From 2d62bd52486bd20922143f61cb7a3159ec78e478 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 31 Oct 2002 22:00:20 +0000 Subject: Add initial upgrading doc (doesn't contain much currently) Start using more entities (This used to be commit 6c442fe5c90902718d9a381e6b2518c0b4aab3de) --- docs/docbook/global.ent | 16 ++++++++++++++++ docs/docbook/manpages/pdbedit.8.sgml | 7 ++++--- docs/docbook/manpages/rpcclient.1.sgml | 23 +++++------------------ docs/docbook/manpages/vfstest.1.sgml | 21 ++++++--------------- docs/docbook/projdoc/upgrading-to-3.0.sgml | 19 +++++++++++++++++++ 5 files changed, 50 insertions(+), 36 deletions(-) create mode 100644 docs/docbook/projdoc/upgrading-to-3.0.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index d88c489a4a..604dec7e18 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -31,3 +31,19 @@ + +-d|--debug=debuglevel +set the debuglevel. Debug level 0 is the lowest +and 100 being the highest. This should be set to 100 if you are +planning on submitting a bug report to the Samba team (see +BUGS.txt). + +'> + + +-h|--help +Print a summary of command line options. + +'> diff --git a/docs/docbook/manpages/pdbedit.8.sgml b/docs/docbook/manpages/pdbedit.8.sgml index fd8ce375e5..e918870ac1 100644 --- a/docs/docbook/manpages/pdbedit.8.sgml +++ b/docs/docbook/manpages/pdbedit.8.sgml @@ -21,8 +21,8 @@ -u username -f fullname -h homedir - -d drive - -s script + -D drive + -S script -p profile -a -m @@ -30,7 +30,8 @@ -i passdb-backend -e passdb-backend -b passdb-backend - -D debuglevel + -d debuglevel + -s configfile -P account-policy -V value diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml index 7a7a19c837..10e0ff438d 100644 --- a/docs/docbook/manpages/rpcclient.1.sgml +++ b/docs/docbook/manpages/rpcclient.1.sgml @@ -1,4 +1,6 @@ - + %globalentities; +]> @@ -87,23 +89,8 @@ - - -d|--debug=debuglevel - set the debuglevel. Debug level 0 is the lowest - and 100 being the highest. This should be set to 100 if you are - planning on submitting a bug report to the Samba team (see BUGS.txt). - - - - - - - - -h|--help - Print a summary of command line options. - - - + &stdarg.debuglevel; + &stdarg.help; -I IP-address diff --git a/docs/docbook/manpages/vfstest.1.sgml b/docs/docbook/manpages/vfstest.1.sgml index 9a7eff1939..f8fa7298b8 100644 --- a/docs/docbook/manpages/vfstest.1.sgml +++ b/docs/docbook/manpages/vfstest.1.sgml @@ -1,4 +1,7 @@ - + %globalentities; +]> + @@ -48,20 +51,8 @@ - - -d|--debug=debuglevel - set the debuglevel. Debug level 0 is the lowest - and 100 being the highest. This should be set to 100 if you are - planning on submitting a bug report to the Samba team (see - BUGS.txt). - - - - - -h|--help - Print a summary of command line options. - - + &stdarg.debuglevel; + &stdarg.help; -l|--logfile=logbasename diff --git a/docs/docbook/projdoc/upgrading-to-3.0.sgml b/docs/docbook/projdoc/upgrading-to-3.0.sgml new file mode 100644 index 0000000000..5b6b8dd635 --- /dev/null +++ b/docs/docbook/projdoc/upgrading-to-3.0.sgml @@ -0,0 +1,19 @@ + + + + JelmerVernooij + Samba Team + + 25 October 2002 + + +Issues when upgrading from 2.2 to 3.0 + + +Charsets + +FIXME + + + + -- cgit From 4d2879aea95569f8e7c091115b4786bb191355c2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 2 Nov 2002 00:16:36 +0000 Subject: Update manpages - make ready for 3.0 (This used to be commit 1a06235f183c2dcc6efc056043252246a4f31139) --- docs/docbook/global.ent | 49 ++++++++++++++++++++++++++++++++---- docs/docbook/manpages/nmbd.8.sgml | 2 +- docs/docbook/manpages/pdbedit.8.sgml | 9 ++++--- docs/docbook/manpages/wbinfo.1.sgml | 16 ++++++------ 4 files changed, 59 insertions(+), 17 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 604dec7e18..46745c2773 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -34,11 +34,29 @@ -d|--debug=debuglevel -set the debuglevel. Debug level 0 is the lowest -and 100 being the highest. This should be set to 100 if you are -planning on submitting a bug report to the Samba team (see -BUGS.txt). - + +debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero. + +The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out. + +Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic. + +Note that specifying this parameter here will +override the log +level parameter in the +smb.conf(5) file. + '> Print a summary of command line options. '> + + +-s <configuration file> +The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See +smb.conf(5) for more information. +The default configuration file name is determined at +compile time. +'> + + +-v +Prints the version number for +smbd. +'> diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml index bd8bf964f1..8564ac7924 100644 --- a/docs/docbook/manpages/nmbd.8.sgml +++ b/docs/docbook/manpages/nmbd.8.sgml @@ -318,7 +318,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. diff --git a/docs/docbook/manpages/pdbedit.8.sgml b/docs/docbook/manpages/pdbedit.8.sgml index e918870ac1..a3fd7be7b4 100644 --- a/docs/docbook/manpages/pdbedit.8.sgml +++ b/docs/docbook/manpages/pdbedit.8.sgml @@ -161,9 +161,8 @@ - - -d drive + -D drive This option can be used while adding or modifing a user account. It will specify the windows drive letter to be used to map the home directory. @@ -175,7 +174,7 @@ - -s script + -S script This option can be used while adding or modifing a user account. It will specify the user's logon script path. @@ -300,6 +299,10 @@ + + &stdarg.debuglevel; + &stdarg.help; + &stdarg.configfile; diff --git a/docs/docbook/manpages/wbinfo.1.sgml b/docs/docbook/manpages/wbinfo.1.sgml index f1461b07b9..59cab3fc97 100644 --- a/docs/docbook/manpages/wbinfo.1.sgml +++ b/docs/docbook/manpages/wbinfo.1.sgml @@ -17,8 +17,8 @@ wbinfo -u -g - -h name - -i ip +! -i ip + -N netbios-name -n name -s sid -U uid @@ -30,6 +30,7 @@ -r user -a user%password -A user%password + -p @@ -72,10 +73,9 @@ winbindd(8). - - -h name - The -h option + -N name + The -N option queries winbindd(8) to query the WINS server for the IP address associated with the NetBIOS name specified by the name parameter. @@ -84,8 +84,8 @@ - -i ip - The -i option + -I ip + The -I option queries winbindd(8) to send a node status request to get the NetBIOS name associated with the IP address specified by the ip parameter. @@ -210,7 +210,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. -- cgit From 3a382e8bf7aefca3b92ebfbb31f5cb10b38b164f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 2 Nov 2002 00:20:29 +0000 Subject: Initial updating of Diagnosis (This used to be commit 4fc8f1d3f29e36c8c1a04d6907c4bed3d6547e35) --- docs/docbook/projdoc/Diagnosis.sgml | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 3cc0bab5d5..b2d7abb656 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -7,7 +7,14 @@
tridge@samba.org
- 1 November 1999 + + JelmerVernooij + + Samba Team +
jelmer@samba.org
+ + + $Id: Diagnosis.sgml,v 1.3 2002/11/02 00:20:29 jelmer Exp $ Diagnosing your samba server @@ -23,15 +30,15 @@ then it is probably working fine. -You should do ALL the tests, in the order shown. I have tried to +You should do ALL the tests, in the order shown. We have tried to carefully choose them so later tests only use capabilities verified in the earlier tests. -If you send me an email saying "it doesn't work" and you have not -followed this test procedure then you should not be surprised if I -ignore your email. +If you send one of the samba mailing lists an email saying "it doesn't work" +and you have not followed this test procedure then you should not be surprised +your email is ignored. @@ -40,11 +47,8 @@ ignore your email. Assumptions -In all of the tests I assume you have a Samba server called BIGSERVER -and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the -PC is running windows for workgroups with a recent copy of the -microsoft tcp/ip stack. Alternatively, your PC may be running Windows -95 or Windows NT (Workstation or Server). +In all of the tests it is assumed you have a Samba server called +BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP. @@ -52,7 +56,7 @@ The procedure is similar for other types of clients. -I also assume you know the name of an available share in your +It is also assumed you know the name of an available share in your smb.conf. I will assume this share is called "tmp". You can add a "tmp" share like by adding the following to smb.conf: @@ -68,7 +72,7 @@ smb.conf. I will assume this share is called "tmp". You can add a -THESE TESTS ASSUME VERSION 2.0.6 OR LATER OF THE SAMBA SUITE. SOME +THESE TESTS ASSUME VERSION 3.0.0 OR LATER OF THE SAMBA SUITE. SOME COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS @@ -99,7 +103,7 @@ configuration file is faulty. -Note: Your smb.conf file may be located in: /etc +Note: Your smb.conf file may be located in: /etc/samba Or in: /usr/local/samba/lib -- cgit From b017064cec857b3fd533c5c1b1cd4e6327906b45 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Nov 2002 07:09:17 +0000 Subject: Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccount attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations. There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range. Finally, there