to false then the file owner will - be shown as the NT user "Everyone". + be shown as the NT user "Everyone". - The Take Ownership button will not allow + The Take Ownership button will not allow you to change the ownership of this file to yourself (clicking on it will display a dialog box complaining that the user you are currently logged onto the NT client cannot be found). The reason @@ -849,12 +855,14 @@ Before using any of the following options please refer to the man page for &smb. Viewing File or Directory Permissions - The third button is the "Permissions" + The third button is the Permissions button. Clicking on this brings up a dialog box that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed in the form : - "SERVER\user (Long name)" + "SERVER\ + user + (Long name)" Where SERVER is the NetBIOS name of the Samba server, user is the user name of @@ -864,7 +872,7 @@ Before using any of the following options please refer to the man page for &smb. If the parameter nt acl support is set to false then the file owner will - be shown as the NT user "Everyone" and the + be shown as the NT user "Everyone" and the permissions will be shown as NT "Full Control". 
@@ -880,18 +888,18 @@ Before using any of the following options please refer to the man page for &smb. triples are mapped by Samba into a three element NT ACL with the 'r', 'w', and 'x' bits mapped into the corresponding NT permissions. The UNIX world permissions are mapped into - the global NT group Everyone, followed + the global NT group Everyone, followed by the list of permissions allowed for UNIX world. The UNIX owner and group permissions are displayed as an NT - user icon and an NT local - group icon respectively followed by the list + user icon and an NT local + group icon respectively followed by the list of permissions allowed for the UNIX user and group. As many UNIX permission sets don't map into common - NT names such as "read", - "change" or "full control" then - usually the permissions will be prefixed by the words - "Special Access" in the NT display list. + NT names such as read, + "change" or full control then + usually the permissions will be prefixed by the words + "Special Access" in the NT display list. But what happens if the file has no permissions allowed for a particular UNIX user group or world component ? In order @@ -916,8 +924,8 @@ Before using any of the following options please refer to the man page for &smb. above, and is displayed in the same way. The second set of directory permissions has no real meaning - in the UNIX permissions world and represents the - "inherited" permissions that any file created within + in the UNIX permissions world and represents the + inherited permissions that any file created within this directory would inherit. Samba synthesises these inherited permissions for NT by 
@@ -931,27 +939,27 @@ Before using any of the following options please refer to the man page for &smb. Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and - clicking the OK button. However, there are + clicking the OK button. However, there are limitations that a user needs to be aware of, and also interactions with the standard Samba permission masks and mapping of DOS attributes that need to also be taken into account. If the parameter nt acl support is set to false then any attempt to set - security permissions will fail with an "Access Denied" - message. + security permissions will fail with an "Access Denied" + message. - The first thing to note is that the "Add" + The first thing to note is that the "Add" button will not return a list of users in Samba (it will give - an error message of "The remote procedure call failed - and did not execute"). This means that you can only + an error message of The remote procedure call failed + and did not execute). This means that you can only manipulate the current user/group/world permissions listed in the dialog box. This actually works quite well as these are the only permissions that UNIX actually has. If a permission triple (either user, group, or world) is removed from the list of permissions in the NT dialog box, - then when the "OK" button is pressed it will + then when the OK button is pressed it will be applied as "no permissions" on the UNIX side. If you then view the permissions again the "no permissions" entry will appear as the NT "O" flag, as described above. This 
@@ -966,15 +974,15 @@ Before using any of the following options please refer to the man page for &smb. When setting permissions on a directory the second set of permissions (in the second set of parentheses) is by default applied to all files within that directory. If this - is not what you want you must uncheck the "Replace - permissions on existing files" checkbox in the NT - dialog before clicking "OK". + is not what you want you must uncheck the Replace + permissions on existing files checkbox in the NT + dialog before clicking OK. If you wish to remove all permissions from a user/group/world component then you may either highlight the - component and click the "Remove" button, - or set the component to only have the special "Take - Ownership" permission (displayed as "O" + component and click the Remove button, + or set the component to only have the special Take + Ownership permission (displayed as "O" ) highlighted. @@ -991,7 +999,7 @@ Before using any of the following options please refer to the man page for &smb. directory security mask force directory security mode - Once a user clicks "OK" to apply the + Once a user clicks OK to apply the permissions Samba maps the given permissions into a user/group/world r/w/x triple set, and then will check the changed permissions for a file against the bits set in the 
@@ -1075,13 +1083,13 @@ Before using any of the following options please refer to the man page for &smb. What this can mean is that if the owner changes the permissions to allow themselves read access using the security dialog, clicks - "OK" to get back to the standard attributes tab - dialog, and then clicks "OK" on that dialog, then + OK to get back to the standard attributes tab + dialog, and then clicks OK on that dialog, then NT will set the file permissions back to read-only (as that is what the attributes still say in the dialog). This means that after setting - permissions and clicking "OK" to get back to the - attributes dialog you should always hit "Cancel" - rather than "OK" to ensure that your changes + permissions and clicking OK to get back to the + attributes dialog you should always hit Cancel + rather than OK to ensure that your changes are not overridden. @@ -1099,10 +1107,12 @@ are examples taken from the mailing list in recent times. Users can not write to a public share + We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root), and theres a public share, on which everyone needs to have permission to create / modify files, but only root can change the file, no one else can. We need to constantly go to server to - chgrp -R users * and chown -R nobody * to allow others users to change the file. + chgrp -R users * and chown -R nobody * to allow others users to change the file. + 
@@ -1112,77 +1122,99 @@ are examples taken from the mailing list in recent times. Example Solution: - - Go to the top of the directory that is shared - + + Go to the top of the directory that is shared + - - Set the ownership to what ever public owner and group you want - - find 'directory_name' -type d -exec chown user.group {}\; - find 'directory_name' -type d -exec chmod 6775 'directory_name' - find 'directory_name' -type f -exec chmod 0775 {} \; - find 'directory_name' -type f -exec chown user.group {}\; - - + + Set the ownership to what ever public owner and group you want + + find 'directory_name' -type d -exec chown user.group {}\; + find 'directory_name' -type d -exec chmod 6775 'directory_name' + find 'directory_name' -type f -exec chmod 0775 {} \; + find 'directory_name' -type f -exec chown user.group {}\; + + - - Note: The above will set the 'sticky bit' on all directories. Read your - Unix/Linux man page on what that does. It causes the OS to assign to all - files created in the directories the ownership of the directory. - + + The above will set the 'sticky bit' on all directories. Read your + Unix/Linux man page on what that does. It causes the OS to assign + to all files created in the directories the ownership of the + directory. + + + + - - - Directory is: /foodbar - chown jack.engr /foodbar + Directory is: /foodbar + + $ chown jack.engr /foodbar + + - Note: This is the same as doing: - chown jack /foodbar - chgrp engr /foodbar + + This is the same as doing: + + $ chown jack /foodbar + $ chgrp engr /foodbar + + + + + Now do: - Now do: - chmod 6775 /foodbar - ls -al /foodbar/.. + + $ chmod 6775 /foodbar + $ ls -al /foodbar/.. 
+ - You should see: - drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar + + + You should see: + + drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar + + + + - Now do: - su - jill - cd /foodbar - touch Afile - ls -al - + Now do: + + $ su - jill + $ cd /foodbar + $ touch Afile + $ ls -al + You should see that the file 'Afile' created by Jill will have ownership and permissions of Jack, as follows: - + -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile - + - Now in your smb.conf for the share add: + Now in your &smb.conf; for the share add: force create mode = 0775 force direcrtory mode = 6775 - - Note: The above are only needed IF your users are NOT members of the group + + The above are only needed IF your users are NOT members of the group you have used. ie: Within the OS do not have write permission on the directory. - + + - An alternative is to set in the smb.conf entry for the share: + An alternative is to set in the &smb.conf; entry for the share: force user = jack force group = engr @@ -1192,7 +1224,6 @@ are examples taken from the mailing list in recent times. - diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml index e6e7347290..a52728d9c9 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml 
@@ -20,20 +20,20 @@ environment, and to make their lives a little easier. -Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', + Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', the 'Server Manager'? -Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me -systems. The tools set includes: +Microsoft distributes a version of these tools called nexus for installation +on Windows 9x / Me systems. The tools set includes: - - Server Manager - User Manager for Domains - Event Viewer - + + Server Manager + User Manager for Domains + Event Viewer + Click here to download the archived file ftp://ftp.microsoft.com -The Windows NT 4.0 version of the 'User Manager for +The Windows NT 4.0 version of the 'User Manager for Domains' and 'Server Manager' are available from Microsoft via ftp from ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE @@ -69,7 +69,9 @@ There are several opportunities for creating a custom network startup configurat -The Samba source code tree includes two logon script generation/execution tools. See examples directory genlogon and ntlogon subdirectories. +The Samba source code tree includes two logon script generation/execution tools. +See examples directory genlogon and +ntlogon subdirectories. @@ -77,7 +79,7 @@ The following listings are from the genlogon directory. -This is the genlogon.pl file: +This is the genlogon.pl file: #!/usr/bin/perl @@ -174,10 +176,9 @@ Printers may be added automatically during logon script processing through the u rundll32 printui.dll,PrintUIEntry /? -See the documentation in the Microsoft knowledgebase article no: 189105 referred to above. +See the documentation in the Microsoft knowledgebase article no: 189105. - diff --git a/docs/docbook/projdoc/Bugs.xml b/docs/docbook/projdoc/Bugs.xml index d782920457..03a60b6ce5 100644 --- a/docs/docbook/projdoc/Bugs.xml +++ b/docs/docbook/projdoc/Bugs.xml 
@@ -83,7 +83,7 @@ detail, but may use too much disk space. -To set the debug level use log level = in your +To set the debug level use the log level in your &smb.conf;. You may also find it useful to set the log level higher for just one machine and keep separate logs for each machine. To do this use: @@ -100,24 +100,25 @@ then create a file /usr/local/samba/lib/smb.conf.machine where machine is the name of the client you wish to debug. In that file put any &smb.conf; commands you want, for example -log level= may be useful. This also allows you to +log level may be useful. This also allows you to experiment with different security systems, protocol levels etc on just one machine. -The &smb.conf; entry log level = -is synonymous with the entry debuglevel = that has been -used in older versions of Samba and is being retained for backwards +The &smb.conf; entry log level +is synonymous with the parameter debuglevel that has +been used in older versions of Samba and is being retained for backwards compatibility of &smb.conf; files. -As the log level = value is increased you will record +As the log level value is increased you will record a significantly increasing level of debugging information. For most -debugging operations you may not need a setting higher than 3. Nearly -all bugs can be tracked at a setting of 10, but be prepared for a VERY -large volume of log data. +debugging operations you may not need a setting higher than +3. Nearly +all bugs can be tracked at a setting of 10, but be +prepared for a VERY large volume of log data. 
@@ -126,8 +127,8 @@ large volume of log data. Internal errors -If you get a "INTERNAL ERROR" message in your log files it means that -Samba got an unexpected signal while running. It is probably a +If you get a INTERNAL ERROR message in your log files +it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless you have faulty hardware or system software). @@ -151,17 +152,20 @@ files. This file is the most useful tool for tracking down the bug. To use it you do this: -gdb smbd core + + $ gdb smbd core + adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try dbx. Then within the debugger use the -command where to give a stack trace of where the problem -occurred. Include this in your mail. +don't have gdb then try dbx. Then within the debugger +use the command where to give a stack trace of where the +problem occurred. Include this in your report. -If you know any assembly language then do a disass of the routine +If you know any assembly language then do a +disass of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you @@ -177,8 +181,10 @@ useful. Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd does often). To debug with this sort of system you could try to attach -to the running process using gdb smbd PID where you get PID from -smbstatus. Then use c to continue and try to cause the core dump +to the running process using +gdb smbd PID where you get +PID from smbstatus. +Then use c to continue and try to cause the core dump using the client. The debugger should catch the fault and tell you where it occurred. @@ -198,4 +204,3 @@ exactly what version you used. - 
diff --git a/docs/docbook/projdoc/Compiling.xml b/docs/docbook/projdoc/Compiling.xml index 9638663dde..fb59dead02 100644 --- a/docs/docbook/projdoc/Compiling.xml +++ b/docs/docbook/projdoc/Compiling.xml @@ -7,7 +7,7 @@ &author.jelmer; - (22 May 2001) + 22 May 2001 18 March 2003 @@ -45,8 +45,8 @@ This chapter is a modified version of the instructions found at The machine samba.org runs a publicly accessible CVS repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host. +including samba, rsync, distcc, ccache and jitterbug. There are two main ways +of accessing the CVS server on this host. @@ -80,11 +80,12 @@ just a casual browser. To download the latest cvs source code, point your -browser at the URL : http://www.cyclic.com/. +browser at the URL : +http://www.cyclic.com/. and click on the 'How to get cvs' link. CVS is free software under the GNU GPL (as is Samba). Note that there are several graphical CVS clients which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com. +Links to theses clients are also available from the Cyclic website. @@ -94,16 +95,17 @@ samba source code. For the other source code repositories on this system just substitute the correct package name - - + + Retrieving samba using CVS + + Install a recent copy of cvs. All you really need is a copy of the cvs client binary. - - + - + Run the command @@ -111,14 +113,16 @@ on this system just substitute the correct package name cvs -d :pserver:cvs@samba.org:/cvsroot login + + + When it asks you for a password type cvs. - + - - + Run the command 
@@ -134,18 +138,19 @@ on this system just substitute the correct package name - CVS branches other then HEAD can be obtained by using the -r - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following userinput. + CVS branches other then HEAD can be obtained by using the + and defining a tag name. A list of branch tag names + can be found on the "Development" page of the samba web site. A common + request is to obtain the latest 3.0 release code. This could be done by + using the following userinput. - cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba + cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_3_0 samba - + - + Whenever you want to merge in the latest code changes use the following command from within the samba directory: @@ -154,8 +159,8 @@ on this system just substitute the correct package name cvs update -d -P - - + + 
@@ -166,16 +171,16 @@ on this system just substitute the correct package name Accessing the samba sources via rsync and ftp - pserver.samba.org also exports unpacked copies of most parts of the CVS tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. + pserver.samba.org also exports unpacked copies of most parts of the CVS + tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at + rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. See the rsync homepage for more info on rsync. - The disadvantage of the unpacked trees - is that they do not support automatic - merging of local changes like CVS does. - rsync access is most convenient for an - initial install. + The disadvantage of the unpacked trees is that they do not support automatic + merging of local changes like CVS does. rsync access is most convenient + for an initial install. @@ -183,11 +188,10 @@ on this system just substitute the correct package name Verifying Samba's PGP signature -In these days of insecurity, it's strongly recommended that you verify the PGP signature for any -source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of -all Samba downloads have had a corresponding PGP signature download (a very low percentage, which -should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP -signatures should be a standard reflex. +In these days of insecurity, it's strongly recommended that you verify the PGP +signature for any source file before installing it. Even if you're not +downloading from a mirror site, verifying PGP signatures should be a +standard reflex. 
@@ -195,38 +199,39 @@ signatures should be a standard reflex. With that said, go ahead and download the following files: - - $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc - $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc - + +$ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc +$ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc + The first file is the PGP signature for the Samba source file; the other is the Samba public PGP key itself. Import the public PGP key with: - - $ gpg --import samba-pubkey.asc - + + $ gpg --import samba-pubkey.asc + And verify the Samba source code integrity with: - - $ gzip -d samba-2.2.8a.tar.gz - $ gpg --verify samba-2.2.8a.tar.asc - + + $ gzip -d samba-2.2.8a.tar.gz + $ gpg --verify samba-2.2.8a.tar.asc + -If you receive a message like, "Good signature from Samba Distribution Verification Key..." -then all is well. The warnings about trust relationships can be ignored. An example of what -you would not want to see would be: +If you receive a message like, "Good signature from Samba Distribution +Verification Key..." +then all is well. The warnings about trust relationships can be ignored. An +example of what you would not want to see would be: - + gpg: BAD signature from "Samba Distribution Verification Key" - + 
@@ -288,28 +293,31 @@ you would not want to see would be: If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR. + remember to add the configure option + . - After you run configure make sure that include/config.h it generates contains lines like this: + After you run configure make sure that + include/config.h it generates contains lines like + this: - + #define HAVE_KRB5 1 #define HAVE_LDAP 1 - If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it. + If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure + out why and fix it. Installing the required packages for Debian On Debian you need to install the following packages: - - libkrb5-dev - krb5-user - + + libkrb5-dev + krb5-user + @@ -318,11 +326,11 @@ you would not want to see would be: On RedHat this means you should have at least: - - krb5-workstation (for kinit) - krb5-libs (for linking with) - krb5-devel (because you are compiling from source) - + + krb5-workstation (for kinit) + krb5-libs (for linking with) + krb5-devel (because you are compiling from source) + in addition to the standard development environment. @@ -337,9 +345,9 @@ you would not want to see would be: - Starting the smbd and nmbd + Starting the &smbd; and &nmbd; - You must choose to start smbd and nmbd either + You must choose to start &smbd; and &nmbd; either as daemons or from inetdDon't try to do both! Either you can put them in inetd.conf and have them started on demand 
@@ -350,26 +358,28 @@ you would not want to see would be: the bit about what user you need to be in order to start Samba. In many cases you must be root. - The main advantage of starting smbd - and nmbd using the recommended daemon method + The main advantage of starting &smbd; + and &nmbd; using the recommended daemon method is that they will respond slightly more quickly to an initial connection request. Starting from inetd.conf - NOTE; The following will be different if + + The following will be different if you use NIS, NIS+ or LDAP to distribute services maps. + Look at your /etc/services. What is defined at port 139/tcp. If nothing is defined then add a line like this: - netbios-ssn 139/tcp + netbios-ssn 139/tcp similarly for 137/udp you should have an entry like: - netbios-ns 137/udp + netbios-ns 137/udp Next edit your /etc/inetd.conf and add two lines something like this: @@ -386,11 +396,13 @@ you would not want to see would be: Some unixes already have entries like netbios_ns (note the underscore) in /etc/services. You must either edit /etc/services or - /etc/inetd.conf to make them consistent. + /etc/inetd.conf to make them consistent. + On many systems you may need to use the - interfaces option in &smb.conf; to specify the IP address - and netmask of your interfaces. Run ifconfig + interfaces option in &smb.conf; to specify the IP + address and netmask of your interfaces. Run + ifconfig as root if you don't know what the broadcast is for your net. &nmbd; tries to determine it at run time, but fails on some unixes. @@ -402,9 +414,9 @@ you would not want to see would be: arguments, or you should use a script, and start the script from inetd. - Restart inetd, perhaps just send - it a HUP. If you have installed an earlier version of - nmbd then you may need to kill nmbd as well. + Restart inetd, perhaps just send + it a HUP. If you have installed an earlier version of &nmbd; then + you may need to kill &nmbd; as well. 
@@ -428,7 +440,7 @@ you would not want to see would be: To kill it send a kill signal to the processes - nmbd and smbd. + &nmbd; and &smbd;. If you use the SVR4 style init system then you may like to look at the examples/svr4-startup diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml index ecb8a3afb3..bb8e95b8a9 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml 
@@ -4,40 +4,48 @@ &author.jht; &author.jeremy; &author.jerry; + + + &author.tridge; + &author.jelmer; Domain Membership -Domain Membership is a subject of vital concern, Samba must be able to participate -as a member server in a Microsoft Domain security context, and Samba must be capable of -providing Domain machine member trust accounts, otherwise it would not be capable of offering -a viable option for many users. +Domain Membership is a subject of vital concern, Samba must be able to +participate as a member server in a Microsoft Domain security context, and +Samba must be capable of providing Domain machine member trust accounts, +otherwise it would not be capable of offering a viable option for many users. -This chapter covers background information pertaining to domain membership, Samba -configuration for it, and MS Windows client procedures for joining a domain. Why is -this necessary? Because both are areas in which there exists within the current MS -Windows networking world and particularly in the Unix/Linux networking and administration -world, a considerable level of mis-information, incorrect understanding, and a lack of -knowledge. Hopefully this chapter will fill the voids. +This chapter covers background information pertaining to domain membership, +Samba configuration for it, and MS Windows client procedures for joining a +domain. Why is this necessary? Because both are areas in which there exists +within the current MS Windows networking world and particularly in the +Unix/Linux networking and administration world, a considerable level of +mis-information, incorrect understanding, and a lack of knowledge. Hopefully +this chapter will fill the voids. Features and Benefits -MS Windows workstations and servers that want to participate in domain security need to +MS Windows workstations and servers that want to participate in domain +security need to be made Domain members. 
Participating in Domain security is often called -Single Sign On or SSO for short. This chapter describes the process -that must be followed to make a workstation (or another server - be it an MS Windows NT4 / 200x +Single Sign On or SSO for short. This +chapter describes the process that must be followed to make a workstation +(or another server - be it an MS Windows NT4 / 200x server) or a Samba server a member of an MS Windows Domain security context. -Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Windows -Active Directory Domain as a native member server, or a Samba Domain Control network. +Samba-3 can join an MS Windows NT4 style domain as a native member server, an +MS Windows Active Directory Domain as a native member server, or a Samba Domain +Control network. @@ -50,19 +58,21 @@ Domain membership has many advantages: - Domain user access rights and file ownership / access controls can be set from - the single Domain SAM (Security Accounts Management) database (works with Domain member - servers as well as with MS Windows workstations that are domain members) + Domain user access rights and file ownership / access controls can be set + from the single Domain SAM (Security Accounts Management) database + (works with Domain member servers as well as with MS Windows workstations + that are domain members) - Only MS Windows NT4 / 200x / XP Professional workstations that are Domain members + Only MS Windows NT4 / 200x / XP Professional + workstations that are Domain members can use network logon facilities - Domain Member workstations can be better controlled through the use of Policy files - (NTConfig.POL) and Desktop Profiles. + Domain Member workstations can be better controlled through the use of + Policy files (NTConfig.POL) and Desktop Profiles. 
@@ -71,10 +81,11 @@ Domain membership has many advantages: - Network administrators gain better application and user access management abilities - because there is no need to maintain user accounts on any network client or server, - other than the central Domain database (either NT4/Samba SAM style Domain, NT4 Domain - that is back ended with an LDAP directory, or via an Active Directory infrastructure) + Network administrators gain better application and user access management + abilities because there is no need to maintain user accounts on any network + client or server, other than the central Domain database + (either NT4/Samba SAM style Domain, NT4 Domain that is back ended with an + LDAP directory, or via an Active Directory infrastructure) @@ -84,7 +95,8 @@ Domain membership has many advantages: MS Windows Workstation/Server Machine Trust Accounts -A machine trust account is an account that is used to authenticate a client machine +A machine trust account is an account that is used to authenticate a client +machine (rather than a user) to the Domain Controller server. In Windows terminology, this is known as a "Computer Account." @@ -113,10 +125,10 @@ as follows: - A Domain Security Account (stored in the passdb backend - that has been configured in the &smb.conf; file. The precise nature of the - account information that is stored depends on the type of backend database - that has been chosen. + A Domain Security Account (stored in the + passdb backend that has been configured in the + &smb.conf; file. The precise nature of the account information that is + stored depends on the type of backend database that has been chosen. 
@@ -127,15 +139,17 @@ as follows: - The two newer database types are called ldapsam, tdbsam. - Both store considerably more data than the older smbpasswd - file did. The extra information enables new user account controls to be used. + The two newer database types are called ldapsam, + tdbsam. Both store considerably more data than the + older smbpasswd file did. The extra information + enables new user account controls to be used. - A corresponding Unix account, typically stored in /etc/passwd. - Work is in progress to allow a simplified mode of operation that does not require - Unix user accounts, but this may not be a feature of the early releases of Samba-3. + A corresponding Unix account, typically stored in + /etc/passwd. Work is in progress to allow a + simplified mode of operation that does not require Unix user accounts, but + this may not be a feature of the early releases of Samba-3. 
@@ -146,20 +160,22 @@ There are three ways to create machine trust accounts: - Manual creation from the Unix/Linux command line. Here, both the Samba and corresponding - Unix account are created by hand. + Manual creation from the Unix/Linux command line. Here, both the Samba and + corresponding Unix account are created by hand. - Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using - the Nexus toolkit available from the Microsoft web site. This tool can be run from any - MS Windows machine so long as the user is logged on as the administrator account. + Using the MS Windows NT4 Server Manager (either from an NT4 Domain member + server, or using the Nexus toolkit available from the Microsoft web site. + This tool can be run from any MS Windows machine so long as the user is + logged on as the administrator account. - "On-the-fly" creation. The Samba machine trust account is automatically created by - Samba at the time the client is joined to the domain. (For security, this is the - recommended method.) The corresponding Unix account may be created automatically or manually. + "On-the-fly" creation. The Samba machine trust account is automatically + created by Samba at the time the client is joined to the domain. + (For security, this is the recommended method.) The corresponding Unix + account may be created automatically or manually. 
@@ -167,26 +183,26 @@ There are three ways to create machine trust accounts: Manual Creation of Machine Trust Accounts -The first step in manually creating a machine trust account is to manually create the -corresponding Unix account in /etc/passwd. This can be done using -vipw or other 'add user' command that is normally used to create new -Unix accounts. The following is an example for a Linux based Samba server: +The first step in manually creating a machine trust account is to manually +create the corresponding Unix account in /etc/passwd. +This can be done using vipw or another 'add user' command +that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server: -root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$ +root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$ -root# passwd -l machine_name$ +root# passwd -l machine_name$ -On *BSD systems, this can be done using the 'chpass' utility: +On *BSD systems, this can be done using the chpass utility: -root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin" +root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin" 
@@ -235,11 +251,11 @@ the corresponding Unix account. Manually creating a machine trust account using this method is the equivalent of creating a machine trust account on a Windows NT PDC using - the "Server Manager". From the time at which the account is created - to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using - a machine with the same NetBIOS name. A PDC inherently trusts - members of the domain and will serve out a large degree of user + the Server Manager. From the time at which the + account is created to the time which the client joins the domain and + changes the password, your domain is vulnerable to an intruder joining + your domain using a machine with the same NetBIOS name. A PDC inherently + trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! 
@@ -249,16 +265,19 @@ the corresponding Unix account. Using NT4 Server Manager to Add Machine Accounts to the Domain -If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation -then the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory -this will unpack SrvMge.exe and UsrMgr.exe (both are Domain Management tools for MS Windows NT4 -workstation. +If the machine from which you are trying to manage the domain is an +MS Windows NT4 workstation +then the tool of choice is the package called SRVTOOLS.EXE. +When executed in the target directory this will unpack +SrvMge.exe and UsrMgr.exe (both are +Domain Management tools for MS Windows NT4 workstation. -If your workstation is any other MS Windows product you should download the Nexus.exe package -from the Microsoft web site. When executed from the target directory this will unpack the same -tools but for use on MS Windows 9x/Me/200x/XP. +If your workstation is any other MS Windows product you should download the +Nexus.exe package from the Microsoft web site. When executed +from the target directory this will unpack the same tools but for use on +MS Windows 9x/Me/200x/XP. 
@@ -268,29 +287,32 @@ Launch the srvmgr.exe (Server Manager for Domains) and follow Server Manager Account Machine Account Management - From the menu select Computer + From the menu select Computer - Click on "Select Domain" + Click on Select Domain - Click on the name of the domain you wish to administer in the "Select Domain" panel - and then Click OK. + Click on the name of the domain you wish to administer in the + Select Domain panel and then click + OK. - Again from the menu select Computer + Again from the menu select Computer - Select "Add to Domain" + Select Add to Domain - In the dialog box, click on the radio button to "Add NT Workstation of Server", then - enter the machine name in the field provided, then Click the "Add" button. + In the dialog box, click on the radio button to + Add NT Workstation of Server, then + enter the machine name in the field provided, then click the + Add button. @@ -334,8 +356,8 @@ The procedure for making an MS Windows workstation of server a member of the dom with the version of Windows: - - Windows 200x XP Professional + + Windows 200x XP Professional When the user elects to make the client a domain member, Windows 200x prompts for @@ -363,9 +385,11 @@ with the version of Windows: encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or updated if it already exists. - + + - Windows NT4 + + Windows NT4 If the machine trust account was created manually, on the @@ -382,13 +406,16 @@ with the version of Windows: this case, joining the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrative account when prompted). - + + + + + Samba - Samba Joining a samba client to a domain is documented in the Domain Member chapter. - - + + 
@@ -398,38 +425,41 @@ with the version of Windows: This mode of server operation involves the samba machine being made a member -of a domain security context. This means by definition that all user authentication -will be done from a centrally defined authentication regime. The authentication -regime may come from an NT3/4 style (old domain technology) server, or it may be -provided from an Active Directory server (ADS) running on MS Windows 2000 or later. +of a domain security context. This means by definition that all user +authentication will be done from a centrally defined authentication regime. +The authentication regime may come from an NT3/4 style (old domain technology) +server, or it may be provided from an Active Directory server (ADS) running on +MS Windows 2000 or later. -Of course it should be clear that the authentication back end itself could be from any -distributed directory architecture server that is supported by Samba. This can be -LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. +Of course it should be clear that the authentication back end itself could be +from any distributed directory architecture server that is supported by Samba. +This can be LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory +Server, etc. -Please refer to the section on Howto configure Samba as a Primary Domain Controller -and for more information regarding how to create a domain machine account for a -domain member server as well as for information regarding how to enable the samba -domain member machine to join the domain and to be fully trusted by it. +Please refer to the Samba as a Primary Domain +Controller chapter for more information regarding how to create a domain +machine account for a domain member server as well as for information +regarding how to enable the samba domain member machine to join the domain and +to be fully trusted by it. 
Joining an NT4 type Domain with Samba-3 -Assumptions: - - NetBIOS name: SERV1 - Win2K/NT domain name: DOM - Domain's PDC NetBIOS name: DOMPDC - Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 - +Assumptions: + + NetBIOS name:SERV1 + Win2K/NT domain name:DOM + Domain's PDC NetBIOS name:DOMPDC + Domain's BDC NetBIOS names:DOMBDC1 and DOMBDC2 +
@@ -445,18 +475,19 @@ of your &smb.conf; to read: - security = domain +security = domain Next change the -workgroup = line in the [global] section to read: +workgroup line in the [global] +section to read: - workgroup = DOM +workgroup = DOM @@ -472,13 +503,13 @@ You must also have the parameter Finally, add (or modify) a -password server = line in the [global] +password server line in the [global] section to read: - password server = DOMPDC DOMBDC1 DOMBDC2 +password server = DOMPDC DOMBDC1 DOMBDC2 @@ -498,7 +529,7 @@ set this line to be: - password server = * +password server = * @@ -513,14 +544,14 @@ In order to actually join the domain, you must run this command: - - root# net join -S DOMPDC -UAdministrator%password - + +root# net join -S DOMPDC -UAdministrator%password + -If the -S DOMPDC argument is not given then -the domain name will be obtained from smb.conf. +If the argument is not given then +the domain name will be obtained from &smb.conf;. @@ -573,7 +604,7 @@ clients to begin using domain security!
-Why is this better than security = server? +Why is this better than <parameter>security = server</parameter>? Currently, domain security in Samba doesn't free you from @@ -604,11 +635,11 @@ domain PDC to an account domain PDC). -In addition, with security = server every Samba +In addition, with security = server every Samba daemon on a server has to keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the connection resources on a Microsoft NT server and cause it to run -out of available connections. With security = domain, +out of available connections. With security = domain, however, the Samba daemons connect to the PDC/BDC only for as long as is necessary to authenticate the user, and then drop the connection, thus conserving PDC connection resources. @@ -624,8 +655,8 @@ as the user SID, the list of NT groups the user belongs to, etc. Much of the text of this document -was first published in the Web magazine -LinuxWorld as the article LinuxWorld as the article Doing the NIS/NT Samba. @@ -646,7 +677,7 @@ Windows2000 KDC. Setup your <filename>smb.conf</filename> -You must use at least the following 3 options in smb.conf: +You must use at least the following 3 options in &smb.conf;: 
@@ -657,17 +688,18 @@ You must use at least the following 3 options in smb.conf: In case samba can't figure out your ads server using your realm name, use the -ads server option in smb.conf: +ads server option in smb.conf: ads server = your.kerberos.server -You do *not* need a smbpasswd file, and older clients will be authenticated as if -security = domain, although it won't do any harm and allows you -to have local users not in the domain. I expect that the above required options will -change soon when we get better active directory integration. +You do ¬ need a smbpasswd file, and older clients will be authenticated as +if security = domain, although it won't do any harm and +allows you to have local users not in the domain. It is expected that the above +required options will change soon when active directory integration will get +better. @@ -675,10 +707,6 @@ change soon when we get better active directory integration. Setup your <filename>/etc/krb5.conf</filename> - -Note: you will need the krb5 workstation, devel, and libs installed - - The minimal configuration for krb5.conf is: @@ -697,8 +725,8 @@ making sure that your password is accepted by the Win2000 KDC. -The realm must be uppercase or you will get "Cannot find KDC for requested -realm while getting initial credentials" error +The realm must be uppercase or you will get Cannot find KDC for +requested realm while getting initial credentials error @@ -748,7 +776,7 @@ As a user that has write permission on the Samba private directory - "ADS support not compiled in" + ADS support not compiled in Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. diff --git a/docs/docbook/projdoc/passdb.xml b/docs/docbook/projdoc/passdb.xml index 368d7ba863..afe5ae24af 100644 --- a/docs/docbook/projdoc/passdb.xml +++ b/docs/docbook/projdoc/passdb.xml 
@@ -208,9 +208,9 @@ Samba-3 introduces the following new password backend capabilities: In addition to differently encrypted passwords, windows also stores certain data for each user that is not stored in a unix user database. e.g: workstations the user may logon from, the location where the users' profile is stored, and so on. Samba retrieves and stores this - information using a "passdb backend". Commonly available backends are LDAP, plain text + information using a passdb backend. Commonly available backends are LDAP, plain text file, MySQL and nisplus. For more information, see the man page for &smb.conf; regarding the - passdb backend = parameter. + passdb backend parameter. @@ -756,9 +756,9 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY - -root# cp samba.schema /etc/openldap/schema/ - + +&rootprompt;cp samba.schema /etc/openldap/schema/ + @@ -833,9 +833,9 @@ index default sub - -root# /etc/init.d/slapd restart - + +&rootprompt;/etc/init.d/slapd restart + @@ -844,14 +844,13 @@ index default sub Configuring Samba - The following parameters are available in smb.conf only with --with-ldapsam - was included when compiling Samba. The following parameters are available in smb.conf only if your + The following parameters are available in smb.conf only if your version of samba was built with LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. - passdb backend ldapsam:url + passdb backend = ldapsam:url ldap ssl ldap admin dn ldap suffix 
@@ -970,12 +969,12 @@ index default sub To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults - to require an encrypted session (ldap ssl = on) using - the default port of 636 + to require an encrypted session (ldap ssl = on) using + the default port of 636 when contacting the directory server. When using an OpenLDAP server, it is possible to use the use the StartTLS LDAP extended operation in the place of LDAPS. In either case, you are strongly discouraged to disable this security - (ldap ssl = off). + (ldap ssl = off). @@ -1236,7 +1235,7 @@ index default sub The identifier can be any string you like, as long as it doesn't collide with the identifiers of other plugins or other instances of pdb_mysql. If you - specify multiple pdb_mysql.so entries in 'passdb backend', you also need to + specify multiple pdb_mysql.so entries in passdb backend, you also need to use different identifiers! @@ -1383,10 +1382,10 @@ index default sub - then execute (as root): - pdbedit -i smbpasswd -e tdbsam - + + &rootprompt;pdbedit -i smbpasswd -e tdbsam + diff --git a/docs/docbook/projdoc/printer_driver2.xml b/docs/docbook/projdoc/printer_driver2.xml index da3eb838f2..76f59c12ea 100644 --- a/docs/docbook/projdoc/printer_driver2.xml +++ b/docs/docbook/projdoc/printer_driver2.xml @@ -8,7 +8,7 @@
papowell@lprng.org
- (3 May 2001) + 3 May 2001 Printing Support -- cgit
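Review bot: the manual-creation hunk in DOMAIN_MEMBER.xml (@@ -167,26 +183,26 @@) reflows the two example commands but still never explains why the Unix account is created locked and without a usable shell. The machine account's secret is held in the Samba passdb, so the Unix entry exists only to give the machine a uid/gid; "passwd -l machine_name$" (and the "*" password field in the chpass form) together with the /bin/false or /sbin/nologin shell are what keep that entry from ever being usable for an interactive login. One sentence saying so after the useradd example would make the purpose of the second command clear, and the Linux and *BSD examples should agree on a single non-login shell instead of /bin/false in one and /sbin/nologin in the other.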
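Review bot: the Server Manager hunk (@@ -249,16 +265,19 @@) carries two defects over from the old text instead of fixing them while the lines are being rewrapped: "SrvMge.exe" should read "SrvMgr.exe" (the next section tells the reader to launch srvmgr.exe), and the parenthesis opened at "(both are Domain Management tools for MS Windows NT4 workstation." is never closed.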
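Review bot: in the step-list hunk (@@ -268,29 +287,32 @@) the radio button label is reproduced as "Add NT Workstation of Server"; the choice in that dialog is between an NT workstation or server and a backup domain controller, so "of" should be "or" while the label is being wrapped in GUI markup. The same "workstation of server" slip is visible in the unchanged context line of the next hunk ("The procedure for making an MS Windows workstation of server a member of the dom...") and should be fixed in the same commit.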
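Review bot: the reflow of the domain member introduction (@@ -398,38 +425,41 @@) keeps "or Sun's iPlanet, of NetWare Directory Server"; "of" should be "or". Since the hunk already rewrites that sentence, fix the typo here rather than leaving it for another layout pass.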
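Review bot: the net join hunk (@@ -513,14 +544,14 @@) only changes prompt markup, but the example it reformats, "net join -S DOMPDC -UAdministrator%password", puts the Domain Administrator password on the command line, where every local user can read it from the process list and where it is recorded in the root shell's history. As this is the step every reader will copy verbatim, the example should show "-UAdministrator" without the "%password" part and say that net prompts for the password, or at minimum warn about the exposure. In the same hunk the rewritten sentence renders here as "If the argument is not given then the domain name will be obtained from &smb.conf;", i.e. the "-S DOMPDC" option name has vanished from the visible text; check that the element wrapping the option name survives rendering.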
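Review bot: the ADS options hunk (@@ -657,17 +688,18 @@) replaces "*not*" with the logical-not sign, so the line now reads "You do ¬ need a smbpasswd file"; that is almost certainly an entity mix-up and should be the word "not" in emphasis markup. Two smaller points in the same hunk: "ads server option in smb.conf" is left as plain smb.conf although the neighbouring hunk in this file converts smb.conf to the &smb.conf; entity, and "will change soon when active directory integration will get better" should read "when Active Directory integration improves".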
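Review bot: the krb5.conf hunk (@@ -675,10 +707,6 @@) deletes "Note: you will need the krb5 workstation, devel, and libs installed" without moving that requirement anywhere else, yet the troubleshooting entry later in the same file ("ADS support not compiled in ... after the kerberos libs and headers are installed") still depends on the reader having done it. Keep the prerequisite, for example as the opening sentence of the section, instead of dropping it in a layout commit.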
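Review bot: in the passdb.xml hunks that swap "root#" for the &rootprompt; entity (@@ -756,9 +756,9 @@, @@ -833,9 +833,9 @@ and @@ -1383,10 +1382,10 @@) the entity is written directly against the command, as in "&rootprompt;cp samba.schema /etc/openldap/schema/"; unless the entity definition ends in a space the rendered prompt runs into the command. Either put a space after the entity or confirm the definition carries one. The last of those hunks also drops the lead-in "then execute (as root):", which is acceptable only if the rendered prompt makes the root requirement obvious.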
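Review bot: the ldap ssl hunk in passdb.xml (@@ -970,12 +969,12 @@) rewraps the parameter values but leaves "you are strongly discouraged to disable this security"; it should read "strongly discouraged from disabling this security (ldap ssl = off)". The unchanged context in the same paragraph still has the doubled "use the use the StartTLS", and the paragraph says StartTLS may be used in place of LDAPS without naming the ldap ssl value that selects it; since the values are being re-marked-up anyway, list the StartTLS value next to "ldap ssl = on" so readers can actually pick the encrypted option the text recommends.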