is the doco for this and the previous LDAP SSL changes. (This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50) --- docs/docbook/manpages/smb.conf.5.sgml | 46 +++++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 7 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index e4c4587c1f..5cb8f088a6 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -663,6 +663,7 @@ ldap user suffix ldap machine suffix ldap passwd sync + ldap trust ids lm announce lm interval @@ -3464,16 +3465,20 @@ The ldap ssl can be set to one of three values: - On = Always use SSL when contacting the - ldap server. - Off = Never use SSL when querying the directory. Start_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server. + + On = + Use SSL on the ldaps port when contacting the + ldap server. Only + available when the backwards-compatiblity + --with-ldapsam option is specified + to configure. See passdb backend - Default : ldap ssl = on + Default : ldap ssl = start_tls @@ -3540,9 +3545,24 @@ + + ldap trust uids (G) + Normally, Samba validates each entry + in the LDAP server against getpwnam(). This allows + LDAP to be used for Samba with the unix system using + NIS (for example) and also ensures that Samba does not + present accounts that do not otherwise exist. + This option is used to disable this functionality, and + instead to rely on the presence of the appropriate + attributes in LDAP directly, which can result in a + significant performance boost in some situations. + Setting this option to yes effectivly assumes + that the local machine is running nss_ldap against the + same LDAP server. - - + Default: ldap trust ids = No + + level2 oplocks (S) @@ -5357,8 +5377,20 @@ ldapsam_nua - The LDAP based passdb backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to ldap://localhost) + Note: In this module, any account + without a matching POSIX account is regarded + as 'non unix'. See also - non unix account range + non unix account + range + + LDAP connections should be secured where + possible. This may be done using either + Start-TLS (see + ldap ssl) or by + specifying ldaps:// in + the URL argument. + nisplussam - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. -- cgit From a80438d96ce2bc94965b9f26e4976dd5809ae154 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Nov 2002 11:35:43 +0000 Subject: Fix typo (This used to be commit 5c6041f713f1931072aa25f49e8210c4c7e36ba9) --- docs/docbook/manpages/smb.conf.5.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 5cb8f088a6..621b764a11 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -3546,7 +3546,7 @@ - ldap trust uids (G) + ldap trust ids (G) Normally, Samba validates each entry in the LDAP server against getpwnam(). This allows LDAP to be used for Samba with the unix system using -- cgit From e7c2603609c99e4c39948a7f7afcd633223714e7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 4 Nov 2002 16:20:15 +0000 Subject: Move explanation of encryption algorithm to dev-doc (This used to be commit b279cc065385d45b8a16e220fb13b278d5921b1f) --- docs/docbook/projdoc/ENCRYPTION.sgml | 243 ++++------------------------------- 1 file changed, 27 insertions(+), 216 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml index 6a26dbeffa..f903d7d334 100644 --- a/docs/docbook/projdoc/ENCRYPTION.sgml +++ b/docs/docbook/projdoc/ENCRYPTION.sgml @@ -7,88 +7,42 @@ Samba Team
- samba@samba.org + jra@samba.org
- - 19 Apr 1999 + + JelmerVernooij + + Samba Team +
+ jelmer@samba.org +
+ + + + 4 November 2002 -LanMan and NT Password Encryption in Samba 2.x +LanMan and NT Password Encryption in Samba Introduction - With the development of LanManager and Windows NT - compatible password encryption for Samba, it is now able - to validate user connections in exactly the same way as - a LanManager or Windows NT server. - - This document describes how the SMB password encryption - algorithm works and what issues there are in choosing whether - you want to use it. You should read it carefully, especially - the part about security and the "PROS and CONS" section. - - - - - How does it work? - - LanManager encryption is somewhat similar to UNIX - password encryption. The server uses a file containing a - hashed value of a user's password. This is created by taking - the user's plaintext password, capitalising it, and either - truncating to 14 bytes or padding to 14 bytes with null bytes. - This 14 byte value is used as two 56 bit DES keys to encrypt - a 'magic' eight byte value, forming a 16 byte value which is - stored by the server and client. Let this value be known as - the "hashed password". - - Windows NT encryption is a higher quality mechanism, - consisting of doing an MD4 hash on a Unicode version of the user's - password. This also produces a 16 byte hash value that is - non-reversible. - - When a client (LanManager, Windows for WorkGroups, Windows - 95 or Windows NT) wishes to mount a Samba drive (or use a Samba - resource), it first requests a connection and negotiates the - protocol that the client and server will use. In the reply to this - request the Samba server generates and appends an 8 byte, random - value - this is stored in the Samba server after the reply is sent - and is known as the "challenge". The challenge is different for - every client connection. - - The client then uses the hashed password (16 byte values - described above), appended with 5 null bytes, as three 56 bit - DES keys, each of which is used to encrypt the challenge 8 byte - value, forming a 24 byte value known as the "response". - - In the SMB call SMBsessionsetupX (when user level security - is selected) or the call SMBtconX (when share level security is - selected), the 24 byte response is returned by the client to the - Samba server. For Windows NT protocol levels the above calculation - is done on both hashes of the user's password and both responses are - returned in the SMB call, giving two 24 byte values. + Newer windows clients send encrypted passwords over + the wire, instead of plain text passwords. The newest clients + will only send encrypted passwords and refuse to send plain text + passwords, unless their registry is tweaked. - The Samba server then reproduces the above calculation, using - its own stored value of the 16 byte hashed password (read from the - smbpasswd file - described later) and the challenge - value that it kept from the negotiate protocol reply. It then checks - to see if the 24 byte value it calculates matches the 24 byte value - returned to it from the client. - - If these values match exactly, then the client knew the - correct password (or the 16 byte hashed value - see security note - below) and is thus allowed access. If not, then the client did not - know the correct password and is denied access. + These passwords can't be converted to unix style encrypted + passwords. Because of that you can't use the standard unix + user database, and you have to store the Lanman and NT hashes + somewhere else. For more information, see the documentation + about the passdb backend = parameter. + - Note that the Samba server never knows or stores the cleartext - of the user's password - just the 16 byte hashed values derived from - it. Also note that the cleartext password or 16 byte hashed values - are never transmitted over the network - thus increasing security. @@ -183,111 +137,6 @@ - - <anchor id="SMBPASSWDFILEFORMAT">The smbpasswd file - - In order for Samba to participate in the above protocol - it must be able to look up the 16 byte hashed values given a user name. - Unfortunately, as the UNIX password value is also a one way hash - function (ie. it is impossible to retrieve the cleartext of the user's - password given the UNIX hash of it), a separate password file - containing this 16 byte value must be kept. To minimise problems with - these two password files, getting out of sync, the UNIX - /etc/passwd and the smbpasswd file, - a utility, mksmbpasswd.sh, is provided to generate - a smbpasswd file from a UNIX /etc/passwd file. - To generate the smbpasswd file from your /etc/passwd - file use the following command : - - $ cat /etc/passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd - - If you are running on a system that uses NIS, use - - $ ypcat passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd - - The mksmbpasswd.sh program is found in - the Samba source directory. By default, the smbpasswd file is - stored in : - - /usr/local/samba/private/smbpasswd - - The owner of the /usr/local/samba/private/ - directory should be set to root, and the permissions on it should - be set to 0500 (chmod 500 /usr/local/samba/private). - - - Likewise, the smbpasswd file inside the private directory should - be owned by root and the permissions on is should be set to 0600 - (chmod 600 smbpasswd). - - - The format of the smbpasswd file is (The line has been - wrapped here. It should appear as one entry per line in - your smbpasswd file.) - - -username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: - [Account type]:LCT-<last-change-time>:Long name - - - Although only the username, - uid, - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, - [Account type] and - last-change-time sections are significant - and are looked at in the Samba code. - - It is VITALLY important that there by 32 - 'X' characters between the two ':' characters in the XXX sections - - the smbpasswd and Samba code will fail to validate any entries that - do not have 32 characters between ':' characters. The first XXX - section is for the Lanman password hash, the second is for the - Windows NT version. - - When the password file is created all users have password entries - consisting of 32 'X' characters. By default this disallows any access - as this user. When a user has a password set, the 'X' characters change - to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii - representation of the 16 byte hashed value of a user's password. - - To set a user to have no password (not recommended), edit the file - using vi, and replace the first 11 characters with the ascii text - "NO PASSWORD" (minus the quotes). - - For example, to clear the password for user bob, his smbpasswd file - entry would look like : - - - bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell - - - If you are allowing users to use the smbpasswd command to set - their own passwords, you may want to give users NO PASSWORD initially - so they do not have to enter a previous password when changing to their - new password (not recommended). In order for you to allow this the - smbpasswd program must be able to connect to the - smbd daemon as that user with no password. Enable this - by adding the line : - - null passwords = yes - - to the [global] section of the smb.conf file (this is why - the above scenario is not recommended). Preferably, allocate your - users a default password to begin with, so you do not have - to enable this on your server. - - Note : This file should be protected very - carefully. Anyone with access to this file can (with enough knowledge of - the protocols) gain access to your SMB server. The file is thus more - sensitive than a normal unix /etc/passwd file. - - - The smbpasswd Command @@ -297,25 +146,14 @@ username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: install it in /usr/local/samba/bin/ (or your main Samba binary directory). - Note that as of Samba 1.9.18p4 this program MUST NOT - BE INSTALLED setuid root (the new smbpasswd - code enforces this restriction so it cannot be run this way by - accident). - smbpasswd now works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits - as follows. - - smbpasswd no longer has to be setuid root - - an enormous range of potential security problems is - eliminated. - - smbpasswd now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password). - + smbpasswd now has the capability + to change passwords on Windows NT servers (this only works when + the request is sent to the NT Primary Domain Controller if you + are changing an NT Domain user's password). To run smbpasswd as a normal user just type : @@ -348,31 +186,4 @@ username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: to the man page which will always be the definitive reference. - - - Setting up Samba to support LanManager Encryption - - This is a very brief description on how to setup samba to - support password encryption. - - - compile and install samba as usual - - - enable encrypted passwords in - smb.conf by adding the line encrypt - passwords = yes in the [global] section - - - create the initial smbpasswd - password file in the place you specified in the Makefile - (--prefix=<dir>). See the notes under the The smbpasswd File - section earlier in the document for details. - - - - Note that you can test things using smbclient. - - -- cgit From 61c600725d5b374877beb2871a8458d19848cbc3 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 4 Nov 2002 16:23:00 +0000 Subject: Move encryption algorithm explanation to dev-doc (This used to be commit ea026d74c1d8696e45c6bddc5b1b0029e7e41507) --- docs/docbook/devdoc/dev-doc.sgml | 2 + docs/docbook/devdoc/encryption.sgml | 196 ++++++++++++++++++++++++++++++++++++ 2 files changed, 198 insertions(+) create mode 100644 docs/docbook/devdoc/encryption.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/devdoc/dev-doc.sgml b/docs/docbook/devdoc/dev-doc.sgml index adc25e83bd..e256dbe3a2 100644 --- a/docs/docbook/devdoc/dev-doc.sgml +++ b/docs/docbook/devdoc/dev-doc.sgml @@ -11,6 +11,7 @@ + ]> @@ -64,5 +65,6 @@ url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt diff --git a/docs/docbook/devdoc/encryption.sgml b/docs/docbook/devdoc/encryption.sgml new file mode 100644 index 0000000000..7d95edd34a --- /dev/null +++ b/docs/docbook/devdoc/encryption.sgml @@ -0,0 +1,196 @@ + + + + + + JeremyAllison + + Samba Team +
+ samba@samba.org +
+ + + + 19 Apr 1999 + + +LanMan and NT Password Encryption + + + Introduction + + With the development of LanManager and Windows NT + compatible password encryption for Samba, it is now able + to validate user connections in exactly the same way as + a LanManager or Windows NT server. + + This document describes how the SMB password encryption + algorithm works and what issues there are in choosing whether + you want to use it. You should read it carefully, especially + the part about security and the "PROS and CONS" section. + + + + + How does it work? + + LanManager encryption is somewhat similar to UNIX + password encryption. The server uses a file containing a + hashed value of a user's password. This is created by taking + the user's plaintext password, capitalising it, and either + truncating to 14 bytes or padding to 14 bytes with null bytes. + This 14 byte value is used as two 56 bit DES keys to encrypt + a 'magic' eight byte value, forming a 16 byte value which is + stored by the server and client. Let this value be known as + the "hashed password". + + Windows NT encryption is a higher quality mechanism, + consisting of doing an MD4 hash on a Unicode version of the user's + password. This also produces a 16 byte hash value that is + non-reversible. + + When a client (LanManager, Windows for WorkGroups, Windows + 95 or Windows NT) wishes to mount a Samba drive (or use a Samba + resource), it first requests a connection and negotiates the + protocol that the client and server will use. In the reply to this + request the Samba server generates and appends an 8 byte, random + value - this is stored in the Samba server after the reply is sent + and is known as the "challenge". The challenge is different for + every client connection. + + The client then uses the hashed password (16 byte values + described above), appended with 5 null bytes, as three 56 bit + DES keys, each of which is used to encrypt the challenge 8 byte + value, forming a 24 byte value known as the "response". + + In the SMB call SMBsessionsetupX (when user level security + is selected) or the call SMBtconX (when share level security is + selected), the 24 byte response is returned by the client to the + Samba server. For Windows NT protocol levels the above calculation + is done on both hashes of the user's password and both responses are + returned in the SMB call, giving two 24 byte values. + + The Samba server then reproduces the above calculation, using + its own stored value of the 16 byte hashed password (read from the + smbpasswd file - described later) and the challenge + value that it kept from the negotiate protocol reply. It then checks + to see if the 24 byte value it calculates matches the 24 byte value + returned to it from the client. + + If these values match exactly, then the client knew the + correct password (or the 16 byte hashed value - see security note + below) and is thus allowed access. If not, then the client did not + know the correct password and is denied access. + + Note that the Samba server never knows or stores the cleartext + of the user's password - just the 16 byte hashed values derived from + it. Also note that the cleartext password or 16 byte hashed values + are never transmitted over the network - thus increasing security. + + + + <anchor id="SMBPASSWDFILEFORMAT">The smbpasswd file + + In order for Samba to participate in the above protocol + it must be able to look up the 16 byte hashed values given a user name. + Unfortunately, as the UNIX password value is also a one way hash + function (ie. it is impossible to retrieve the cleartext of the user's + password given the UNIX hash of it), a separate password file + containing this 16 byte value must be kept. To minimise problems with + these two password files, getting out of sync, the UNIX + /etc/passwd and the smbpasswd file, + a utility, mksmbpasswd.sh, is provided to generate + a smbpasswd file from a UNIX /etc/passwd file. + To generate the smbpasswd file from your /etc/passwd + file use the following command : + + $ cat /etc/passwd | mksmbpasswd.sh + > /usr/local/samba/private/smbpasswd + + If you are running on a system that uses NIS, use + + $ ypcat passwd | mksmbpasswd.sh + > /usr/local/samba/private/smbpasswd + + The mksmbpasswd.sh program is found in + the Samba source directory. By default, the smbpasswd file is + stored in : + + /usr/local/samba/private/smbpasswd + + The owner of the /usr/local/samba/private/ + directory should be set to root, and the permissions on it should + be set to 0500 (chmod 500 /usr/local/samba/private). + + + Likewise, the smbpasswd file inside the private directory should + be owned by root and the permissions on is should be set to 0600 + (chmod 600 smbpasswd). + + + The format of the smbpasswd file is (The line has been + wrapped here. It should appear as one entry per line in + your smbpasswd file.) + + +username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + [Account type]:LCT-<last-change-time>:Long name + + + Although only the username, + uid, + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, + [Account type] and + last-change-time sections are significant + and are looked at in the Samba code. + + It is VITALLY important that there by 32 + 'X' characters between the two ':' characters in the XXX sections - + the smbpasswd and Samba code will fail to validate any entries that + do not have 32 characters between ':' characters. The first XXX + section is for the Lanman password hash, the second is for the + Windows NT version. + + When the password file is created all users have password entries + consisting of 32 'X' characters. By default this disallows any access + as this user. When a user has a password set, the 'X' characters change + to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii + representation of the 16 byte hashed value of a user's password. + + To set a user to have no password (not recommended), edit the file + using vi, and replace the first 11 characters with the ascii text + "NO PASSWORD" (minus the quotes). + + For example, to clear the password for user bob, his smbpasswd file + entry would look like : + + + bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell + + + If you are allowing users to use the smbpasswd command to set + their own passwords, you may want to give users NO PASSWORD initially + so they do not have to enter a previous password when changing to their + new password (not recommended). In order for you to allow this the + smbpasswd program must be able to connect to the + smbd daemon as that user with no password. Enable this + by adding the line : + + null passwords = yes + + to the [global] section of the smb.conf file (this is why + the above scenario is not recommended). Preferably, allocate your + users a default password to begin with, so you do not have + to enable this on your server. + + Note : This file should be protected very + carefully. Anyone with access to this file can (with enough knowledge of + the protocols) gain access to your SMB server. The file is thus more + sensitive than a normal unix /etc/passwd file. + + + -- cgit From 4ca4febd67fb0f54d1f3d1081c674c322b1b87a7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 4 Nov 2002 18:25:25 +0000 Subject: Large number of updates - new structure of the HOWTO, better names, introductions, updating to 3.0 (This used to be commit dfc3d55493c40201244a9e44b89868f7128c6f85) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 2 +- docs/docbook/projdoc/Browsing.sgml | 4 +- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 2 +- docs/docbook/projdoc/Printing.sgml | 398 ------------------------ docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 2 +- docs/docbook/projdoc/UNIX_INSTALL.sgml | 39 ++- docs/docbook/projdoc/printer_driver2.sgml | 501 ++++++++++++++++++++++++------ docs/docbook/projdoc/samba-doc.sgml | 55 +++- 8 files changed, 472 insertions(+), 531 deletions(-) delete mode 100644 docs/docbook/projdoc/Printing.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 0d2fda5f78..83bb2dc85d 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -7,7 +7,7 @@ 2002 -Using samba 3.0 with ActiveDirectory support +Samba as a ADS domain member This is a VERY ROUGH guide to setting up the current (November 2001) diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml index a463ea786b..13d6fce917 100644 --- a/docs/docbook/projdoc/Browsing.sgml +++ b/docs/docbook/projdoc/Browsing.sgml @@ -461,7 +461,7 @@ all smb.conf files : - wins server = >name or IP address< +wins server = >name or IP address< @@ -512,7 +512,7 @@ set the following option in the [global] section of the smb.conf file : - domain master = yes +domain master = yes diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 6d0b36eafc..8bb64dbf50 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -25,7 +25,7 @@ -security = domain in Samba 2.x +Samba as a NT4 domain member diff --git a/docs/docbook/projdoc/Printing.sgml b/docs/docbook/projdoc/Printing.sgml deleted file mode 100644 index ce9f40e88b..0000000000 --- a/docs/docbook/projdoc/Printing.sgml +++ /dev/null @@ -1,398 +0,0 @@ - - - - PatrickPowell - -
papowell@lprng.org
- - - 11 August 2000 - - -Debugging Printing Problems - - -Introduction - - -This is a short description of how to debug printing problems with -Samba. This describes how to debug problems with printing from a SMB -client to a Samba server, not the other way around. For the reverse -see the examples/printing directory. - - - -Ok, so you want to print to a Samba server from your PC. The first -thing you need to understand is that Samba does not actually do any -printing itself, it just acts as a middleman between your PC client -and your Unix printing subsystem. Samba receives the file from the PC -then passes the file to a external "print command". What print command -you use is up to you. - - - -The whole things is controlled using options in smb.conf. The most -relevant options (which you should look up in the smb.conf man page) -are: - - - - [global] - print command - send a file to a spooler - lpq command - get spool queue status - lprm command - remove a job - [printers] - path = /var/spool/lpd/samba - - - -The following are nice to know about: - - - - queuepause command - stop a printer or print queue - queueresume command - start a printer or print queue - - - -Example: - - - - print command = /usr/bin/lpr -r -P%p %s - lpq command = /usr/bin/lpq -P%p %s - lprm command = /usr/bin/lprm -P%p %j - queuepause command = /usr/sbin/lpc -P%p stop - queuepause command = /usr/sbin/lpc -P%p start - - - -Samba should set reasonable defaults for these depending on your -system type, but it isn't clairvoyant. It is not uncommon that you -have to tweak these for local conditions. The commands should -always have fully specified pathnames, as the smdb may not have -the correct PATH values. - - - -When you send a job to Samba to be printed, it will make a temporary -copy of it in the directory specified in the [printers] section. -and it should be periodically cleaned out. The lpr -r option -requests that the temporary copy be removed after printing; If -printing fails then you might find leftover files in this directory, -and it should be periodically cleaned out. Samba used the lpq -command to determine the "job number" assigned to your print job -by the spooler. - - - -The %>letter< are "macros" that get dynamically replaced with appropriate -values when they are used. The %s gets replaced with the name of the spool -file that Samba creates and the %p gets replaced with the name of the -printer. The %j gets replaced with the "job number" which comes from -the lpq output. - - - - - -Debugging printer problems - - -One way to debug printing problems is to start by replacing these -command with shell scripts that record the arguments and the contents -of the print file. A simple example of this kind of things might -be: - - - - print command = /tmp/saveprint %p %s - - #!/bin/saveprint - # we make sure that we are the right user - /usr/bin/id -p >/tmp/tmp.print - # we run the command and save the error messages - # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print - - - -Then you print a file and try removing it. You may find that the -print queue needs to be stopped in order to see the queue status -and remove the job: - - - - -h4: {42} % echo hi >/tmp/hi -h4: {43} % smbclient //localhost/lw4 -added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0 -Password: -Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7] -smb: \> print /tmp/hi -putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s) -smb: \> queue -1049 3 hi-17534 -smb: \> cancel 1049 -Error cancelling job 1049 : code 0 -smb: \> cancel 1049 -Job 1049 cancelled -smb: \> queue -smb: \> exit - - - -The 'code 0' indicates that the job was removed. The comment -by the smbclient is a bit misleading on this. -You can observe the command output and then and look at the -/tmp/tmp.print file to see what the results are. You can quickly -find out if the problem is with your printing system. Often people -have problems with their /etc/printcap file or permissions on -various print queues. - - - - -What printers do I have? - - -You can use the 'testprns' program to check to see if the printer -name you are using is recognized by Samba. For example, you can -use: - - - - testprns printer /etc/printcap - - - -Samba can get its printcap information from a file or from a program. -You can try the following to see the format of the extracted -information: - - - - testprns -a printer /etc/printcap - - testprns -a printer '|/bin/cat printcap' - - - - - -Setting up printcap and print servers - - -You may need to set up some printcaps for your Samba system to use. -It is strongly recommended that you use the facilities provided by -the print spooler to set up queues and printcap information. - - - -Samba requires either a printcap or program to deliver printcap -information. This printcap information has the format: - - - - name|alias1|alias2...:option=value:... - - - -For almost all printing systems, the printer 'name' must be composed -only of alphanumeric or underscore '_' characters. Some systems also -allow hyphens ('-') as well. An alias is an alternative name for the -printer, and an alias with a space in it is used as a 'comment' -about the printer. The printcap format optionally uses a \ at the end of lines -to extend the printcap to multiple lines. - - - -Here are some examples of printcap files: - - - - - -pr just printer name - - -pr|alias printer name and alias - - -pr|My Printer printer name, alias used as comment - - -pr:sh:\ Same as pr:sh:cm= testing - :cm= \ - testing - - -pr:sh Same as pr:sh:cm= testing - :cm= testing - - - - - -Samba reads the printcap information when first started. If you make -changes in the printcap information, then you must do the following: - - - - - -make sure that the print spooler is aware of these changes. -The LPRng system uses the 'lpc reread' command to do this. - - - -make sure that the spool queues, etc., exist and have the -correct permissions. The LPRng system uses the 'checkpc -f' -command to do this. - - - -You now should send a SIGHUP signal to the smbd server to have -it reread the printcap information. - - - - - - -Job sent, no output - - -This is the most frustrating part of printing. You may have sent the -job, verified that the job was forwarded, set up a wrapper around -the command to send the file, but there was no output from the printer. - - - -First, check to make sure that the job REALLY is getting to the -right print queue. If you are using a BSD or LPRng print spooler, -you can temporarily stop the printing of jobs. Jobs can still be -submitted, but they will not be printed. Use: - - - - lpc -Pprinter stop - - - -Now submit a print job and then use 'lpq -Pprinter' to see if the -job is in the print queue. If it is not in the print queue then -you will have to find out why it is not being accepted for printing. - - - -Next, you may want to check to see what the format of the job really -was. With the assistance of the system administrator you can view -the submitted jobs files. You may be surprised to find that these -are not in what you would expect to call a printable format. -You can use the UNIX 'file' utitily to determine what the job -format actually is: - - - - cd /var/spool/lpd/printer # spool directory of print jobs - ls # find job files - file dfA001myhost - - - -You should make sure that your printer supports this format OR that -your system administrator has installed a 'print filter' that will -convert the file to a format appropriate for your printer. - - - - - -Job sent, strange output - - -Once you have the job printing, you can then start worrying about -making it print nicely. - - - -The most common problem is extra pages of output: banner pages -OR blank pages at the end. - - - -If you are getting banner pages, check and make sure that the -printcap option or printer option is configured for no banners. -If you have a printcap, this is the :sh (suppress header or banner -page) option. You should have the following in your printer. - - - - printer: ... :sh - - - -If you have this option and are still getting banner pages, there -is a strong chance that your printer is generating them for you -automatically. You should make sure that banner printing is disabled -for the printer. This usually requires using the printer setup software -or procedures supplied by the printer manufacturer. - - - -If you get an extra page of output, this could be due to problems -with your job format, or if you are generating PostScript jobs, -incorrect setting on your printer driver on the MicroSoft client. -For example, under Win95 there is a option: - - - - Printers|Printer Name|(Right Click)Properties|Postscript|Advanced| - - - -that allows you to choose if a Ctrl-D is appended to all jobs. -This is a very bad thing to do, as most spooling systems will -automatically add a ^D to the end of the job if it is detected as -PostScript. The multiple ^D may cause an additional page of output. - - - - - -Raw PostScript printed - - -This is a problem that is usually caused by either the print spooling -system putting information at the start of the print job that makes -the printer think the job is a text file, or your printer simply -does not support PostScript. You may need to enable 'Automatic -Format Detection' on your printer. - - - - - -Advanced Printing - - -Note that you can do some pretty magic things by using your -imagination with the "print command" option and some shell scripts. -Doing print accounting is easy by passing the %U option to a print -command shell script. You could even make the print command detect -the type of output and its size and send it to an appropriate -printer. - - - - - -Real debugging - - -If the above debug tips don't help, then maybe you need to bring in -the bug guns, system tracing. See Tracing.txt in this directory. - - - diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 25a9783277..7cf3e5735c 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -19,7 +19,7 @@ -How to Configure Samba 2.2 as a Primary Domain Controller +How to Configure Samba as a NT4 Primary Domain Controller diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index c307636d5f..1ff735a656 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -3,15 +3,17 @@ How to Install and Test SAMBA - Step 0: Read the man pages + Read the man pages The man pages distributed with SAMBA contain lots of useful info that will help to get you started. If you don't know how to read man pages then try something like: - $ nroff -man smbd.8 | more - + $ man smbd.8 + or + $ nroff -man smbd.8 | more + on older unixes. Other sources of information are pointed to by the Samba web site, @@ -19,7 +21,7 @@ - Step 1: Building the Binaries + Building the Binaries To do this, first run the program ./configure in the source directory. This should automatically @@ -62,7 +64,7 @@ - Step 2: The all important step + The all important step At this stage you must fetch yourself a coffee or other drink you find stimulating. Getting the rest @@ -74,7 +76,7 @@ - Step 3: Create the smb configuration file. + Create the smb configuration file. There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them @@ -91,7 +93,7 @@ [homes] guest ok = no read only = no - + which would allow connections by anyone with an account on the server, using either their login name or @@ -111,7 +113,7 @@ - Step 4: Test your config file with + <title>Test your config file with <command>testparm</command> It's important that you test the validity of your @@ -122,10 +124,13 @@ Make sure it runs OK and that the services look reasonable before proceeding. + Always run testparm again when you change + smb.conf! + - Step 5: Starting the smbd and nmbd + Starting the smbd and nmbd You must choose to start smbd and nmbd either as daemons or from inetd. Don't try @@ -144,7 +149,7 @@ request. - Step 5a: Starting from inetd.conf + Starting from inetd.conf NOTE; The following will be different if you use NIS or NIS+ to distributed services maps. @@ -196,7 +201,7 @@ - Step 5b. Alternative: starting it as a daemon + Alternative: starting it as a daemon To start the server as a daemon you should create a script something like this one, perhaps calling @@ -225,7 +230,7 @@ - Step 6: Try listing the shares available on your + <title>Try listing the shares available on your server $ smbclient -L @@ -245,7 +250,7 @@ - Step 7: Try connecting with the unix client + Try connecting with the unix client $ smbclient //yourhostname/aservice @@ -265,7 +270,7 @@ - Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, + <title>Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client Try mounting disks. eg: @@ -305,8 +310,8 @@ Diagnosing Problems - If you have installation problems then go to - DIAGNOSIS.txt to try to find the + If you have installation problems then go to the + Diagnosis chapter to try to find the problem. @@ -424,6 +429,8 @@ its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility modes called DENY_FCB and DENY_DOS. + + diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml index 85ae0713b3..7bca8dc6f5 100644 --- a/docs/docbook/projdoc/printer_driver2.sgml +++ b/docs/docbook/projdoc/printer_driver2.sgml @@ -11,12 +11,16 @@ - - + + PatrickPowell + +
papowell@lprng.org
+ + (3 May 2001) -Printing Support in Samba 2.2.x +Printing Support Introduction @@ -59,12 +63,7 @@ SPOOLSS support includes: There has been some initial confusion about what all this means and whether or not it is a requirement for printer drivers to be installed on a Samba host in order to support printing from Windows -clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients -require that the Samba server possess a valid driver for the printer. -This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients -can use the local APW for installing drivers to be used with a Samba -served printer. This is the same behavior exhibited by Windows 9x clients. -As a side note, Samba does not use these drivers in any way to process +clients. As a side note, Samba does not use these drivers in any way to process spooled files. They are utilized entirely by the clients. @@ -104,16 +103,9 @@ parameter named printer driver provided a means of defining the printer driver name to be sent to the client. - - -These parameters, including printer driver -file parameter, are being deprecated and should not -be used in new installations. For more information on this change, -you should refer to the Migration section -of this document. - - + + Creating [print$] @@ -243,10 +235,8 @@ that matches the printer shares defined on your Samba host. The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned -to them. By default, in Samba 2.2.0 this driver name was set to -NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER. -Later versions changed this to a NULL string to allow the use -tof the local Add Printer Wizard on NT/2000 clients. +to them. This defaults to a NULL string to allow the use +of the local Add Printer Wizard on NT/2000 clients. Attempting to view the printer properties for a printer which has this default driver assigned will result in the error message: @@ -603,84 +593,6 @@ foreach (supported architecture for a given driver) - - -<anchor id="MIGRATION">Migration to from Samba 2.0.x to 2.2.x - - -Given that printer driver management has changed (we hope improved) in -2.2 over prior releases, migration from an existing setup to 2.2 can -follow several paths. Here are the possible scenarios for -migration: - - - - If you do not desire the new Windows NT - print driver support, nothing needs to be done. - All existing parameters work the same. - - If you want to take advantage of NT printer - driver support but do not want to migrate the - 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts - to locate a - 9x driver for the printer in the TDB and fails it - will drop down to using the printers.def (and all - associated parameters). The make_printerdef - tool will also remain for backwards compatibility but will - be removed in the next major release. - - If you install a Windows 9x driver for a printer - on your Samba host (in the printing TDB), this information will - take precedence and the three old printing parameters - will be ignored (including print driver location). - - If you want to migrate an existing printers.def - file into the new setup, the current only solution is to use the Windows - NT APW to install the NT drivers and the 9x drivers. This can be scripted - using smbclient and rpcclient. See the - Imprints installation client at http://imprints.sourceforge.net/ - for an example. - - - - - -Achtung! - - -The following smb.conf parameters are considered to -be deprecated and will be removed soon. Do not use them in new -installations - - - - printer driver file (G) - - - printer driver (S) - - - printer driver location (S) - - - - - - -The have been two new parameters add in Samba 2.2.2 to for -better support of Samba 2.0.x backwards capability (disable -spoolss) and for using local printers drivers on Windows -NT/2000 clients (use client driver). Both of -these options are described in the smb.coinf(5) man page and are -disabled by default. - - - - - - + +Diagnosis + + +Introduction + + +This is a short description of how to debug printing problems with +Samba. This describes how to debug problems with printing from a SMB +client to a Samba server, not the other way around. For the reverse +see the examples/printing directory. + + + +Ok, so you want to print to a Samba server from your PC. The first +thing you need to understand is that Samba does not actually do any +printing itself, it just acts as a middleman between your PC client +and your Unix printing subsystem. Samba receives the file from the PC +then passes the file to a external "print command". What print command +you use is up to you. + + + +The whole things is controlled using options in smb.conf. The most +relevant options (which you should look up in the smb.conf man page) +are: + + + + [global] + print command - send a file to a spooler + lpq command - get spool queue status + lprm command - remove a job + [printers] + path = /var/spool/lpd/samba + + + +The following are nice to know about: + + + + queuepause command - stop a printer or print queue + queueresume command - start a printer or print queue + + + +Example: + + + + print command = /usr/bin/lpr -r -P%p %s + lpq command = /usr/bin/lpq -P%p %s + lprm command = /usr/bin/lprm -P%p %j + queuepause command = /usr/sbin/lpc -P%p stop + queuepause command = /usr/sbin/lpc -P%p start + + + +Samba should set reasonable defaults for these depending on your +system type, but it isn't clairvoyant. It is not uncommon that you +have to tweak these for local conditions. The commands should +always have fully specified pathnames, as the smdb may not have +the correct PATH values. + + + +When you send a job to Samba to be printed, it will make a temporary +copy of it in the directory specified in the [printers] section. +and it should be periodically cleaned out. The lpr -r option +requests that the temporary copy be removed after printing; If +printing fails then you might find leftover files in this directory, +and it should be periodically cleaned out. Samba used the lpq +command to determine the "job number" assigned to your print job +by the spooler. + + + +The %>letter< are "macros" that get dynamically replaced with appropriate +values when they are used. The %s gets replaced with the name of the spool +file that Samba creates and the %p gets replaced with the name of the +printer. The %j gets replaced with the "job number" which comes from +the lpq output. + + + + + +Debugging printer problems + + +One way to debug printing problems is to start by replacing these +command with shell scripts that record the arguments and the contents +of the print file. A simple example of this kind of things might +be: + + + + print command = /tmp/saveprint %p %s + + #!/bin/saveprint + # we make sure that we are the right user + /usr/bin/id -p >/tmp/tmp.print + # we run the command and save the error messages + # replace the command with the one appropriate for your system + /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print + + + +Then you print a file and try removing it. You may find that the +print queue needs to be stopped in order to see the queue status +and remove the job: + + + + +h4: {42} % echo hi >/tmp/hi +h4: {43} % smbclient //localhost/lw4 +added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0 +Password: +Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7] +smb: \> print /tmp/hi +putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s) +smb: \> queue +1049 3 hi-17534 +smb: \> cancel 1049 +Error cancelling job 1049 : code 0 +smb: \> cancel 1049 +Job 1049 cancelled +smb: \> queue +smb: \> exit + + + +The 'code 0' indicates that the job was removed. The comment +by the smbclient is a bit misleading on this. +You can observe the command output and then and look at the +/tmp/tmp.print file to see what the results are. You can quickly +find out if the problem is with your printing system. Often people +have problems with their /etc/printcap file or permissions on +various print queues. + + + + +What printers do I have? + + +You can use the 'testprns' program to check to see if the printer +name you are using is recognized by Samba. For example, you can +use: + + + + testprns printer /etc/printcap + + + +Samba can get its printcap information from a file or from a program. +You can try the following to see the format of the extracted +information: + + + + testprns -a printer /etc/printcap + + testprns -a printer '|/bin/cat printcap' + + + + + +Setting up printcap and print servers + + +You may need to set up some printcaps for your Samba system to use. +It is strongly recommended that you use the facilities provided by +the print spooler to set up queues and printcap information. + + + +Samba requires either a printcap or program to deliver printcap +information. This printcap information has the format: + + + + name|alias1|alias2...:option=value:... + + + +For almost all printing systems, the printer 'name' must be composed +only of alphanumeric or underscore '_' characters. Some systems also +allow hyphens ('-') as well. An alias is an alternative name for the +printer, and an alias with a space in it is used as a 'comment' +about the printer. The printcap format optionally uses a \ at the end of lines +to extend the printcap to multiple lines. + + + +Here are some examples of printcap files: + + + + + +pr just printer name + + +pr|alias printer name and alias + + +pr|My Printer printer name, alias used as comment + + +pr:sh:\ Same as pr:sh:cm= testing + :cm= \ + testing + + +pr:sh Same as pr:sh:cm= testing + :cm= testing + + + + + +Samba reads the printcap information when first started. If you make +changes in the printcap information, then you must do the following: + + + + + +make sure that the print spooler is aware of these changes. +The LPRng system uses the 'lpc reread' command to do this. + + + +make sure that the spool queues, etc., exist and have the +correct permissions. The LPRng system uses the 'checkpc -f' +command to do this. + + + +You now should send a SIGHUP signal to the smbd server to have +it reread the printcap information. + + + + + + +Job sent, no output + + +This is the most frustrating part of printing. You may have sent the +job, verified that the job was forwarded, set up a wrapper around +the command to send the file, but there was no output from the printer. + + + +First, check to make sure that the job REALLY is getting to the +right print queue. If you are using a BSD or LPRng print spooler, +you can temporarily stop the printing of jobs. Jobs can still be +submitted, but they will not be printed. Use: + + + + lpc -Pprinter stop + + + +Now submit a print job and then use 'lpq -Pprinter' to see if the +job is in the print queue. If it is not in the print queue then +you will have to find out why it is not being accepted for printing. + + + +Next, you may want to check to see what the format of the job really +was. With the assistance of the system administrator you can view +the submitted jobs files. You may be surprised to find that these +are not in what you would expect to call a printable format. +You can use the UNIX 'file' utitily to determine what the job +format actually is: + + + + cd /var/spool/lpd/printer # spool directory of print jobs + ls # find job files + file dfA001myhost + + + +You should make sure that your printer supports this format OR that +your system administrator has installed a 'print filter' that will +convert the file to a format appropriate for your printer. + + + + + +Job sent, strange output + + +Once you have the job printing, you can then start worrying about +making it print nicely. + + + +The most common problem is extra pages of output: banner pages +OR blank pages at the end. + + + +If you are getting banner pages, check and make sure that the +printcap option or printer option is configured for no banners. +If you have a printcap, this is the :sh (suppress header or banner +page) option. You should have the following in your printer. + + + + printer: ... :sh + + + +If you have this option and are still getting banner pages, there +is a strong chance that your printer is generating them for you +automatically. You should make sure that banner printing is disabled +for the printer. This usually requires using the printer setup software +or procedures supplied by the printer manufacturer. + + + +If you get an extra page of output, this could be due to problems +with your job format, or if you are generating PostScript jobs, +incorrect setting on your printer driver on the MicroSoft client. +For example, under Win95 there is a option: + + + + Printers|Printer Name|(Right Click)Properties|Postscript|Advanced| + + + +that allows you to choose if a Ctrl-D is appended to all jobs. +This is a very bad thing to do, as most spooling systems will +automatically add a ^D to the end of the job if it is detected as +PostScript. The multiple ^D may cause an additional page of output. + + + + + +Raw PostScript printed + + +This is a problem that is usually caused by either the print spooling +system putting information at the start of the print job that makes +the printer think the job is a text file, or your printer simply +does not support PostScript. You may need to enable 'Automatic +Format Detection' on your printer. + + + + + +Advanced Printing + + +Note that you can do some pretty magic things by using your +imagination with the "print command" option and some shell scripts. +Doing print accounting is easy by passing the %U option to a print +command shell script. You could even make the print command detect +the type of output and its size and send it to an appropriate +printer. + + + + + +Real debugging + + +If the above debug tips don't help, then maybe you need to bring in +the bug guns, system tracing. See Tracing.txt in this directory. + + + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index f20849edbf..1a35cbd35d 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -13,7 +13,6 @@ - @@ -23,6 +22,7 @@ + ]> @@ -66,30 +66,61 @@ Cheers, jerry + +General installation + +Introduction +This part contains general info on how to install samba +and how to configure the parts of samba you will most likely need. +PLEASE read this. + &UNIX-INSTALL; +&BROWSING; +&oplocks; +&BROWSING-Quick; +&ENCRYPTION; + + + +Type of installation + +Introduction +This part contains information on using samba in a (NT 4 or ADS) domain. +If you wish to run samba as a domain member or DC, read the appropriate chapter in +this part. + +&Samba-PDC-HOWTO; +&Samba-BDC-HOWTO; +&ADS-HOWTO; +&DOMAIN-MEMBER; + + + +Optional configuration + +Introduction +Samba has several features that you might want or might not want to use. The chapters in this +part each cover one specific feature. + &IntegratingWithWindows; +&NT-Security; &Samba-PAM; &MS-Dfs-Setup; -&NT-Security; &PRINTER-DRIVER2; -&PRINTING; &SECURITY-LEVEL; -&DOMAIN-MEMBER; &WINBIND; -&Samba-PDC-HOWTO; -&Samba-BDC-HOWTO; &Samba-LDAP; -&ADS-HOWTO; -&BROWSING; -&BROWSING-Quick; -&SPEED; &CVS-Access; -&BUGS; &GROUP-MAPPING-HOWTO; +&SPEED; + - + +Appendixes &Portability; &Other-Clients; +&BUGS; &Diagnosis; + -- cgit From 70fbc958db085b4fc87931e05e8736c53f48942c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 5 Nov 2002 16:26:19 +0000 Subject: The default for 'announce version' is 4.9, not 4.5 or 4.2 (This used to be commit 570c3b2fab6368726213bb786e33902f261eb606) --- docs/docbook/manpages/smb.conf.5.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 621b764a11..07b04efd96 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -1269,10 +1269,10 @@ announce version (G) This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default - is 4.2. Do not change this parameter unless you have a specific + is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server. - Default: announce version = 4.5 + Default: announce version = 4.9 Example: announce version = 2.0 -- cgit From f82d197b45e3a20fabf1dfdf168b3d0eddcf5ecc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 5 Nov 2002 16:59:45 +0000 Subject: Fix various small syntax errors add docs for pdb_mysql don't build obsolete docs in Makefile (This used to be commit 1c06377f84b170fe2a6476df13f1b2a0d39d0a92) --- docs/docbook/Makefile.in | 10 ++- docs/docbook/devdoc/unix-smb.sgml | 2 - docs/docbook/manpages/nmbd.8.sgml | 1 - docs/docbook/projdoc/pdb_mysql.sgml | 138 ++++++++++++++++++++++++++++++++++++ docs/docbook/projdoc/samba-doc.sgml | 2 + 5 files changed, 144 insertions(+), 9 deletions(-) create mode 100644 docs/docbook/projdoc/pdb_mysql.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index 1ac71e452b..ae24606caf 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -13,16 +13,14 @@ MANPAGES_NAMES=findsmb.1 smbclient.1 \ smbspool.8 lmhosts.5 \ - smbcontrol.1 smbstatus.1 \ - make_smbcodepage.1 smbd.8 \ - smbtar.1 nmbd.8 smbmnt.8 \ - smbumount.8 nmblookup.1 \ - smbmount.8 swat.8 rpcclient.1 \ + smbcontrol.1 smbstatus.1 \ + smbd.8 net.8 smbtar.1 nmbd.8 \ + smbmnt.8 smbumount.8 nmblookup.1 \ + smbmount.8 swat.8 rpcclient.1 \ smbpasswd.5 testparm.1 samba.7 \ smbpasswd.8 testprns.1 \ smb.conf.5 wbinfo.1 pdbedit.8 \ smbcacls.1 smbsh.1 winbindd.8 \ - make_unicodemap.1 net.8 \ smbgroupedit.8 vfstest.1 ## This part contains only rules. You shouldn't need to change it diff --git a/docs/docbook/devdoc/unix-smb.sgml b/docs/docbook/devdoc/unix-smb.sgml index 73da12758d..aae96edfb7 100644 --- a/docs/docbook/devdoc/unix-smb.sgml +++ b/docs/docbook/devdoc/unix-smb.sgml @@ -144,10 +144,8 @@ details. Locking - Since samba 2.2, samba supports other types of locking as well. This section is outdated. - diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml index 8564ac7924..b8986110a6 100644 --- a/docs/docbook/manpages/nmbd.8.sgml +++ b/docs/docbook/manpages/nmbd.8.sgml @@ -1,4 +1,3 @@ -2Q diff --git a/docs/docbook/projdoc/pdb_mysql.sgml b/docs/docbook/projdoc/pdb_mysql.sgml new file mode 100644 index 0000000000..220f17caa1 --- /dev/null +++ b/docs/docbook/projdoc/pdb_mysql.sgml @@ -0,0 +1,138 @@ + + + + JelmerVernooij + + The Samba Team +
jelmer@samba.org
+ + + November 2002 + + +Passdb MySQL plugin + + +Building + +To build the plugin, run make bin/pdb_mysql.so +in the source/ directory of samba distribution. + + +Next, copy pdb_mysql.so to any location you want. I +strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/ + + + + +Configuring + +This plugin lacks some good documentation, but here is some short info: + +Add a the following to the passdb backend variable in your smb.conf: + +passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins] + + + +The identifier can be any string you like, as long as it doesn't collide with +the identifiers of other plugins or other instances of pdb_mysql. If you +specify multiple pdb_mysql.so entries in 'passdb backend', you also need to +use different identifiers! + + + +Additional options can be given thru the smb.conf file in the [global] section. + + + +identifier:mysql host - host name, defaults to 'localhost' +identifier:mysql password +identifier:mysql user - defaults to 'samba' +identifier:mysql database - defaults to 'samba' +identifier:mysql port - defaults to 3306 +identifier:table - Name of the table containing users + + +Names of the columns in this table(I've added column types those columns should have first): + + +identifier:logon time column - int(9) +identifier:logoff time column - int(9) +identifier:kickoff time column - int(9) +identifier:pass last set time column - int(9) +identifier:pass can change time column - int(9) +identifier:pass must change time column - int(9) +identifier:username column - varchar(255) - unix username +identifier:domain column - varchar(255) - NT domain user is part of +identifier:nt username column - varchar(255) - NT username +identifier:fullname column - varchar(255) - Full name of user +identifier:home dir column - varchar(255) - Unix homedir path +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:profile path column - varchar(255) - Path of profile +identifier:acct desc column - varchar(255) - Some ASCII NT user data +identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:unknown string column - varchar(255) - unknown string +identifier:munged dial column - varchar(255) - ? +identifier:uid column - int(9) - Unix user ID (uid) +identifier:gid column - int(9) - Unix user group (gid) +identifier:user sid column - varchar(255) - NT user SID +identifier:group sid column - varchar(255) - NT group ID +identifier:lanman pass column - varchar(255) - encrypted lanman password +identifier:nt pass column - varchar(255) - encrypted nt passwd +identifier:plaintext pass column - varchar(255) - plaintext password +identifier:acct control column - int(9) - nt user data +identifier:unknown 3 column - int(9) - unknown +identifier:logon divs column - int(9) - ? +identifier:hours len column - int(9) - ? +identifier:unknown 5 column - int(9) - unknown +identifier:unknown 6 column - int(9) - unknown + + + +Eventually, you can put a colon (:) after the name of each column, which +should specify the column to update when updating the table. You can also +specify nothing behind the colon - then the data from the field will not be +updated. + + + + + +Using plaintext passwords or encrypted password + + +I strongly discourage the use of plaintext passwords, however, you can use them: + + + +If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plaintext pass column' to the name of the column containing the plaintext passwords. + + + +If you use encrypted passwords, set the 'identifier:plaintext pass column' to 'NULL' (without the quotes). This is the default. + + + + + +Getting non-column data from the table + + +It is possible to have not all data in the database and making some 'constant'. + + + +For example, you can set 'identifier:fullname column' to : +CONCAT(First_name,' ',Sur_name) + + + +Or, set 'identifier:workstations column' to : +NULL + +See the MySQL documentation for more language constructs. + + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 1a35cbd35d..db6c5a7b62 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -23,6 +23,7 @@ + ]> @@ -109,6 +110,7 @@ part each cover one specific feature. &PRINTER-DRIVER2; &SECURITY-LEVEL; &WINBIND; +&pdb-mysql; &Samba-LDAP; &CVS-Access; &GROUP-MAPPING-HOWTO; -- cgit From be80211e357ae16ddee1ae228ca9df79d4207799 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 5 Nov 2002 17:11:23 +0000 Subject: Add pdb_xml docs (This used to be commit f92f10ef253615d453aca6cb093f65a3a0a62283) --- docs/docbook/projdoc/pdb_xml.sgml | 42 +++++++++++++++++++++++++++++++++++++ docs/docbook/projdoc/samba-doc.sgml | 2 ++ 2 files changed, 44 insertions(+) create mode 100644 docs/docbook/projdoc/pdb_xml.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/pdb_xml.sgml b/docs/docbook/projdoc/pdb_xml.sgml new file mode 100644 index 0000000000..9e1c509e76 --- /dev/null +++ b/docs/docbook/projdoc/pdb_xml.sgml @@ -0,0 +1,42 @@ + + + + JelmerVernooij + + The Samba Team +
jelmer@samba.org
+ + + November 2002 + + +Passdb XML plugin + + +Building + +This module requires libxml2 to be installed. + +To build pdb_xml, run: make bin/pdb_xml.so in +the directory source/. + + + + +Usage + +The usage of pdb_xml is pretty straightforward. To export data, use: + +pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename + +(where filename is the name of the file to put the data in) + + + +To import data, use: +pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb + +Where filename is the name to read the data from and to put it in. + + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index db6c5a7b62..f00dfd9db6 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -24,6 +24,7 @@ + ]> @@ -111,6 +112,7 @@ part each cover one specific feature. &SECURITY-LEVEL; &WINBIND; &pdb-mysql; +&pdb-xml; &Samba-LDAP; &CVS-Access; &GROUP-MAPPING-HOWTO; -- cgit From 46cc36920314ca14f0135f505151baa022eaad4f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 5 Nov 2002 18:48:59 +0000 Subject: Add note about obsolete section (This used to be commit 2d38795d3a9258babccfe52420ed83ec5a1d3f51) --- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 8bb64dbf50..8a30a5527d 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -139,10 +139,11 @@ Samba and Windows 2000 Domains + Many people have asked regarding the state of Samba's ability to participate in -a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows +a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows 2000 domain operating in mixed or native mode. @@ -164,7 +165,6 @@ Computers" MMC (Microsoft Management Console) plugin. - Why is this better than security = server? -- cgit From 87124fc4039877714b0f7a31a1d03a14bf7708e1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 5 Nov 2002 21:35:22 +0000 Subject: Fix small syntax errors (This used to be commit 7f9b0dbf5bddf6b49fdb8788ab6745ed46cb9cca) --- docs/docbook/manpages/pdbedit.8.sgml | 4 +++- docs/docbook/manpages/smb.conf.5.sgml | 12 +++++++----- docs/docbook/manpages/wbinfo.1.sgml | 2 +- docs/docbook/projdoc/msdfs_setup.sgml | 3 +-- docs/docbook/projdoc/pdb_xml.sgml | 2 +- 5 files changed, 13 insertions(+), 10 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/pdbedit.8.sgml b/docs/docbook/manpages/pdbedit.8.sgml index a3fd7be7b4..ed49b9f540 100644 --- a/docs/docbook/manpages/pdbedit.8.sgml +++ b/docs/docbook/manpages/pdbedit.8.sgml @@ -1,4 +1,6 @@ - + %globalentities; +]> diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 07b04efd96..0cdf2bbcd6 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -2862,7 +2862,7 @@ system print command such as lpr(1) or lp(1). - This paramater does not accept % macros, because + This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation. @@ -3475,7 +3475,7 @@ ldap server. Only available when the backwards-compatiblity --with-ldapsam option is specified - to configure. See passdb backend + to configure. See passdb backend Default : ldap ssl = start_tls @@ -5387,8 +5387,8 @@ LDAP connections should be secured where possible. This may be done using either Start-TLS (see - ldap ssl) or by - specifying ldaps:// in + ldap ssl) or by + specifying ldaps:// in the URL argument. @@ -7499,7 +7499,8 @@ unicode (G) Specifies whether Samba should try - to use unicode on the wire by default. + to use unicode on the wire by default. Note: This does NOT + mean that samba will assume that the unix machine uses unicode! Default: unicode = yes @@ -7515,6 +7516,7 @@ Default: unix charset = ASCII + Example: unix charset = UTF8 diff --git a/docs/docbook/manpages/wbinfo.1.sgml b/docs/docbook/manpages/wbinfo.1.sgml index 59cab3fc97..a6ca244243 100644 --- a/docs/docbook/manpages/wbinfo.1.sgml +++ b/docs/docbook/manpages/wbinfo.1.sgml @@ -17,7 +17,7 @@ wbinfo -u -g -! -i ip + -i ip -N netbios-name -n name -s sid diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml index 35c9d40840..6e1609460f 100644 --- a/docs/docbook/projdoc/msdfs_setup.sgml +++ b/docs/docbook/projdoc/msdfs_setup.sgml @@ -11,8 +11,7 @@ - - 12 Jul 200 + 12 Jul 2000 diff --git a/docs/docbook/projdoc/pdb_xml.sgml b/docs/docbook/projdoc/pdb_xml.sgml index 9e1c509e76..87afb7b401 100644 --- a/docs/docbook/projdoc/pdb_xml.sgml +++ b/docs/docbook/projdoc/pdb_xml.sgml @@ -36,7 +36,7 @@ the directory source/. To import data, use: pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb -Where filename is the name to read the data from and to put it in. +Where filename is the name to read the data from and current-pdb to put it in. -- cgit