From d9613a1a3c37dca9f695b1361a0fd5d2b3f503cd Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 4 Apr 2003 05:12:33 +0000 Subject: Updated CUPS info from Kurt Pfiefle's Samba-2.2 docs. (This used to be commit ec8f717f7760f2e40da6b32b12c6b40872b81190) --- docs/docbook/projdoc/CUPS-printing.sgml | 553 ++++++++++++++++++++++++++++---- 1 file changed, 492 insertions(+), 61 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/CUPS-printing.sgml b/docs/docbook/projdoc/CUPS-printing.sgml index a932127d94..65f18dc385 100644 --- a/docs/docbook/projdoc/CUPS-printing.sgml +++ b/docs/docbook/projdoc/CUPS-printing.sgml 
@@ -49,10 +49,65 @@ In any case, let us now move on to explore how one may configure CUPS for interf with MS Windows print clients via Samba. + +CUPS is a newcomer in the UNIX printing scene, +which has convinced many people upon first trial already. However, it has quite a few +new features, which make it different from other, more traditional printing systems. + + -CUPS - RAW Print Through Mode +Configuring <filename>smb.conf</filename> for CUPS + + +Printing with CUPS in the most basic smb.conf +setup in Samba-3 only needs two settings: printing = cups and +printcap = cups. While CUPS itself doesn't need a printcap +anymore, the cupsd.conf configuration file knows two directives +(example: Printcap /etc/printcap and PrintcapFormat +BSD), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! For details see +man cupsd.conf and other CUPS-related documentation. + + + +If SAMBA is compiled against libcups, then printcap = cups uses the +CUPS API to list printers, submit jobs, etc. Otherwise it maps to the System V commands +with an additional -oraw option for printing. On a Linux system, +you can use the ldd command to find out details (ldd may not be +present on other OS platforms, or its function may be embodied by a different command): + + + +transmeta:/home/kurt # ldd `which smbd` + libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) + libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) + libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) + libdl.so.2 => /lib/libdl.so.2 (0x401e8000) + libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000) + libpam.so.0 => /lib/libpam.so.0 (0x40202000) + libc.so.6 => /lib/libc.so.6 (0x4020b000) + /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) + + + +The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. 
If this is the case, and printing = cups is set, then any +otherwise manually set print command in smb.conf is ignored. + + + + +CUPS - RAW Print Through Mode + + + +When used in raw print through mode is will be necessary to use the printer +vendor's drivers in each Windows client PC. + + When CUPS printers are configured for RAW print-through mode operation it is the 
@@ -245,6 +300,380 @@ for the mailing, etc.). + +CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients + + + +CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select. + + + +CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see man lpoptions or +try if you have lphelp on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD options are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer. + + + +CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs. + + + +This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. It can +process all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword *cupsFilter. 
+This line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format. + + + +CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one). + + + +This feature enables CUPS to do a few tricks no other +spooler can do: + + + + act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way; + act as a central accounting and billing server, as all files are passed + through the pstops Filter and are therefor logged in + the CUPS page_log. - NOTE: this + can not happen with "raw" print jobs, which always remain unfiltered + per definition; + enable clients to consolidate on a single PostScript driver, even for + many different target printers. + + + + +Windows Terminal Servers (WTS) as CUPS clients + + +This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much increased +instability. In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver! + + + +Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. 
The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising... + + + + + +Setting up CUPS for driver download + + +The cupsadsmb utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. Prior to using it, you need the following settings in smb.conf: + + + [global] + load printers = yes + printing = cups + printcap name = cups + + [printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root + + [print$] + comment = Printer Drivers + path = /etc/samba/drivers + browseable = yes + guest ok = no + read only = yes + write list = root + + + +For licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. Once extracted, create a +drivers directory in the CUPS data directory (usually +/usr/share/cups/). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows: + + + + ADFONTS.MFM + ADOBEPS4.DRV + ADOBEPS4.HLP + ADOBEPS5.DLL + ADOBEPSU.DLL + ADOBEPSU.HLP + DEFPRTR2.PPD + ICONLIB.DLL + + + +Users of the ESP Print Pro software are able to install +their "Samba Drivers" package for this purpose with no problem. + + + + + + +Sources of CUPS drivers / PPDs + + +On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models. 
+ + + + ESP PrintPro + (http://wwwl.easysw.com/printpro/) + (commercial, non-Free) is packaged with more than 3.000 PPDs, ready for + successful usage "out of the box" on Linux, IBM-AIX, HP-UX, Sun-Solaris, + SGI-IRIX, Compaq Tru64, Digital Unix and some more commercial Unices (it + is written by the CUPS developers themselves and its sales help finance + the further development of CUPS, as they feed their creators) + the Gimp-Print-Project + (http://gimp-print.sourceforge.net/) + (GPL, Free Software) provides around 120 PPDs (supporting nearly 300 + printers, many driven to photo quality output), to be used alongside the + Gimp-Print CUPS filters; + TurboPrint + (http://www.turboprint.com/) + (Shareware, non-Freee) supports roughly the same amount of printers in + excellent quality; + OMNI + (http://www-124.ibm.com/developerworks/oss/linux/projects/omni/) + (LPGL, Free) is a package made by IBM, now containing support for more + than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow + ported over to Linux (CUPS support is in a Beta-stage at present); + HPIJS + (http://hpinkjet.sourceforge.net/) + (BSD-style licnes, Free) supports around 120 of HP's own printers and is + also providing excellent print quality now; + Foomatic/cupsomatic (http://www.linuxprinting.org/) + (LPGL, Free) from Linuxprinting.org are providing PPDs for practically every + Ghostscript filter known to the world, now usable with CUPS. + + + +NOTE: the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidnaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished. 
-- CUPS versions from 1.1.15 and later will provide their pstoraster +PostScript RIP function again inside a system-wide Ghostscript +installation rather than in "their own" pstoraster filter. (This +CUPS-enabling Ghostscript version may be installed either as a +patch to GNU or AFPL Ghostscript, or as a complete ESP Ghostscript package). +However, this will not change the cupsomatic approach of guiding the printjob +along a different path through the filtering system than the standard CUPS +way... + + + +Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use cupsaddsmb to share the +printer via Samba. cupsaddsmb prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share. + + + + + +<command>cupsaddsmb</command> + + + +The cupsaddsmb command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from /etc/cups/ppd/ to +[print$]. + + + +root# cupsaddsmb -U root infotec_IS2027 +Password for root required to access localhost via SAMBA: [type in password 'secret'] + + + +To share all printers and drivers, use the -a +parameter instead of a printer name. + + + + +Probably you want to see what's going on. Use the +-v parameter to get a more verbose output: + + + +Probably you want to see what's going on. Use the +-v parameter to get a more verbose output: + + + +Note: The following line shave been wrapped so that information is not lost. 
+ +root# cupsaddsmb -v -U root infotec_IS2027 + Password for root required to access localhost via SAMBA: + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put + /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ + ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr + W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) + (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) + (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) + (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) + (average 9247.1 kb/s) + + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put + /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put + /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put + /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put + /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put + /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put + /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put + /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 
nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) + (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) + (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) + (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) + (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) + (average 12944.0 kb/s) + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) + (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) + (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + ADOBEPSU.HLP:NULL:RAW:NULL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" + "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: + ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' + -c 'setdriver infotec_IS2027 infotec_IS2027' + cmd = setdriver infotec_IS2027 infotec_IS2027 + Succesfully set infotec_IS2027 to driver infotec_IS2027. 
+ + root# + + + +If you look closely, you'll discover your root password was transfered unencrypted over +the wire, so beware! Also, if you look further her, you'll discover error messages like +NT_STATUS_OBJECT_NAME_COLLISION in between. They occur, because +the directories WIN40 and W32X86 already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here. + + + +Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop" + + + +NOTE: +cupsaddsmb will only reliably work i +with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients and then point the client's printer queue to the Samba printer +share for connection, should you desire to use the CUPS networked +PostScript RIP functions. + + + + + The CUPS Filter Chains @@ -674,7 +1103,8 @@ at "/some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd" Then install the printer: - "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd" + "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \ + -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd" @@ -833,7 +1263,8 @@ assuming an existing printer named "quotaprinter": - lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 -o job-page-limit=100 + lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 \ + -o job-page-limit=100 
@@ -989,15 +1420,15 @@ download is "cups-samba-1.1.16.tar.gz". Upon untar-/unzip-ping it will reveal the files: - - - cups-samba.install - cups-samba.license - cups-samba.readme - cups-samba.remove - cups-samba.ss - - + + + cups-samba.install + cups-samba.license + cups-samba.readme + cups-samba.remove + cups-samba.ss + + These have been packaged with the ESP meta packager software "EPM". The @@ -1006,13 +1437,13 @@ These have been packaged with the ESP meta packager software "EPM". The into /usr/share/cups/drivers/. Its contents are 3 files: - - - cupsdrvr.dll - cupsui.dll - cups.hlp - - + + + cupsdrvr.dll + cupsui.dll + cups.hlp + + ATTENTION: due to a bug one CUPS release puts the cups.hlp @@ -1021,11 +1452,11 @@ into /usr/share/drivers/ instead of the file after running the "./cups-samba.install" script manually to the right place: - - - cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ - - + + + cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ + + 
@@ -1053,45 +1484,45 @@ Win NT/2k/XP clients. - -NOTE 1: Win 9x/ME clients won't work with this driver. For these you'd -still need to use the ADOBE*.* drivers as previously. - + + NOTE 1: Win 9x/ME clients won't work with this driver. For these you'd + still need to use the ADOBE*.* drivers as previously. + - -NOTE 2: It is not harming if you've still the ADOBE*.* driver files from -previous installations in the "/usr/share/cups/drivers/" directory. -The new cupsaddsmb (from 1.1.16) will automatically use the -"newest" installed driver (which here then is the CUPS drivers). - + + NOTE 2: It is not harming if you've still the ADOBE*.* driver files from + previous installations in the "/usr/share/cups/drivers/" directory. + The new cupsaddsmb (from 1.1.16) will automatically use the + "newest" installed driver (which here then is the CUPS drivers). + - -NOTE 3: Should your Win clients have had the old ADOBE*.* files and the -Adobe PostScript drivers installed, the download and installation -of the new CUPS PostScript driver for Windows NT/2k/XP will fail -at first. - - -It is not enough to "delete" the printer (as the driver files -will still be kept by the clients and re-used if you try to -re-install the printer). To really get rid of the Adobe driver -files on the clients, open the "Printers" folder (possibly via -"Start --> Settings --> Control Panel --> Printers"), right-click -onto the folder background and select "Server Properties". A -new dialog opens; select the "Drivers" tab; on the list select -the driver you want to delete and click on the "Delete" button. -(This will only work if there is no single printer left which -uses that particular driver -- you need to "delete" all printers -using this driver in the "Printers" folder first.) 
- - - - -Once you have successfully downloaded the CUPS PostScript driver -to a client, you can easily switch all printers to this one -by proceeding as described elsewhere in the "Samba HOWTO -Collection" to change a driver for an existing printer. - + + NOTE 3: Should your Win clients have had the old ADOBE*.* files and the + Adobe PostScript drivers installed, the download and installation + of the new CUPS PostScript driver for Windows NT/2k/XP will fail + at first. + + + It is not enough to "delete" the printer (as the driver files + will still be kept by the clients and re-used if you try to + re-install the printer). To really get rid of the Adobe driver + files on the clients, open the "Printers" folder (possibly via + "Start --> Settings --> Control Panel --> Printers"), right-click + onto the folder background and select "Server Properties". A + new dialog opens; select the "Drivers" tab; on the list select + the driver you want to delete and click on the "Delete" button. + (This will only work if there is no single printer left which + uses that particular driver -- you need to "delete" all printers + using this driver in the "Printers" folder first.) + + + + + Once you have successfully downloaded the CUPS PostScript driver + to a client, you can easily switch all printers to this one + by proceeding as described elsewhere in the "Samba HOWTO + Collection" to change a driver for an existing printer. + What are the benefits with the "CUPS PostScript driver for Windows NT/2k/XP" -- cgit From 02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b Mon Sep 17 00:00:00 2001 
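Review bot: In the `@@ -49,10 +49,65 @@` hunk of CUPS-printing.sgml, "Make sure it is set!" does not say which setting is meant: the two smb.conf parameters, or the cupsd.conf `Printcap` and `PrintcapFormat` directives named in the sentence before it. Name the setting explicitly. The same hunk writes `printcap = cups`, while the smb.conf sample added further down uses `printcap name = cups`; use one form throughout or state how the two relate. In the new raw-mode paragraph, "is will be necessary" should read "it will be necessary".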
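Review bot: In the `@@ -245,6 +300,380 @@` hunk, the warning that the root password is transferred unencrypted comes only after the complete `cupsaddsmb -v -U root` transcript, and the transcript itself prints the credential in every spawned command (`-U'root%secret'`). Move the warning ahead of the first `cupsaddsmb -U root` example and say there that `-v` echoes the password to the terminal. The sample [printers] section sets both `public = yes` and `guest ok = yes` with no explanation; add a sentence on why guest access is wanted for this share. Smaller items in the same hunk: the utility is introduced as `cupsadsmb`, the paragraph beginning "Probably you want to see what's going on" is added twice, and the transcript uploads PSMON.DLL although it is missing from the list of Adobe files to copy.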
From: Volker Lendecke Date: Fri, 4 Apr 2003 15:21:04 +0000 Subject: This is a merge of the NETLOGON schannel server code from Samba TNG. Actually, it exists in the main Samba cvs tree in APPLIANCE_TNG as I found out later :-) It adds a new parameter: server schannel = yes/auto/no defaulting to auto. What does this mean to the user: No requireSignOrSeal registry patch for XP anymore. Many thanks for this code to Luke Leighton, Elrond and anybody else I forgot to mention. My next thing will be to see if this applies cleanly to 3_0. Please test and comment! Volker (This used to be commit e1f953241eb020f19fe657f29afdae28dcf5a03b) --- docs/docbook/manpages/smb.conf.5.sgml | 26 ++++++++++++++++++++++ .../docbook/smbdotconf/security/serverschannel.xml | 24 ++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 docs/docbook/smbdotconf/security/serverschannel.xml (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 2fbd27b934..40c4963c8d 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -744,6 +744,7 @@ alias|alias|alias|alias... root dir root directory security + server schannel server string set primary group script show add printer wizard 
@@ -6922,6 +6923,31 @@ print5|My Printer 5 + + server schannel (G) + + + This controls whether the server offers or even + demands the use of the netlogon schannel. + server schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4. + + Please note that with this set to + no you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory.Default: server schannel = auto + + Example: server schannel = yes/para> + + + server string (G) This controls what string will show up in the diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml new file mode 100644 index 0000000000..05261fa417 --- /dev/null +++ b/docs/docbook/smbdotconf/security/serverschannel.xml @@ -0,0 +1,24 @@ + + server schannel (G) + + + This controls whether the server offers or even + demands the use of the netlogon schannel. + server schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4. + + Please note that with this set to + no you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory.Default: server schannel = auto + + Example: server schannel = yes/para> + + \ No newline at end of file -- cgit From f72611917fd0c80b66fa603c85e5e58e6acea973 Mon Sep 17 00:00:00 2001 
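Review bot: In the `@@ -6922,6 +6923,31 @@` hunk of smb.conf.5.sgml, "This is only the case for Windows NT4 before SP4" has no clear referent; say directly that these are the clients that cannot speak netlogon schannel and will therefore be refused when `server schannel = yes`. Because the default is `auto`, which "offers the schannel but does not enforce it", add a sentence telling administrators that only `yes` guarantees the schannel is used. The Example line ends in `yes/para>`, which looks like a broken closing tag, and "subdirectory.Default:" runs two paragraphs together.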
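Review bot: The new file docs/docbook/smbdotconf/security/serverschannel.xml repeats the smb.conf.5.sgml paragraph word for word, including the `yes/para>` ending on the Example line, so the broken closing tag has to be fixed here as well. The file also ends with "\ No newline at end of file"; add the trailing newline. With the same text kept in two places, state in the commit message which copy is authoritative so the two are not edited separately.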
From: Jelmer Vernooij Date: Fri, 4 Apr 2003 17:59:54 +0000 Subject: Add entities for some common authors (This used to be commit 60979d59b478191b95821dbde97a1b2a9406fc20) --- docs/docbook/global.ent | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'docs/docbook') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 5f89a97593..c34151ea05 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -8,6 +8,39 @@ + + +JelmerVernooij +The Samba Team
jelmer@samba.org
+ +'> + + +Gerald (Jerry)Carter +Samba Team
jerry@samba.org
+ +'> + + + JeremyAllison + + Samba Team +
jra@samba.org
+
+'> + + + John HTerpstra + + Samba Team +
jht@samba.org
+
+'> + -- cgit From c98dd1184dd60648a98fc9866ce5de062fb9f415 Mon Sep 17 00:00:00 2001 
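Review bot: In the global.ent hunk the four new author entities are not consistent with one another: the Jelmer Vernooij entry gives the affiliation as "The Samba Team" while the other three use "Samba Team", and the first two entries are written on single lines while the Jeremy Allison and John H Terpstra entries are indented one element per line. Use one affiliation string and one layout for all of them, so that later entries can be copied from any existing one.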
From: Jelmer Vernooij Date: Fri, 4 Apr 2003 23:04:49 +0000 Subject: - Add some entities for authors - Layout improvements, fixing links (This used to be commit 71441d3d7cc7922259302ff23c8fc1c9429d5934) --- docs/docbook/global.ent | 62 +++++++++++---- docs/docbook/projdoc/ADS-HOWTO.sgml | 15 ++-- docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 89 ++++++++++------------ docs/docbook/projdoc/Browsing-Quickguide.sgml | 10 +-- docs/docbook/projdoc/Browsing.sgml | 7 +- docs/docbook/projdoc/Bugs.sgml | 5 +- docs/docbook/projdoc/CUPS-printing.sgml | 77 +++++++++---------- docs/docbook/projdoc/Compiling.sgml | 1 + docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 22 +----- docs/docbook/projdoc/Diagnosis.sgml | 80 +++++++------------ docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 4 +- docs/docbook/projdoc/Integrating-with-Windows.sgml | 13 +--- docs/docbook/projdoc/NT4Migration.sgml | 4 +- docs/docbook/projdoc/NT_Security.sgml | 10 +-- docs/docbook/projdoc/Other-Clients.sgml | 17 +---- .../projdoc/PAM-Authentication-And-Samba.sgml | 16 +--- docs/docbook/projdoc/PolicyMgmt.sgml | 63 ++++++--------- docs/docbook/projdoc/Portability.sgml | 4 +- docs/docbook/projdoc/ProfileMgmt.sgml | 12 +-- docs/docbook/projdoc/SWAT.sgml | 4 +- docs/docbook/projdoc/Samba-BDC-HOWTO.sgml | 9 +-- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 15 +--- docs/docbook/projdoc/ServerType.sgml | 8 +- docs/docbook/projdoc/Speed.sgml | 7 +- docs/docbook/projdoc/UNIX_INSTALL.sgml | 7 ++ docs/docbook/projdoc/VFS.sgml | 4 +- docs/docbook/projdoc/passdb.sgml | 55 +++---------- docs/docbook/projdoc/printer_driver2.sgml | 30 +++----- docs/docbook/projdoc/samba-doc.sgml | 29 +++---- docs/docbook/projdoc/securing-samba.sgml | 5 +- docs/docbook/projdoc/security_level.sgml | 9 +-- docs/docbook/projdoc/unicode.sgml | 8 +- docs/docbook/projdoc/upgrading-to-3.0.sgml | 11 +-- docs/docbook/projdoc/winbind.sgml | 24 +----- 34 files changed, 275 insertions(+), 461 deletions(-) (limited to 'docs/docbook') 
diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index c34151ea05..c71166b4d7 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -8,20 +8,25 @@ + - +JelmerVernooij -The Samba Team
jelmer@samba.org
- -'> + + The Samba Team +
jelmer@samba.org
+
'> - -Gerald (Jerry)Carter -Samba Team
jerry@samba.org
- -'> +&person.jelmer;'> + +GeraldCarter(Jerry) + + Samba Team +
jerry@samba.org
+
'> + +&person.jerry;'> @@ -32,15 +37,44 @@ '> -John HTerpstra + + Samba Team +
jht@samba.org
+
+'> + +&person.jht;'> + + + AndrewTridgell + + Samba Team +
tridge@samba.org
+
+'> + + - John HTerpstra + JimMcDonough + + IBM +
jmcd@us.ibm.com
+
+'> + + + VolkerLendecke Samba Team -
jht@samba.org
+
Volker.Lendecke@SerNet.DE
'> + diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index a98fe14e31..a0bba36e99 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -1,9 +1,7 @@ - - AndrewTridgell - + &author.tridge; 2002 @@ -33,11 +31,12 @@ In case samba can't figure out your ads server using your realm name, use the
-You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm +You do *not* need a smbpasswd file, and older clients will + be authenticated as if security = domain, + although it won't do any harm and allows you to have local users not in the domain. I expect that the above required options will change soon when we get better - active directory integration. + active directory integration.
@@ -56,7 +55,7 @@ In case samba can't figure out your ads server using your realm name, use the Test your config by doing a "kinit USERNAME@REALM" and making sure that your password is accepted by the Win2000 KDC. -NOTE: The realm must be uppercase. +The realm must be uppercase. You also must ensure that you can do a reverse DNS lookup on the IP @@ -87,7 +86,7 @@ support for smbd and winbindd. As a user that has write permission on the Samba private directory (usually root) run: -net ads join +net ads join diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index fe0774810b..525ab6dd37 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml @@ -1,15 +1,7 @@ - - John HTerpstra - - Samba Team -
- jht@samba.org -
-
-
- April 3 2003 + &author.jht; + April 3 2003
Advanced Network Manangement @@ -61,19 +53,18 @@ Server Manager is shipped with Windows NT4 Server products but not with Windows You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
- -Instructions: - - - - Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu - select Computer, then click on the Shared Directories entry. - + +Instructions + +Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu +select Computer, then click on the Shared Directories entry. + - + Now click on the share that you wish to manage, then click on the Properties tab, next click on the Permissions tab. Now you can Add or change access control settings as you wish. - + + 
@@ -93,37 +84,37 @@ Microsoft Management Console (MMC). This tool is located by clicking on Computer Management. - -Instructions: - - + +Instructions + After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', select 'Connect to another computer'. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. If you where already logged in with administrative privilidge this step is not offered. - - - - If the Samba server is not shown in the Select Computer box, then type in the name of the target - Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] - next to 'Shared Folders' in the left panel. - - - - Now in the right panel, double-click on the share you wish to set access control permissions on. - Then click on the tab 'Share Permissions'. It is now possible to add access control entities - to the shared folder. Do NOT forget to set what type of access (full control, change, read) you - wish to assign for each entry. - - - - - Be careful. If you take away all permissions from the Everyone user without removing this user - then effectively no user will be able to access the share. This is a result of what is known as - ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone - will have no access even if this user is given explicit full control access. - - + + + +If the Samba server is not shown in the Select Computer box, then type in the name of the target +Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] +next to 'Shared Folders' in the left panel. + + + +Now in the right panel, double-click on the share you wish to set access control permissions on. +Then click on the tab 'Share Permissions'. It is now possible to add access control entities +to the shared folder. 
Do NOT forget to set what type of access (full control, change, read) you +wish to assign for each entry. + + + + + +Be careful. If you take away all permissions from the Everyone user without removing this user +then effectively no user will be able to access the share. This is a result of what is known as +ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone +will have no access even if this user is given explicit full control access. + + @@ -148,9 +139,7 @@ systems. The tools set includes: Server Manager - User Manager for Domains - Event Viewer @@ -171,7 +160,7 @@ from ftp://ft This section needs work. Volunteer contributions most welcome. Please send your patches or updates -to jht@samba.org. +to John Terpstra. diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index adf20b7386..3a26ebcb21 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -1,8 +1,6 @@ - - John HTerpstra - + &author.jht; July 5, 1998 Updated: March 15, 2003 @@ -17,10 +15,10 @@ of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address mapping. - -Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS + +MS Windows 2000 and later can be configured to operate with NO NetBIOS over TCP/IP. Samba-3 and later also supports this mode of operation. - + diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml index 60512c3cd1..2de0f446a6 100644 --- a/docs/docbook/projdoc/Browsing.sgml +++ b/docs/docbook/projdoc/Browsing.sgml @@ -6,7 +6,6 @@ - (5 July 1998) 
@@ -69,15 +68,15 @@ regardless of whether it is NT, Samba or any other type of domain master that is providing this service. - -[Note that nmbd can be configured as a WINS server, but it is not + +Nmbd can be configured as a WINS server, but it is not necessary to specifically use samba as your WINS server. MS Windows NT4, Server or Advanced Server 2000 or 2003 can be configured as your WINS server. In a mixed NT/2000/2003 server and samba environment on a Wide Area Network, it is recommended that you use the Microsoft WINS server capabilities. In a samba-only environment, it is recommended that you use one and only one Samba server as your WINS server. - + To get browsing to work you need to run nmbd as usual, but will need diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index a9493b07d4..4e4f7b9084 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml @@ -1,6 +1,7 @@ + &author.jelmer; Samba Team @@ -15,7 +16,7 @@ Introduction -The email address for bug reports for stable releases is samba@samba.org. +The email address for bug reports for stable releases is samba@samba.org. Bug reports for alpha releases should go to samba-technical@samba.org. @@ -61,7 +62,7 @@ file for correct syntax. -Have you run through the diagnosis? +Have you run through the diagnosis? This is very important. diff --git a/docs/docbook/projdoc/CUPS-printing.sgml b/docs/docbook/projdoc/CUPS-printing.sgml index 65f18dc385..eb59695b04 100644 --- a/docs/docbook/projdoc/CUPS-printing.sgml +++ b/docs/docbook/projdoc/CUPS-printing.sgml @@ -2,15 +2,7 @@ - - John HTerpstra - - Samba Team -
- jht@samba.org -
-
-
+ &author.jht; KurtPfeifle @@ -1310,7 +1302,7 @@ It is *not* working for Win9x/ME clients. But it: - >it guarantees to not write an PJL-header + it guarantees to not write an PJL-header it guarantees to still read and support all PJL-options named in the driver PPD with its own means it guarantees the file going thru the "pstops" filter on the CUPS/Samba server it guarantees to page-count correctly the printfile @@ -1326,29 +1318,30 @@ current with CUPS 1.1.16). These are the items CUPS logs in the "page_log" for every single *page* of a job: - - * Printer name - * User name - * Job ID - * Time of printing - * the page number - * the number of copies - * a billing info string (optional) - + +Printer name +User name +Job ID +Time of printing +the page number +the number of copies +a billing info string (optional) + + Here is an extract of my CUPS server's page_log file to illustrate the format and included items: - + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 1 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 2 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 3 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 4 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 5 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 6 2 #marketing - + This was Job ID "40", printed on "infotec_IS2027" by user "kurt", a 6-page job @@ -1397,7 +1390,7 @@ huge improvements under development: page counting will go into the "backends" (these talk directly to the printer and will increase the count in sync with the - actual printing process -- a jam at the 5th sheet will lead to a stop in the counting) + actual printing process -- a jam at the 5th sheet will lead to a stop in the counting) quotas will be handled more flexibly @@ -1421,13 +1414,13 @@ the files: - + cups-samba.install cups-samba.license cups-samba.readme cups-samba.remove cups-samba.ss - + 
@@ -1438,26 +1431,24 @@ into /usr/share/cups/drivers/. Its contents are 3 files: - + cupsdrvr.dll cupsui.dll cups.hlp - + - -ATTENTION: due to a bug one CUPS release puts the cups.hlp + +Due to a bug one CUPS release puts the cups.hlp into /usr/share/drivers/ instead of /usr/share/cups/drivers/. To work around this, copy/move the file after running the "./cups-samba.install" script manually to the right place: - - cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ - - - + cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ + + @@ -1485,19 +1476,19 @@ Win NT/2k/XP clients. - NOTE 1: Win 9x/ME clients won't work with this driver. For these you'd + Win 9x/ME clients won't work with this driver. For these you'd still need to use the ADOBE*.* drivers as previously. - NOTE 2: It is not harming if you've still the ADOBE*.* driver files from + It is not harming if you've still the ADOBE*.* driver files from previous installations in the "/usr/share/cups/drivers/" directory. The new cupsaddsmb (from 1.1.16) will automatically use the "newest" installed driver (which here then is the CUPS drivers). - NOTE 3: Should your Win clients have had the old ADOBE*.* files and the + Should your Win clients have had the old ADOBE*.* files and the Adobe PostScript drivers installed, the download and installation of the new CUPS PostScript driver for Windows NT/2k/XP will fail at first. @@ -1685,11 +1676,11 @@ it is most likely the Samba part. For the CUPS part, you may want to consult: - - http://localhost:631/sam.html#PreserveJobFiles and - http://localhost:631/sam.html#PreserveJobHistory and - http://localhost:631/sam.html#MaxJobs - + +http://localhost:631/sam.html#PreserveJobFiles +http://localhost:631/sam.html#PreserveJobHistory +http://localhost:631/sam.html#MaxJobs + There are the settings described for your CUPS daemon, which could lead to completed 
@@ -1773,10 +1764,10 @@ If you have more problems, post the output of these commands: - + grep -v ^# /etc/cups/cupsd.conf | grep -v ^$ grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;" - + diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index ac98f34a32..a5ff783244 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml @@ -5,6 +5,7 @@ Samba Team + &author.jelmer; (22 May 2001) 18 March 2003 diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 8ac3520384..1a97e6f5a8 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -1,26 +1,8 @@ - - JeremyAllison - - Samba Team -
- samba@samba.org -
-
-
- - JerryCarter - - Samba Team -
- jerry@samba.org -
-
-
- - + &author.jeremy; + &author.jerry; 16 Apr 2001
diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 1e2e6d7598..2a771c23d1 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -1,19 +1,7 @@ - - AndrewTridgell - - Samba Team -
tridge@samba.org
-
-
- - JelmerVernooij - - Samba Team -
jelmer@samba.org
-
-
+ &author.tridge; + &author.jelmer; Wed Jan 15
@@ -92,10 +80,11 @@ best way to check this is with "testparm smb.conf"
-Tests +The tests + +Diagnosing your samba server - -Test 1 + In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -106,11 +95,9 @@ configuration file is faulty. Note: Your smb.conf file may be located in: /etc/samba Or in: /usr/local/samba/lib - - - -Test 2 + + Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -135,11 +122,9 @@ software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux this is done via the ipfwadm program.) - - - -Test 3 + + Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back. @@ -218,10 +203,9 @@ network interface IP Address / Broadcast Address / Subnet Mask settings are correct and that Samba has correctly noted these in the log.nmb file. - + - -Test 4 + Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the @@ -241,10 +225,9 @@ one-line script that contains the right parameters and run that from inetd. - + - -Test 5 + run the command nmblookup -B ACLIENT '*' @@ -259,10 +242,9 @@ If ACLIENT doesn't resolve via DNS then use the IP address of the client in the above test. - + - -Test 6 + Run the command nmblookup -d 2 '*' @@ -296,10 +278,9 @@ This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to TEST 3 notes above). - + - -Test 7 + Run the command smbclient //BIGSERVER/TMP. You should @@ -369,10 +350,9 @@ especially check that the amount of free disk space shown is correct when you type dir. - + - -Test 8 + On the PC type the command net view \\BIGSERVER. You will @@ -429,10 +409,9 @@ Check to see if the host is running tcp wrappers, and if so add an entry in the hosts.allow file for your client (or subnet, etc.) - + - -Test 9 + Run the command net use x: \\BIGSERVER\TMP. You should 
@@ -456,10 +435,9 @@ and you have encrypt passwords = no in smb.conf - + - -Test 10 + Run the command nmblookup -M TESTGROUP where @@ -476,10 +454,9 @@ sure you have preferred master = yes to ensure that an election is held at startup. - + - -Test 11 + From file manager try to browse the server. Your samba server should @@ -495,7 +472,8 @@ smb.conf file, or enable encrypted passwords AFTER compiling in support for encrypted passwords (refer to the Makefile). - + + @@ -507,7 +485,7 @@ sniff the problem. The official samba mailing list can be reached at samba@samba.org. To find out more about samba and how to subscribe to the mailing list check out the samba web page at -http://samba.org/samba +http://samba.org/samba/ diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index a2d16541ef..8aea87fe24 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -57,7 +57,7 @@ domadm:x:502:joe,john,mary Map this domadm group to the domain admins group by running the command: -smbgroupedit -c "Domain Admins" -u domadm +smbgroupedit -c "Domain Admins" -u domadm @@ -74,6 +74,6 @@ your samba PDC. Flag that group as a domain group by running: smbgroupedit -a unixgroup -td You can list the various groups in the mapping database like this -smbgroupedit -v +smbgroupedit -v
diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index 8a5c0c40f2..b48fc3b305 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -1,18 +1,7 @@ - - - JohnTerpstra - - Samba Team -
- jht@samba.org -
-
-
- - + &author.jht; (Jan 01 2001)
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 1a4499038d..253de8aea0 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -1,8 +1,6 @@ - - John HTerpstra - + &author.jht; April 3, 2003 diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml index c5e3b9b9f9..65072ef4ff 100644 --- a/docs/docbook/projdoc/NT_Security.sgml +++ b/docs/docbook/projdoc/NT_Security.sgml @@ -1,14 +1,6 @@ - - JeremyAllison - - Samba Team -
- samba@samba.org -
-
-
+ &author.jeremy; 12 Apr 1999
diff --git a/docs/docbook/projdoc/Other-Clients.sgml b/docs/docbook/projdoc/Other-Clients.sgml index e4d7e34185..6177b4dcb6 100644 --- a/docs/docbook/projdoc/Other-Clients.sgml +++ b/docs/docbook/projdoc/Other-Clients.sgml @@ -1,16 +1,7 @@ - - JimMcDonough - - IBM - - JelmerVernooij - - Samba Team -
jelmer@samba.org
-
-
+ &author.jmcd; + &author.jelmer; 5 Mar 2001
@@ -334,8 +325,8 @@ for the profile. This default ACL includes DOMAIN\user "Full Control" -NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users. +This bug does not occur when using winbind to +create accounts on the Samba host for Domain users. diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index f2a6fc06ac..e13a81eac5 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -1,15 +1,7 @@ - - JohnTerpstra - - Samba Team -
- jht@samba.org -
-
-
- (Jun 21 2001) + &author.jht; + (Jun 21 2001)
PAM Configuration for Centrally Managed Authentication @@ -80,8 +72,8 @@ PAM allows use of replacable modules. Those available on a sample system include: - - $ /bin/ls /lib/security +$/bin/ls /lib/security + pam_access.so pam_ftp.so pam_limits.so pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so pam_cracklib.so pam_group.so pam_listfile.so diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 1dc4dd435d..9dee288b1f 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -1,15 +1,7 @@ - - John HTerpstra - - Samba Team -
- jht@samba.org -
-
-
- April 3 2003 + &author.jht; + April 3 2003
System and Account Policies @@ -203,40 +195,33 @@ exists with NT4 style policy files. Administration of Win2K / XP Policies + +Instructions Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console -(MMC) snap-in as follows: - +(MMC) snap-in as follows:
- - - - Go to the Windows 200x / XP menu Start->Programs->Administrative Tools + + +Go to the Windows 200x / XP menu Start->Programs->Administrative Tools and select the MMC snap-in called "Active Directory Users and Computers" - - - - - - Select the domain or organizational unit (OU) that you wish to manage, then right click - to open the context menu for that object, select the properties item. - - - - - - Now left click on the Group Policy tab, then left click on the New tab. Type a name - for the new policy you will create. - - - - - - Now left click on the Edit tab to commence the steps needed to create the GPO. - - - + + + +Select the domain or organizational unit (OU) that you wish to manage, then right click +to open the context menu for that object, select the properties item. + + + +Now left click on the Group Policy tab, then left click on the New tab. Type a name +for the new policy you will create. + + + +Now left click on the Edit tab to commence the steps needed to create the GPO. + + All policy configuration options are controlled through the use of policy administrative diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index dae267e8b5..61a694e130 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -1,8 +1,6 @@ - - JelmerVernooij - + &author.jelmer; Portability diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 72eac8635a..9d11c80ffb 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -1,15 +1,7 @@ - - John HTerpstra - - Samba Team -
- jht@samba.org -
-
-
- April 3 2003 + &author.jht; + April 3 2003
Desktop Profile Management diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 9df94b9aee..7326a49874 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -1,8 +1,6 @@ - - John HTerpstra - + &author.jht; April 3, 2003 diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index 46e69e4ba9..8dbc007e4f 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -1,14 +1,7 @@ - - - VolkerLendecke - - Samba Team -
Volker.Lendecke@SerNet.DE
-
-
+ &author.vl; (26 Apr 2001)
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 7aabca948f..451ab02762 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -2,23 +2,14 @@ + &author.jerry; + &author.jht; - Gerald (Jerry)Carter - - VA Linux Systems/Samba Team -
jerry@samba.org
-
DavidBannon Samba Team
dbannon@samba.org
- John HTerpstra - - Samba Team -
jht@samba.org
-
-
(26 Apr 2001)
@@ -243,7 +234,7 @@ There are a couple of points to emphasize in the above configuration. Encrypted passwords must be enabled. For more details on how - to do this, refer to ENCRYPTION.html. + to do this, refer to ENCRYPTION.html. diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml index 239880160e..7df1eb03fc 100644 --- a/docs/docbook/projdoc/ServerType.sgml +++ b/docs/docbook/projdoc/ServerType.sgml @@ -1,12 +1,6 @@ - - John HTerpstra - - Samba Team -
jht@samba.org
-
-
+ &author.jht;
Nomenclature of Server Types diff --git a/docs/docbook/projdoc/Speed.sgml b/docs/docbook/projdoc/Speed.sgml index 55d8b9492b..78b5935a9c 100644 --- a/docs/docbook/projdoc/Speed.sgml +++ b/docs/docbook/projdoc/Speed.sgml @@ -1,12 +1,6 @@ - - - Samba Team -
samba@samba.org
-
-
PaulCochrane @@ -14,6 +8,7 @@
paulc@dth.scot.nhs.uk
+ &author.jelmer;
Samba performance issues diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index 5d0d388c08..df038510af 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -1,4 +1,11 @@ + + &author.tridge; + &author.jelmer; + KarlAuer + + + How to Install and Test SAMBA diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 7aa280f4ef..0a88543c6e 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml @@ -1,10 +1,10 @@ - JelmerVernooij + &author.jelmer; + &author.jht; AlexanderBokovoy TimPotter SimoSorce - John HTerpstra Stackable VFS modules diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 7e4b9bcbd0..362cf97064 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -1,19 +1,9 @@ - - JelmerVernooij - - The Samba Team -
jelmer@samba.org
-
-
- - Gerald (Jerry)Carter - - Samba Team -
jerry@samba.org
-
-
+ &author.jelmer; + &author.jerry; + &author.jeremy; + &author.jht; Olivier (lem)Lemaire @@ -21,24 +11,6 @@
olem@IDEALX.org
- - JeremyAllison - - Samba Team -
- jra@samba.org -
-
-
- - John HTerpstra - - Samba Team -
- jht@samba.org -
-
-
February 2003
@@ -137,13 +109,9 @@ Windows NT 3.5x - Windows NT 4.0 - Windows 2000 Professional - Windows 200x Server/Advanced Server - Windows XP Professional @@ -393,6 +361,8 @@ the details of configuring these packages are beyond the scope of this document. Supported LDAP Servers + + The LDAP samdb code in 2.2.3 (and later) has been developed and tested using the OpenLDAP 2.0 server and client libraries. @@ -400,8 +370,8 @@ The same code should be able to work with Netscape's Directory Server and client SDK. However, due to lack of testing so far, there are bound to be compile errors and bugs. These should not be hard to fix. If you are so inclined, please be sure to forward all patches to -samba-patches@samba.org and -jerry@samba.org. +samba-patches@samba.org and +jerry@samba.org. @@ -430,7 +400,7 @@ The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to jerry@samba.org +url="mailto:jerry@samba.org">jerry@samba.org
@@ -470,7 +440,7 @@ server, first copy the samba.schema file to slapd's configuration directory. -root# cp samba.schema /etc/openldap/schema/ +root# cp samba.schema /etc/openldap/schema/ @@ -525,7 +495,6 @@ index rid eq Configuring Samba - The following parameters are available in smb.conf only with --with-ldapsam @@ -972,14 +941,14 @@ Or, set 'identifier:workstations column' to : The usage of pdb_xml is pretty straightforward. To export data, use: -pdbedit -e xml:filename +pdbedit -e xml:filename (where filename is the name of the file to put the data in) To import data, use: -pdbedit -i xml:filename -e current-pdb +pdbedit -i xml:filename -e current-pdb Where filename is the name to read the data from and current-pdb to put it in. diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml index 8d15e437b2..da3eb838f2 100644 --- a/docs/docbook/projdoc/printer_driver2.sgml +++ b/docs/docbook/projdoc/printer_driver2.sgml @@ -1,16 +1,7 @@ - - - Gerald (Jerry)Carter - - Samba Team -
- jerry@samba.org -
-
-
+ &author.jerry; PatrickPowell @@ -183,14 +174,14 @@ Samba follows this model as well.
Next create the directory tree below the [print$] share for each architecture you wish to support. - + [print$]----- |-W32X86 ; "Windows NT x86" |-WIN40 ; "Windows 95/98" |-W32ALPHA ; "Windows NT Alpha_AXP" |-W32MIPS ; "Windows NT R4000" |-W32PPC ; "Windows NT PowerPC" - +
ATTENTION! REQUIRED PERMISSIONS @@ -302,8 +293,9 @@ setdriver command can be used to set the driver associated with an installed driver. The following is example of how this could be accomplished: - -$ rpcclient pogo -U root%secret -c "enumdrivers" + +$ rpcclient pogo -U root%secret -c "enumdrivers" + Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] [Windows NT x86] @@ -315,16 +307,18 @@ Printer Driver Info 1: Printer Driver Info 1: Driver Name: [HP LaserJet 4Si/4SiMX PS] - -$ rpcclient pogo -U root%secret -c "enumprinters" + +$ rpcclient pogo -U root%secret -c "enumprinters" + Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] flags:[0x800000] name:[\\POGO\hp-print] description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] comment:[] -$ rpcclient pogo -U root%secret \ -> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" + +$ rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" + Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] Successfully set hp-print to driver HP LaserJet 4000 Series PS. diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 7a8c4b6d06..9c3861b8c3 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -1,4 +1,5 @@ %globalentities; @@ -34,23 +35,20 @@ ]> - SAMBA Project Documentation - SAMBA Team + SAMBA Team +
samba@samba.org
-
samba@samba.org
-
- - -Abstract + &person.jht; + &person.jelmer; + &person.jerry; - -Last Update : Wed Jan 15 - + Friday 4 April + This book is a collection of HOWTOs added to Samba documentation over the years. I try to ensure that all are current, but sometimes the is a larger job @@ -61,18 +59,17 @@ url="mailto:jerry@samba.org">jerry@samba.org or jelmer@samba.org. + + This documentation is distributed under the GNU General Public License (GPL) version 2. A copy of the license is included with the Samba source distribution. A copy can be found on-line at http://www.fsf.org/licenses/gpl.txt + + - -Cheers, jerry - - - @@ -140,5 +137,3 @@ part each cover one specific feature.
&BUGS; &Diagnosis; - - diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index bfedc5456f..03d0c3d9e7 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -1,10 +1,7 @@ - - AndrewTridgell - Samba Team - + &author.tridge; 17 March 2003 diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index e3d7c6ac1f..1c4c3f61ca 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -1,12 +1,7 @@ - - AndrewTridgell - - Samba Team -
samba@samba.org
-
-
+ &author.tridge; + &author.jelmer;
Samba as Stand-Alone Server - - JelmerVernooij - - Samba Team -
jelmer@samba.org
-
-
+ &author.jelmer; 25 March 2003
diff --git a/docs/docbook/projdoc/upgrading-to-3.0.sgml b/docs/docbook/projdoc/upgrading-to-3.0.sgml index cd0ec2064d..ec4b29386a 100644 --- a/docs/docbook/projdoc/upgrading-to-3.0.sgml +++ b/docs/docbook/projdoc/upgrading-to-3.0.sgml @@ -1,9 +1,6 @@ - - JelmerVernooij - Samba Team - + &author.jelmer; 25 October 2002 @@ -12,7 +9,11 @@ Charsets -FIXME +You might experience problems with special characters +when communicating with old DOS clients. Codepage +support has changed in samba 3.0. Read the chapter +Unicode support for details. + diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 2d38ea44d4..460038aea9 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -1,6 +1,5 @@ - @@ -10,32 +9,15 @@
tpot@linuxcare.com.au
- - AndrewTridgell - - Samba Team -
tridge@linuxcare.com.au
-
-
- - JohnTrostel - - Snapserver -
jtrostel@snapserver.com
-
-
+ &author.tridge; + &author.jht; NaagMummaneni
getnag@rediffmail.com
- - JelmerVernooij - -
jelmer@nl.linux.org
-
-
+ &author.jelmer;
27 June 2002
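Review bot: The re-indented paragraphs in docs/docbook/projdoc/AdvancedNetworkAdmin.sgml carry three spelling errors over onto the added lines: "If you where already logged in with administrative privilidge" and "ACL precidence". Since these lines are rewritten anyway, correct them to "were", "privilege" and "precedence". The warning about removing all permissions from Everyone is the paragraph an administrator is most likely to search for, so the term "ACL precedence" should be spelled the way they will type it.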
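Review bot: In docs/docbook/projdoc/Diagnosis.sgml the explicit "Test 1" to "Test 11" titles are dropped, but the unchanged text in the nmblookup -d 2 '*' step still says "(Refer to TEST 3 notes above)". With the titles gone that reference depends on however the steps end up numbered in the rendered output. Either keep a label on each step or reword the reference to name the step itself, for example the smbclient -L BIGSERVER step.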
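Review bot: The rpcclient examples reworked in docs/docbook/projdoc/printer_driver2.sgml keep the form -U root%secret on all three added command lines, which puts the root password on the command line where it lands in shell history and can be visible to other local users in the process list. Consider showing -U root and letting rpcclient prompt for the password, or add a sentence saying the inline password is for illustration only. The third example also loses its line continuation and is now a single long line, which may overflow in the printed formats.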
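Review bot: In docs/docbook/projdoc/samba-doc.sgml the new date "Friday 4 April" has no year, where the other files in this patch use full dates such as "April 3, 2003"; add the year so the front matter can be dated later. The same hunk removes the "Cheers, jerry" sign-off while the abstract still speaks in the first person ("I try to ensure that all are current"), so the reader can no longer tell who "I" is, and the context line "but sometimes the is a larger job" is missing a word that could be fixed in the same pass.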
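Review bot: In docs/docbook/projdoc/winbind.sgml the removed author block for John Trostel (Snapserver, jtrostel@snapserver.com) is replaced by &author.jht;, the entity that every other file in this patch substitutes for John H Terpstra (jht@samba.org). As written, the chapter drops its credit to Trostel and credits a different person. Unless that is intended, keep the Trostel block as it was, the way the Naag Mummaneni block is kept, or define a separate entity for him. The hunk also replaces tridge@linuxcare.com.au and jelmer@nl.linux.org with whatever addresses the shared entities carry, which is worth confirming.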
-- cgit From 56a251ee25533890044a1b4b21e4ab772c1979e2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 5 Apr 2003 00:48:15 +0000 Subject: Some layout updates (This used to be commit 5827981c0dc8fd7e2af0c4490225566dafe9c334) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 30 ++++++----- docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 2 +- docs/docbook/projdoc/Browsing-Quickguide.sgml | 72 +++++++++++++++----------- 3 files changed, 59 insertions(+), 45 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index a0bba36e99..5e93c62876 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -2,7 +2,8 @@ &author.tridge; - 2002 + &author.jelmer; + 2002/2003 Samba as a ADS domain member @@ -43,7 +44,7 @@ In case samba can't figure out your ads server using your realm name, use the Setup your <filename>/etc/krb5.conf</filename> -The minimal configuration for krb5.conf is: +The minimal configuration for krb5.conf is: [realms] @@ -52,7 +53,7 @@ In case samba can't figure out your ads server using your realm name, use the } -Test your config by doing a "kinit USERNAME@REALM" and making sure that +Test your config by doing a kinit USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC. The realm must be uppercase. 
@@ -66,21 +67,24 @@ followed by the realm. -The easiest way to ensure you get this right is to add a /etc/hosts -entry mapping the IP address of your KDC to its netbios name. If you -don't get this right then you will get a "local error" when you try -to join the realm. +The easiest way to ensure you get this right is to add a +/etc/hosts entry mapping the IP address of your KDC to +its netbios name. If you don't get this right then you will get a +"local error" when you try to join the realm. If all you want is kerberos support in smbclient then you can skip -straight to step 5 now. Step 3 is only needed if you want kerberos +straight to Test with smbclient now. +Creating a computer account +and testing your servers +is only needed if you want kerberos support for smbd and winbindd. - + Create the computer account @@ -103,19 +107,19 @@ As a user that has write permission on the Samba private directory - + Test your server setup -On a Windows 2000 client try net use * \\server\share. You should +On a Windows 2000 client try net use * \\server\share. You should be logged in with kerberos without needing to know a password. If -this fails then run klist tickets. Did you get a ticket for the +this fails then run klist tickets. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ? - + Testing with smbclient diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 525ab6dd37..58bc9a444e 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -35,7 +35,7 @@ Samba stores the per share access control settings in a file called sh The location of this file on your system will depend on how samba was compiled. The default location for samba's tdb files is under /usr/local/samba/var. If the tdbdump utility has been compiled and installed on your system then you can examine the contents of this file -by: tdbdump share_info.tdb. +by: tdbdump share_info.tdb. diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index 3a26ebcb21..a2b67983f8 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -35,9 +35,11 @@ TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast. Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP. +remote announce +parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the +remote browse sync parameter of smb.conf +implements browse list collation using unicast UDP. 
@@ -45,18 +47,19 @@ Secondly, in those networks where Samba is the only SMB server technology wherever possible nmbd should be configured on one (1) machine as the WINS server. This makes it easy to manage the browsing environment. If each network segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file. +get cross segment browsing to work is by using the +remote announce and the remote browse sync +parameters to your smb.conf file. If only one WINS server is used for an entire multi-segment network then -the use of the "remote announce" and the "remote browse sync" parameters -should NOT be necessary. +the use of the remote announce and the +remote browse sync parameters should NOT be necessary. -As of Samba-3 WINS replication is being worked on. The bulk of the code has +As of Samba 3 WINS replication is being worked on. The bulk of the code has been committed, but it still needs maturation. @@ -64,8 +67,9 @@ been committed, but it still needs maturation. Right now samba WINS does not support MS-WINS replication. This means that when setting up Samba as a WINS server there must only be one nmbd configured as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used "remote browse -sync" and "remote announce" to affect browse list collation across all +servers for redundancy (one server per subnet) and then used +remote browse sync and remote announce +to affect browse list collation across all segments. Note that this means clients will only resolve local names, and must be configured to use DNS to resolve names on other subnets in order to resolve the IP addresses of the servers they can see on other 
@@ -102,7 +106,8 @@ well as name lookups are done by UDP broadcast. This isolates name resolution to the local subnet, unless LMHOSTS is used to list all names and IP addresses. In such situations Samba provides a means by which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter). +list of a remote MS Windows network (using the +remote announce parameter). @@ -140,14 +145,14 @@ inability to use the network services. Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and +of browse lists across routed networks using the remote +browse sync parameter in the smb.conf file. +This causes Samba to contact the local master browser on a remote network and to request browse list synchronisation. This effectively bridges two networks that are separated by routers. The two remote networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and +based name resolution, but it should be noted that the remote +browse sync parameter provides browse list synchronisation - and that is distinct from name to address resolution, in other words, for cross subnet browsing to function correctly it is essential that a name to address resolution mechanism be provided. 
@@ -158,22 +163,24 @@ and so on. -Use of the "Remote Announce" parameter +Use of the <command>Remote Announce</command> parameter -The "remote announce" parameter of smb.conf can be used to forcibly ensure +The remote announce parameter of +smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. -The syntax of the "remote announce" parameter is: +The syntax of the remote announce parameter is: - remote announce = a.b.c.d [e.f.g.h] ... + remote announce = a.b.c.d [e.f.g.h] ... _or_ - remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... + remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... where: -a.b.c.d and e.f.g.h +a.b.c.d and +e.f.g.h is either the LMB (Local Master Browser) IP address or the broadcst address of the remote network. ie: the LMB is at 192.168.1.10, or the address @@ -187,7 +194,7 @@ the IP address of the remote LMB. -WORKGROUP +WORKGROUP is optional and can be either our own workgroup or that of the remote network. If you use the workgroup name of the remote network then our @@ -202,23 +209,24 @@ name resolution problems and should be avoided. -Use of the "Remote Browse Sync" parameter +Use of the <command>Remote Browse Sync</command> parameter -The "remote browse sync" parameter of smb.conf is used to announce to +The remote browse sync parameter of +smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is simultaneously the LMB on it's network segment. -The syntax of the "remote browse sync" parameter is: +The syntax of the remote browse sync parameter is: -remote browse sync = a.b.c.d +remote browse sync = a.b.c.d -where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment. +where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment. 
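Review bot: The two section titles in these hunks mark up "Remote Announce" and "Remote Browse Sync" in title case, while every other added line in this patch writes the parameters literally as remote announce and remote browse sync. Since the markup now presents them as literal smb.conf parameter names, please keep the lowercase spelling in the titles too, so a reader who copies the name gets what the syntax lines show. The paragraph touched in the @@ -202,23 +209,24 @@ hunk also still carries "synchronise it's NetBIOS name list" and "on it's network segment"; both should be "its" and could be fixed in the same pass.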
@@ -251,7 +259,8 @@ of all names that have registered the NetLogon service name_type. This saves broadcast traffic and greatly expedites logon processing. Since broadcast name resolution can not be used across network segments this type of information can only be provided via WINS _or_ via statically configured -"lmhosts" files that must reside on all clients in the absence of WINS. +lmhosts files that must reside on all clients in the +absence of WINS. @@ -275,8 +284,9 @@ errors. -To configure Samba as a WINS server just add "wins support = yes" to the -smb.conf file [globals] section. +To configure Samba as a WINS server just add +wins support = yes to the smb.conf +file [globals] section. -- cgit From 2a9e71aa9bd171af47e4ed73c932e75160b32d88 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 5 Apr 2003 07:33:29 +0000 Subject: More edits on profile management. (This used to be commit 7dac688c4d296433a62cc8665aab90ce387f6599) --- docs/docbook/projdoc/ProfileMgmt.sgml | 252 +++++++++++++++++++++++++++++++++- 1 file changed, 247 insertions(+), 5 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 9d11c80ffb..8eded5e9fb 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -412,7 +412,7 @@ nominated. Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool. +profiles tool. 
@@ -619,9 +619,29 @@ subkey, you will see a string value named ProfileImagePath. Mandatory profiles -The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN. +A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter. + + + + +Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable. + + + + +For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN. + + + +For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +affect a mandatory profile. 
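Review bot: The warning added in the Mandatory profiles section says the profile directory must never be made read-only, but the hunk does not say what protects the profile instead: a user who can write to that directory can presumably rename NTUser.MAN back to NTUser.DAT or replace it. Please state the ownership and permissions expected on the profile directory and on the .MAN file, or say explicitly that enforcement relies only on the client discarding changes at logout. "See previous chapter." should become a real cross-reference to the policy chapter. Small fixes while here: "it's contents" should be "its contents", and "affect a mandatory profile" should be "effect a mandatory profile".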
@@ -630,7 +650,229 @@ in the copied profile and rename it to NTUser.MAN. Creating/Managing Group Profiles -Blah goes here. +Most organisations are arranged into departments. There is a nice benenfit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile. + + + +The next step is rather important. PLEASE NOTE: Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile. + + + + Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + + + + + +Default Profile for Windows Users + + +MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages. + + + +MS Windows 9x/Me + + +To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly. + + + +To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. Do not forget to save the registry changes. 
+ + + +To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +HKEY_LOCAL_MACHINE\Network\Logon. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. + + + + + +MS Windows NT4 Workstation + + +Document NT4 default profile handling stuff here! Someone - please contribute appropriate +material here. Email your contribution to jht@samba.org. + + + + + +MS Windows 200x/XP + + + + MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + + + + +When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +C:\Documents and Settings\Default User. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. + + + +When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. ie: In MS Windows parlance: +%LOGONSERVER%\NETLOGON\Default User and if one exits there it will copy this +to the workstation to the C:\Documents and Settings\ under the Windows +login name of the user. + + + + + This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + should be created at the root of this share and msut be called Default Profile. 
+ + + + +If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile. + + + +On loging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path C:\Documents and Settings\%USERNAME%. + + + +Those wishing to modify the default behaviour can do so through up to three methods: + + + + + + Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + + + + + + Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + + + + + + Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. + + + + + +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is: + + + + + HKEY_CURRENT_USER + \Software + \Microsoft + \Windows NT + \CurrentVersion + \Explorer + \User Shell Folders\ + + + + +The above hive key contains a list of automatically managed folders. 
The default entries are: + + + + + Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Cache %USERPROFILE%\Local Settings\Temporary Internet Files + Cookies %USERPROFILE%\Cookies + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + History %USERPROFILE%\Local Settings\History + Local AppData %USERPROFILE%\Local Settings\Application Data + Local Settings %USERPROFILE%\Local Settings + My Pictures %USERPROFILE%\My Documents\My Pictures + NetHood %USERPROFILE%\NetHood + Personal %USERPROFILE%\My Documents + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + Templates %USERPROFILE%\Templates + + + + +There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ. + + + +It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will NOT be necessary to +write Outlook PST file over the network for every login and logout. + + + +To set this to a network location you could use the followin examples: + + %LOGONSERVER%\%USERNAME%\Default Folders + +This would store the folders in the user's home directory under a directory called "Default Folders" + +You could also use: + + \\SambaServer\FolderShare\%USERNAME% + +in which case the default folders will be stored in the server named SambaServer +in the share called FolderShare under a directory that has the name of the MS Windows +user as seen by the Linux/Unix file system. + + + +Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. + + + +
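Review bot: The added paragraphs on the NETLOGON default profile contradict each other: the client is said to search "%LOGONSERVER%\NETLOGON\Default User", while the note right after it says the directory "msut be called Default Profile". Please settle on one name and use it in both places; going by the path given, an administrator who follows the note would create a directory the client never looks for. Because this directory is copied to the workstation for each new user, the text should also say who is allowed to write to it in the [NETLOGON] share. The NT4 Workstation subsection is still a placeholder ("Document NT4 default profile handling stuff here!"), which swaps one "Blah goes here." for another. Typos to fix before merging: "benenfit", "gladly user it", the unclosed "(or change", "if one exits there", "msut", "loging", "followin", and the sentence beginning "The Registry Hive key that affects" does not parse.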
-- cgit From edb56d184679d276d011af857f7d1ab0c6817f0a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 5 Apr 2003 14:08:20 +0000 Subject: Fix typos / layout (This used to be commit fb20589e7c043ab1306051e80ca3f7476b1c6c58) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 2 +- docs/docbook/projdoc/Browsing.sgml | 102 ++++++++++----------- docs/docbook/projdoc/Bugs.sgml | 24 ++--- docs/docbook/projdoc/Compiling.sgml | 42 ++++----- .../projdoc/PAM-Authentication-And-Samba.sgml | 2 +- 5 files changed, 84 insertions(+), 88 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 5e93c62876..8146df0781 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -125,7 +125,7 @@ server? Does it have an encoding type of DES-CBC-MD5 ? On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but -specify the -k option to choose kerberos authentication. +specify the -k option to choose kerberos authentication. diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml index 2de0f446a6..43cc498618 100644 --- a/docs/docbook/projdoc/Browsing.sgml +++ b/docs/docbook/projdoc/Browsing.sgml @@ -16,7 +16,7 @@ SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called "browse list". This list +of machines in a network, a so-called browse list. This list contains machines that are ready to offer file and/or print services to other machines within the network. Thus it does not include machines which aren't currently able to do server tasks. The browse 
@@ -26,7 +26,7 @@ document. -MS Windows 2000 and later, as with Samba-3 and later, can be +MS Windows 2000 and later, as with Samba 3 and later, can be configured to not use NetBIOS over TCP/IP. When configured this way it is imperative that name resolution (using DNS/LDAP/ADS) be correctly configured and operative. Browsing will NOT work if name resolution @@ -80,15 +80,16 @@ recommended that you use one and only one Samba server as your WINS server. To get browsing to work you need to run nmbd as usual, but will need -to use the "workgroup" option in smb.conf to control what workgroup -Samba becomes a part of. +to use the workgroup option in smb.conf +to control what workgroup Samba becomes a part of. Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for -example. See "remote announce" in the smb.conf man page. +example. See remote announce in the +smb.conf man page. 
@@ -99,19 +100,19 @@ example. See "remote announce" in the smb.conf man page. If something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat. +in text form in a file called browse.dat. Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then hit enter and -filemanager should display the list of available shares. +type the server name as \\SERVER in filemanager then +hit enter and filemanager should display the list of available shares. Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ -connection that lists the shares is done as guest, and thus you must +guest account set to a valid account. Remember that the +IPC$ connection that lists the shares is done as guest, and thus you must have a valid guest account. @@ -124,15 +125,6 @@ name of the currently logged in user to query the IPC$ share. MS Windows server resources. - -Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to -not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd -are now far more likely to correctly find your broadcast and network -address, so in most cases these aren't needed. - - The other big problem people have is that their broadcast address, netmask or IP address is wrong (specified with the "interfaces" option 
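Review bot: The @@ -124,15 +125,6 @@ hunk deletes the whole paragraph about too many nmbd parameters in inetd.conf (the "-d2 instead of -d 2" advice and the recommendation not to use -B and -N), which is a content change, not a typo or layout fix as the commit subject says. Please either move the removal into its own commit with a message that explains why the advice is obsolete, or mention it in this one. Note that the Compiling.sgml part of the same commit keeps the related warning ("Many unixes only accept around 5 parameters on the command line in inetd.conf"), so after this change the two documents no longer agree on whether the limitation still matters.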
@@ -436,13 +428,13 @@ least set the parameter to 'no' on all these machines. -Machines with "wins support = yes" will keep a list of +Machines with wins support = yes will keep a list of all NetBIOS names registered with them, acting as a DNS for NetBIOS names. You should set up only ONE wins server. Do NOT set the -"wins support = yes" option on more than one Samba +wins support = yes option on more than one Samba server. @@ -455,8 +447,8 @@ refuse to document these replication protocols Samba cannot currently participate in these replications. It is possible in the future that a Samba->Samba WINS replication protocol may be defined, in which case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the "wins support = yes" -parameter set. +but currently only one Samba server should have the +wins support = yes parameter set. @@ -482,8 +474,8 @@ machine or its IP address. Note that this line MUST NOT BE SET in the smb.conf file of the Samba server acting as the WINS server itself. If you set both the -"wins support = yes" option and the -"wins server = <name>" option then +wins support = yes option and the +wins server = <name> option then nmbd will fail to start. 
@@ -572,17 +564,18 @@ master browser. -The "local master" parameter allows Samba to act as a local master -browser. The "preferred master" causes nmbd to force a browser -election on startup and the "os level" parameter sets Samba high -enough so that it should win any browser elections. +The local master parameter allows Samba to act as a +local master browser. The preferred master causes nmbd +to force a browser election on startup and the os level +parameter sets Samba high enough so that it should win any browser elections. If you have an NT machine on the subnet that you wish to be the local master browser then you can disable Samba from becoming a local master browser by setting the following -options in the [global] section of the smb.conf file : +options in the [global] section of the +smb.conf file : @@ -605,15 +598,16 @@ you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a Domain name is also the Domain master browser for that name, and many things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC. +browser NetBIOS name (DOMAIN<1B>) +with WINS instead of the PDC. For subnets other than the one containing the Windows NT PDC you may set up Samba servers as local master browsers as described. To make a Samba server a local master browser set -the following options in the [global] section of the smb.conf -file : +the following options in the [global] section +of the smb.conf file : 
@@ -627,10 +621,11 @@ os level = 65 If you wish to have a Samba server fight the election with machines -on the same subnet you may set the "os level" parameter to lower -levels. By doing this you can tune the order of machines that +on the same subnet you may set the os level parameter +to lower levels. By doing this you can tune the order of machines that will become local master browsers if they are running. For -more details on this see the section "FORCING SAMBA TO BE THE MASTER" +more details on this see the section +Forcing samba to be the master browser below. @@ -639,7 +634,8 @@ If you have Windows NT machines that are members of the domain on all subnets, and you are sure they will always be running then you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options -in the [global] section of the smb.conf file : +in the [global] section of the smb.conf +file : 
@@ -653,26 +649,26 @@ in the [global] section of the smb.conf file : - + Forcing samba to be the master -Who becomes the "master browser" is determined by an election process -using broadcasts. Each election packet contains a number of parameters +Who becomes the master browser is determined by an election +process using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the election. By default Samba uses a very low precedence and thus loses elections to just about anyone else. -If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 34 +If you want Samba to win elections then just set the os level global +option in smb.conf to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!) -A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows +A os level of 2 would make it beat WfWg and Win95, but not MS Windows NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. 
@@ -680,18 +676,18 @@ NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. If you want samba to force an election on startup, then set the -"preferred master" global option in smb.conf to "yes". Samba will +preferred master global option in smb.conf to "yes". Samba will then have a slight advantage over other potential master browsers that are not preferred master browsers. Use this parameter with care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with "preferred master" to +samba) on the same local subnet both set with preferred master to "yes", then periodically and continually they will force an election in order to become the local master browser. -If you want samba to be a "domain master browser", then it is -recommended that you also set "preferred master" to "yes", because +If you want samba to be a domain master browser, then it is +recommended that you also set preferred master to "yes", because samba will not become a domain master browser for the whole of your LAN or WAN if it is not also a local master browser on its own broadcast isolated subnet. @@ -715,8 +711,8 @@ the current domain master browser fail. The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting "domain master = yes" -in smb.conf. By default it will not be a domain master. +make samba act as the domain master by setting domain master = yes +in smb.conf. By default it will not be a domain master. @@ -733,8 +729,8 @@ browse lists. If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections, and set -"preferred master" to "yes", to get samba to force an election on +the os level high enough to make sure it wins elections, and set +preferred master to "yes", to get samba to force an election on startup. 
@@ -804,8 +800,8 @@ that browsing and name lookups won't work. Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the "interfaces" -option in smb.conf to configure them. See smb.conf(5) for details. +have multiple interfaces then you will need to use the interfaces +option in smb.conf to configure them. See smb.conf(5) for details.
diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index 4e4f7b9084..9c6be75c8d 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml @@ -100,8 +100,8 @@ include = /usr/local/samba/lib/smb.conf.%m then create a file -/usr/local/samba/lib/smb.conf.machine where -"machine" is the name of the client you wish to debug. In that file +/usr/local/samba/lib/smb.conf.machine where +machine is the name of the client you wish to debug. In that file put any smb.conf commands you want, for example log level= may be useful. This also allows you to experiment with different security systems, protocol levels etc on just @@ -112,7 +112,7 @@ one machine. The smb.conf entry log level = is synonymous with the entry debuglevel = that has been used in older versions of Samba and is being retained for backwards -compatibility of smb.conf files. +compatibility of smb.conf files. @@ -132,7 +132,7 @@ large volume of log data. If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software) +you have faulty hardware or system software). @@ -148,7 +148,7 @@ possible. Please make this reasonably detailed. -You may also find that a core file appeared in a "corefiles" +You may also find that a core file appeared in a corefiles subdirectory of the directory where you keep your samba log files. This file is the most useful tool for tracking down the bug. To use it you do this: 
@@ -158,13 +158,13 @@ use it you do this: adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try "dbx". Then within the debugger use the -command "where" to give a stack trace of where the problem +don't have gdb then try dbx. Then within the debugger use the +command where to give a stack trace of where the problem occurred. Include this in your mail. -If you known any assembly language then do a "disass" of the routine +If you known any assembly language then do a disass of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you @@ -180,8 +180,8 @@ useful. Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd does often). To debug with this sort of system you could try to attach -to the running process using "gdb smbd PID" where you get PID from -smbstatus. Then use "c" to continue and try to cause the core dump +to the running process using gdb smbd PID where you get PID from +smbstatus. Then use c to continue and try to cause the core dump using the client. The debugger should catch the fault and tell you where it occurred. @@ -193,8 +193,8 @@ where it occurred. The best sort of bug report is one that includes a fix! If you send us -patches please use diff -u format if your version of -diff supports it, otherwise use diff -c4. Make sure +patches please use diff -u format if your version of +diff supports it, otherwise use diff -c4. Make sure your do the diff against a clean version of the source and let me know exactly what version you used. diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index a5ff783244..1578522139 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml 
@@ -107,7 +107,7 @@ on this system just substitute the correct package name - cvs -d :pserver:cvs@samba.org:/cvsroot login + cvs -d :pserver:cvs@samba.org:/cvsroot login @@ -122,7 +122,7 @@ on this system just substitute the correct package name - cvs -d :pserver:cvs@samba.org:/cvsroot co samba + cvs -d :pserver:cvs@samba.org:/cvsroot co samba @@ -135,11 +135,11 @@ on this system just substitute the correct package name CVS branches other HEAD can be obtained by using the -r and defining a tag name. A list of branch tag names can be found on the "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. + latest 2.2 release code. This could be done by using the following userinput. - cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba + cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba @@ -150,7 +150,7 @@ on this system just substitute the correct package name - cvs update -d -P + cvs update -d -P @@ -180,8 +180,8 @@ on this system just substitute the correct package name Building the Binaries - To do this, first run the program ./configure - in the source directory. This should automatically + To do this, first run the program ./configure + in the source directory. This should automatically configure Samba for your operating system. If you have unusual needs then you may wish to run 
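Review bot: In the @@ -135,11 +135,11 @@ hunk of Compiling.sgml, the prose sentence changes from "by using the following command." to "by using the following userinput.", which looks like a search-and-replace of the markup element name leaking into running text. Please restore "command" in that sentence and check the rest of the commit for the same substitution. The unchanged first line of that hunk, "CVS branches other HEAD", is also missing "than" and could be fixed in the same pass.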
@@ -282,18 +282,18 @@ on this system just substitute the correct package name Starting the smbd and nmbd You must choose to start smbd and nmbd either - as daemons or from inetd. Don't try + as daemons or from inetdDon't try to do both! Either you can put them in inetd.conf and have them started on demand - by inetd, or you can start them as + by inetd, or you can start them as daemons either from the command line or in /etc/rc.local. See the man pages for details on the command line options. Take particular care to read the bit about what user you need to be in order to start Samba. In many cases you must be root. - The main advantage of starting smbd - and nmbd using the recommended daemon method + The main advantage of starting smbd + and nmbd using the recommended daemon method is that they will respond slightly more quickly to an initial connection request. @@ -332,21 +332,21 @@ on this system just substitute the correct package name NOTE: On many systems you may need to use the "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run ifconfig + and netmask of your interfaces. Run ifconfig as root if you don't know what the broadcast is for your - net. nmbd tries to determine it at run - time, but fails on some unixes. See the section on "testing nmbd" - for a method of finding if you need to do this. + net. nmbd tries to determine it at run + time, but fails on some unixes. + - !!!WARNING!!! Many unixes only accept around 5 + Many unixes only accept around 5 parameters on the command line in inetd.conf. This means you shouldn't use spaces between the options and arguments, or you should use a script, and start the script - from inetd. + from inetd.
Restart inetd, perhaps just send - it a HUP. If you have installed an earlier version of - nmbd then you may need to kill nmbd as well. + it a HUP. If you have installed an earlier version of + nmbd then you may need to kill nmbd as well. @@ -372,9 +372,9 @@ on this system just substitute the correct package name To kill it send a kill signal to the processes nmbd and smbd. - NOTE: If you use the SVR4 style init system then + If you use the SVR4 style init system then you may like to look at the examples/svr4-startup - script to make Samba fit into that system. + script to make Samba fit into that system. diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index e13a81eac5..ac9385f3de 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -37,7 +37,7 @@ or by editing individual files that are located in /etc/pam.d
- eg: "auth required /other_path/pam_strange_module.so" + auth required /other_path/pam_strange_module.so -- cgit From 5ac9305f22d3887698f308d9f185beed842569f5 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 5 Apr 2003 23:27:16 +0000 Subject: Filling in some more blanks. (This used to be commit 157a5525d371b6c90d9d634eaf3d98fed648569a) --- docs/docbook/projdoc/PolicyMgmt.sgml | 56 ++++-- docs/docbook/projdoc/ProfileMgmt.sgml | 345 ++++++++++++++++++++++++++-------- 2 files changed, 309 insertions(+), 92 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 9dee288b1f..867f5740e7 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml 
@@ -248,40 +248,68 @@ use this powerful tool. Please refer to the resource kit manuals for specific us Managing Account/User Policies -Document what are user policies (ie: Account Policies) here. +Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary. - -With Windows NT4/200x + +If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation. + -Brief overview of the tools and how to use them. +When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry. - -Windows NT4 Tools + +MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry tatooing effect. +This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates. + -Blah, blah, blah ... 
+Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes: - + + + Logon Hours + Password Aging + Permitted Logon from certain machines only + Account type (Local or Global) + User Rights + + - -Windows 200x Tools + +With Windows NT4/200x -Blah, blah, blah ... +The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. - - With a Samba PDC -Document the HOWTO here. +With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +smbpasswd, pdbedit, smbgroupedit, net, rpcclient.. The administrator should read the +man pages for these tools and become familiar with their use. diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 8eded5e9fb..d894093c63 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -151,16 +151,16 @@ and deny them write access to this file. - + On the Windows 9x / Me machine, go to Control Panel -> Passwords and select the User Profiles tab. Select the required level of roaming preferences. Press OK, but do _not_ allow the computer to reboot. - + - + On the Windows 9x / Me machine, go to Control Panel -> Network -> Client for Microsoft Networks -> Preferences. Select 'Log on to 
@@ -168,8 +168,7 @@ and deny them write access to this file. Microsoft Networks'. Press OK, and this time allow the computer to reboot. - - + @@ -228,13 +227,14 @@ they will be told that they are logging in "for the first time". - + instead of logging in under the [user, password, domain] dialog, press escape. - - + + + run the regedit.exe program, and look in: @@ -251,7 +251,7 @@ they will be told that they are logging in "for the first time". [Exit the registry editor]. - + 
@@ -362,52 +362,52 @@ profile on the MS Windows workstation as follows: - -Log on as the LOCAL workstation administrator. - - - -Right click on the 'My Computer' Icon, select 'Properties' - - - -Click on the 'User Profiles' tab - - - -Select the profile you wish to convert (click on it once) - - - -Click on the button 'Copy To' - - - -In the "Permitted to use" box, click on the 'Change' button. - - - -Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible. - + + Log on as the LOCAL workstation administrator. + + + + Right click on the 'My Computer' Icon, select 'Properties' + + + + Click on the 'User Profiles' tab + + + + Select the profile you wish to convert (click on it once) + + + + Click on the button 'Copy To' + + + + In the "Permitted to use" box, click on the 'Change' button. + + + + Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. + -You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword. - + You will need to log on if a logon box opens up. Eg: In the connect + as: MIDEARTH\root, password: mypassword. + - -To make the profile capable of being used by anyone select 'Everyone' - + + To make the profile capable of being used by anyone select 'Everyone' + - -Click OK. The Selection box will close. - + + Click OK. The Selection box will close. + - -Now click on the 'Ok' button to create the profile in the path you -nominated. - + + Now click on the 'Ok' button to create the profile in the path you + nominated. + 
@@ -450,29 +450,29 @@ same way as a domain group policy): On the XP workstation log in with an Administrator account. -Click: "Start", "Run" -Type: "mmc" -Click: "OK" - -A Microsoft Management Console should appear. -Click: File, "Add/Remove Snap-in...", "Add" -Double-Click: "Group Policy" -Click: "Finish", "Close" -Click: "OK" - -In the "Console Root" window: -Expand: "Local Computer Policy", "Computer Configuration", -"Administrative Templates", "System", "User Profiles" -Double-Click: "Do not check for user ownership of Roaming Profile -Folders" -Select: "Enabled" -Click: OK" - -Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed). - -Reboot + Click: "Start", "Run" + Type: "mmc" + Click: "OK" + + A Microsoft Management Console should appear. + Click: File, "Add/Remove Snap-in...", "Add" + Double-Click: "Group Policy" + Click: "Finish", "Close" + Click: "OK" + + In the "Console Root" window: + Expand: "Local Computer Policy", "Computer Configuration", + "Administrative Templates", "System", "User Profiles" + Double-Click: "Do not check for user ownership of Roaming Profile + Folders" + Select: "Enabled" + Click: OK" + + Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed). + + Reboot 
@@ -706,14 +706,186 @@ To modify the registry directly, launch the Registry Editor (regedit.exe), selec "User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. + +How User Profiles Are Handled in Windows 9x / Me? + +When a user logs on to a Windows 9x / Me machine, the local profile path, +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList, is checked +for an existing entry for that user: + + + +If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used. + + + +If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server. + + MS Windows NT4 Workstation -Document NT4 default profile handling stuff here! Someone - please contribute appropriate -material here. Email your contribution to jht@samba.org. +On MS Windows NT4 the default user profile is obtained from the location +%SystemRoot%\Profiles which in a default installation will translate to +C:\WinNT\Profiles. Under this directory on a clean install there will be +three (3) directories: Administrator, All Users, Default User. + + + +The All Users directory contains menu settings that are common across all +system users. 
The Default User directory contains menu entries that are +customisable per user depending on the profile settings chosen/created. + + + +When a new user first logs onto an MS Windows NT4 machine a new profile is created from: + + + + All Users settings + Default User settings (contains the default NTUser.DAT file) + + + +When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling: + + + + + + The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + %SystemRoot%\Profiles\%USERNAME%. This profile then inherits the + settings in the All Users profile in the %SystemRoot%\Profiles + location. + + + + + + If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% + directory from reading the Default User profile. + + + + + + If the NETLOGON share on the authenticating server (logon server) contains a policy file + (NTConfig.POL) then it's contents are applied to the NTUser.DAT + which is applied to the HKEY_CURRENT_USER part of the registry. + + + + + + When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The NTuser.DAT file is then + re-created from the contents of the HKEY_CURRENT_USER contents. + Thus, should there not exist in the NETLOGON share an NTConfig.POL at the + next logon, the effect of the provious NTConfig.POL will still be held + in the profile. The effect of this is known as tatooing. + + + + + +MS Windows NT4 profiles may be Local or Roaming. 
A Local profile +will stored in the %SystemRoot%\Profiles\%USERNAME% location. A roaming profile will +also remain stored in the same way, unless the following registry key is created: + + + + + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001 + + +In which case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be +deleted on logout. + + + +Under MS Windows NT4 default locations for common resources (like My Documents +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. + + + +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is: + + + + + HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\ + + + + +The above hive key contains a list of automatically managed folders. 
The default entries are: + + + + + Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + NetHood %USERPROFILE%\NetHood + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + + + + +The registry key that contains the location of the default profile settings is: + + + HKEY_LOCAL_MACHINE + \SOFTWARE + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders + + +The default entries are: + + + Common Desktop %SystemRoot%\Profiles\All Users\Desktop + Common Programs %SystemRoot%\Profiles\All Users\Programs + Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu + Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup + @@ -804,7 +976,7 @@ are controlled by entries on Windows 200x/XP is: HKEY_CURRENT_USER \Software \Microsoft - \Windows NT + \Windows \CurrentVersion \Explorer \User Shell Folders\ @@ -852,15 +1024,19 @@ write Outlook PST file over the network for every login and logout. -To set this to a network location you could use the followin examples: +To set this to a network location you could use the following examples: + %LOGONSERVER%\%USERNAME%\Default Folders + This would store the folders in the user's home directory under a directory called "Default Folders" You could also use: + \\SambaServer\FolderShare\%USERNAME% + in which case the default folders will be stored in the server named SambaServer in the share called FolderShare under a directory that has the name of the MS Windows 
@@ -872,6 +1048,19 @@ Please note that once you have created a default profile share, you MUST migrate (default or custom) to it. + +MS Windows 200x/XP profiles may be Local or Roaming. +A roaming profile will be cached locally unless the following registry key is created: + + + + + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001 + + +In which case, the local cache copy will be deleted on logout. + -- cgit From d164bb1772e6c4b1761bea86dc4b8f0940764995 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 5 Apr 2003 23:39:01 +0000 Subject: Update for other contributors to. (This used to be commit d12a1bb8260673a5c280960b21957e68b241e540) --- docs/docbook/projdoc/ProfileMgmt.sgml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index d894093c63..94bc60b464 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -706,9 +706,10 @@ To modify the registry directly, launch the Registry Editor (regedit.exe), selec "User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. - + How User Profiles Are Handled in Windows 9x / Me? + When a user logs on to a Windows 9x / Me machine, the local profile path, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList, is checked for an existing entry for that user: @@ -730,6 +731,7 @@ changes that the user made are written to the user's local profile. If the user profile, the changes are written to the user's profile on the server. + -- cgit From 9496f1e2063eb0b93142bfaf86979b21bf8b56e6 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Sun, 6 Apr 2003 13:07:44 +0000 Subject: Convert 'Security' section of smb.conf to new format (This used to be commit 85eadec0838bdcb5604d5cf66b204ee610e2ad7a) --- docs/docbook/smbdotconf/security/adminusers.xml | 26 +- .../smbdotconf/security/algorithmicridbase.xml | 43 +- docs/docbook/smbdotconf/security/allowhosts.xml | 14 +- .../smbdotconf/security/allowtrusteddomains.xml | 42 +- docs/docbook/smbdotconf/security/authmethods.xml | 31 +- docs/docbook/smbdotconf/security/createmask.xml | 84 ++-- docs/docbook/smbdotconf/security/createmode.xml | 13 +- docs/docbook/smbdotconf/security/denyhosts.xml | 14 +- docs/docbook/smbdotconf/security/directorymask.xml | 88 ++-- docs/docbook/smbdotconf/security/directorymode.xml | 13 +- .../smbdotconf/security/directorysecuritymask.xml | 58 +-- .../smbdotconf/security/encryptpasswords.xml | 43 +- .../smbdotconf/security/forcecreatemode.xml | 45 +- .../smbdotconf/security/forcedirectorymode.xml | 47 +- .../security/forcedirectorysecuritymode.xml | 57 +-- docs/docbook/smbdotconf/security/forcegroup.xml | 64 +-- .../smbdotconf/security/forcesecuritymode.xml | 59 +-- docs/docbook/smbdotconf/security/forceuser.xml | 44 +- docs/docbook/smbdotconf/security/group.xml | 14 +- docs/docbook/smbdotconf/security/guestaccount.xml | 50 ++- docs/docbook/smbdotconf/security/guestok.xml | 32 +- docs/docbook/smbdotconf/security/guestonly.xml | 25 +- docs/docbook/smbdotconf/security/hostsallow.xml | 86 ++-- docs/docbook/smbdotconf/security/hostsdeny.xml | 26 +- docs/docbook/smbdotconf/security/hostsequiv.xml | 49 ++- docs/docbook/smbdotconf/security/inheritacls.xml | 26 +- .../smbdotconf/security/inheritpermissions.xml | 64 +-- docs/docbook/smbdotconf/security/invalidusers.xml | 58 +-- docs/docbook/smbdotconf/security/lanmanauth.xml | 23 +- docs/docbook/smbdotconf/security/maptoguest.xml | 99 +++-- .../smbdotconf/security/minpasswdlength.xml | 16 +- .../smbdotconf/security/minpasswordlength.xml | 27 +- 
.../smbdotconf/security/nonunixaccountrange.xml | 40 +- docs/docbook/smbdotconf/security/ntlmauth.xml | 27 +- docs/docbook/smbdotconf/security/nullpasswords.xml | 20 +- .../smbdotconf/security/obeypamrestrictions.xml | 32 +- docs/docbook/smbdotconf/security/onlyguest.xml | 14 +- docs/docbook/smbdotconf/security/onlyuser.xml | 44 +- .../smbdotconf/security/pampasswordchange.xml | 31 +- docs/docbook/smbdotconf/security/passdbbackend.xml | 174 ++++---- docs/docbook/smbdotconf/security/passwdchat.xml | 120 +++--- .../smbdotconf/security/passwdchatdebug.xml | 48 ++- docs/docbook/smbdotconf/security/passwdprogram.xml | 64 +-- docs/docbook/smbdotconf/security/passwordlevel.xml | 84 ++-- .../docbook/smbdotconf/security/passwordserver.xml | 164 +++---- docs/docbook/smbdotconf/security/printeradmin.xml | 25 +- docs/docbook/smbdotconf/security/privatedir.xml | 21 +- docs/docbook/smbdotconf/security/public.xml | 15 +- docs/docbook/smbdotconf/security/readlist.xml | 35 +- docs/docbook/smbdotconf/security/readonly.xml | 29 +- .../smbdotconf/security/restrictanonymous.xml | 20 +- docs/docbook/smbdotconf/security/root.xml | 16 +- docs/docbook/smbdotconf/security/rootdir.xml | 16 +- docs/docbook/smbdotconf/security/rootdirectory.xml | 58 +-- docs/docbook/smbdotconf/security/security.xml | 477 +++++++++++---------- docs/docbook/smbdotconf/security/securitymask.xml | 59 +-- .../docbook/smbdotconf/security/serverschannel.xml | 43 +- docs/docbook/smbdotconf/security/smbpasswdfile.xml | 25 +- .../smbdotconf/security/unixpasswordsync.xml | 36 +- .../smbdotconf/security/updateencrypted.xml | 55 +-- docs/docbook/smbdotconf/security/user.xml | 14 +- docs/docbook/smbdotconf/security/username.xml | 124 +++--- docs/docbook/smbdotconf/security/usernamelevel.xml | 40 +- docs/docbook/smbdotconf/security/usernamemap.xml | 169 ++++---- docs/docbook/smbdotconf/security/users.xml | 15 +- docs/docbook/smbdotconf/security/validusers.xml | 38 +- docs/docbook/smbdotconf/security/writable.xml | 14 +- 
docs/docbook/smbdotconf/security/writeable.xml | 14 +- docs/docbook/smbdotconf/security/writelist.xml | 35 +- docs/docbook/smbdotconf/security/writeok.xml | 14 +- 70 files changed, 1953 insertions(+), 1696 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/smbdotconf/security/adminusers.xml b/docs/docbook/smbdotconf/security/adminusers.xml index 2e1abaf6e1..09989aa79a 100644 --- a/docs/docbook/smbdotconf/security/adminusers.xml +++ b/docs/docbook/smbdotconf/security/adminusers.xml @@ -1,15 +1,17 @@ - - admin users (S) - This is a list of users who will be granted - administrative privileges on the share. This means that they - will do all file operations as the super-user (root). + + + This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root). - You should use this option very carefully, as any user in - this list will be able to do anything they like on the share, - irrespective of file permissions. + You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions. - Default: no admin users + Default: no admin users - Example: admin users = jason - - + Example: admin users = jason + + diff --git a/docs/docbook/smbdotconf/security/algorithmicridbase.xml b/docs/docbook/smbdotconf/security/algorithmicridbase.xml index 3c2bf8686e..d1d33d419b 100644 --- a/docs/docbook/smbdotconf/security/algorithmicridbase.xml +++ b/docs/docbook/smbdotconf/security/algorithmicridbase.xml 
@@ -1,22 +1,27 @@ - - algorithmic rid base (G) - This determines how Samba will use its - algorithmic mapping from uids/gid to the RIDs needed to construct - NT Security Identifiers. + + + This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + - Setting this option to a larger value could be useful to sites - transitioning from WinNT and Win2k, as existing user and - group rids would otherwise clash with sytem users etc. - + Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + - All UIDs and GIDs must be able to be resolved into SIDs for - the correct operation of ACLs on the server. As such the algorithmic - mapping can't be 'turned off', but pushing it 'out of the way' should - resolve the issues. Users and groups can then be assigned 'low' RIDs - in arbitary-rid supporting backends. + All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. + - Default: algorithmic rid base = 1000 - - Example: algorithmic rid base = 100000 - - + Default: algorithmic rid base = 1000 + + Example: algorithmic rid base = 100000 + + diff --git a/docs/docbook/smbdotconf/security/allowhosts.xml b/docs/docbook/smbdotconf/security/allowhosts.xml index 7fd2f426f8..ea7c0fa05e 100644 --- a/docs/docbook/smbdotconf/security/allowhosts.xml +++ b/docs/docbook/smbdotconf/security/allowhosts.xml @@ -1,5 +1,9 @@ - - allow hosts (S) - Synonym for - hosts allow. - + + + Synonym for + hosts allow. + + 
diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml index 35dcd76cbd..63363d2607 100644 --- a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml +++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml 
@@ -1,22 +1,26 @@ - - allow trusted domains (G) - This option only takes effect when the security option is set to - server or domain. - If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which smbd is running - in will fail, even if that domain is trusted by the remote server - doing the authentication. + + + This option only takes effect when the + security option is set to + server or domain. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication. - This is useful if you only want your Samba server to - serve resources to users in the domain it is a member of. As - an example, suppose that there are two domains DOMA and DOMB. DOMB - is trusted by DOMA, which contains the Samba server. Under normal - circumstances, a user with an account in DOMB can then access the - resources of a UNIX account with the same account name on the - Samba server even if they do not have an account in DOMA. This - can make implementing a security boundary difficult. + This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult. - Default: allow trusted domains = yes + Default: allow trusted domains = yes - - + + diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml index 2e569558a0..0b7965d55b 100644 --- a/docs/docbook/smbdotconf/security/authmethods.xml 
+++ b/docs/docbook/smbdotconf/security/authmethods.xml @@ -1,16 +1,19 @@ - - auth methods (G) - This option allows the administrator to chose what - authentication methods smbd will use when authenticating - a user. This option defaults to sensible values based on - security. + + + This option allows the administrator to chose what + authentication methods smbd will use when authenticating + a user. This option defaults to sensible values based on + security. - Each entry in the list attempts to authenticate the user in turn, until - the user authenticates. In practice only one method will ever actually - be able to complete the authentication. - + Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. + - Default: auth methods = <empty string> - Example: auth methods = guest sam ntdomain - - + Default: auth methods = <empty string> + Example: auth methods = guest sam ntdomain + + diff --git a/docs/docbook/smbdotconf/security/createmask.xml b/docs/docbook/smbdotconf/security/createmask.xml index 9a197bf7c3..6765702878 100644 --- a/docs/docbook/smbdotconf/security/createmask.xml +++ b/docs/docbook/smbdotconf/security/createmask.xml 
@@ -1,39 +1,45 @@ - - create mask (S) - A synonym for this parameter is - create mode - . - - When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit not - set here will be removed from the modes set on a file when it is - created. - - The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes. - - Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the force create mode - parameter which is set to 000 by default. - - This parameter does not affect directory modes. See the - parameter directory mode - for details. - - See also the force - create mode parameter for forcing particular mode - bits to be set on created files. See also the - directory mode parameter for masking - mode bits on created directories. See also the - inherit permissions parameter. - - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the security mask. - - Default: create mask = 0744 - Example: create mask = 0775 - + + + A synonym for this parameter is + create mode + . + + When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit not + set here will be removed from the modes set on a file when it is + created. + + The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes. 
+ + Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the + force create mode + parameter which is set to 000 by default. + + This parameter does not affect directory modes. See the + parameter directory mode + for details. + + See also the force + create mode parameter for forcing particular mode + bits to be set on created files. See also the + directory mode parameter for masking + mode bits on created directories. See also the + inherit permissions parameter. + + Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the + security mask. + + Default: create mask = 0744 + + Example: create mask = 0775 + + diff --git a/docs/docbook/smbdotconf/security/createmode.xml b/docs/docbook/smbdotconf/security/createmode.xml index 7e78ab0181..c49acf070d 100644 --- a/docs/docbook/smbdotconf/security/createmode.xml +++ b/docs/docbook/smbdotconf/security/createmode.xml @@ -1,5 +1,8 @@ - - create mode (S) - This is a synonym for - create mask. - + + + This is a synonym for + create mask. + + diff --git a/docs/docbook/smbdotconf/security/denyhosts.xml b/docs/docbook/smbdotconf/security/denyhosts.xml index f50fb33d33..d5ffb0e452 100644 --- a/docs/docbook/smbdotconf/security/denyhosts.xml +++ b/docs/docbook/smbdotconf/security/denyhosts.xml @@ -1,5 +1,9 @@ - - deny hosts (S) - Synonym for hosts - deny. - + + + Synonym for hosts + deny. + + diff --git a/docs/docbook/smbdotconf/security/directorymask.xml b/docs/docbook/smbdotconf/security/directorymask.xml index 0844733ede..d50047d46f 100644 --- a/docs/docbook/smbdotconf/security/directorymask.xml +++ b/docs/docbook/smbdotconf/security/directorymask.xml 
@@ -1,43 +1,47 @@ - - directory mask (S) - This parameter is the octal modes which are - used when converting DOS modes to UNIX modes when creating UNIX - directories. - - When a directory is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX permissions, - and the resulting UNIX mode is then bit-wise 'AND'ed with this - parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit not set - here will be removed from the modes set on a directory when it is - created. - - The default value of this parameter removes the 'group' - and 'other' write bits from the UNIX mode, allowing only the - user who owns the directory to modify it. + + + This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories. + + When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created. + + The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it. - Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the force directory mode - parameter. This parameter is set to 000 by - default (i.e. no extra mode bits are added). - - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the directory security mask. - - See the force - directory mode parameter to cause particular mode - bits to always be set on created directories. 
- - See also the create mode - parameter for masking mode bits on created files, - and the directory - security mask parameter. - - Also refer to the - inherit permissions parameter. - - Default: directory mask = 0755 - Example: directory mask = 0775 - - + Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the + force directory mode parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added). + + Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the + directory security mask. + + See the force + directory mode parameter to cause particular mode + bits to always be set on created directories. + + See also the create mode + parameter for masking mode bits on created files, + and the directory + security mask parameter. + + Also refer to the + inherit permissions parameter. + + Default: directory mask = 0755 + + Example: directory mask = 0775 + + diff --git a/docs/docbook/smbdotconf/security/directorymode.xml b/docs/docbook/smbdotconf/security/directorymode.xml index 9678cd91ad..3facac2bc1 100644 --- a/docs/docbook/smbdotconf/security/directorymode.xml +++ b/docs/docbook/smbdotconf/security/directorymode.xml @@ -1,5 +1,8 @@ - - directory mode (S) - Synonym for - directory mask - + + + Synonym for + directory mask + + diff --git a/docs/docbook/smbdotconf/security/directorysecuritymask.xml b/docs/docbook/smbdotconf/security/directorysecuritymask.xml index 76d153f6f4..d5413d4578 100644 --- a/docs/docbook/smbdotconf/security/directorysecuritymask.xml +++ b/docs/docbook/smbdotconf/security/directorysecuritymask.xml 
@@ -1,32 +1,36 @@ - - directory security mask (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. + + + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box. - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to modify all the user/group/world - permissions on a directory. + If not set explicitly this parameter is set to 0777 + meaning a user is allowed to modify all the user/group/world + permissions on a directory. - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of 0777. - See also the - force directory security mode, security mask, - force security mode - parameters. + See also the + force directory security mode, + security mask, + force security mode + parameters. 
- Default: directory security mask = 0777 - Example: directory security mask = 0700 - - + Default: directory security mask = 0777 + + Example: directory security mask = 0700 + + diff --git a/docs/docbook/smbdotconf/security/encryptpasswords.xml b/docs/docbook/smbdotconf/security/encryptpasswords.xml index d7ceb8d598..4f83a776c8 100644 --- a/docs/docbook/smbdotconf/security/encryptpasswords.xml +++ b/docs/docbook/smbdotconf/security/encryptpasswords.xml @@ -1,21 +1,26 @@ - - encrypt passwords (G) - This boolean controls whether encrypted passwords - will be negotiated with the client. Note that Windows NT 4.0 SP3 and - above and also Windows 98 will by default expect encrypted passwords - unless a registry entry is changed. To use encrypted passwords in - Samba see the file ENCRYPTION.txt in the Samba documentation - directory docs/ shipped with the source code. + + + This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the file ENCRYPTION.txt in the Samba documentation + directory docs/ shipped + with the source code. - In order for encrypted passwords to work correctly - smbd - 8 must either - have access to a local smbpasswd - 5 file (see the smbpasswd - 8 program for information on how to set up - and maintain this file), or set the security = [server|domain|ads] parameter which - causes smbd to authenticate against another - server. + In order for encrypted passwords to work correctly + smbd + 8 must either + have access to a local smbpasswd + 5 file (see the smbpasswd + 8 program for information on how to set up + and maintain this file), or set the security = [server|domain|ads] parameter which + causes smbd to authenticate against another + server. - Default: encrypt passwords = yes - + Default: encrypt passwords = yes + + 
diff --git a/docs/docbook/smbdotconf/security/forcecreatemode.xml b/docs/docbook/smbdotconf/security/forcecreatemode.xml index 238340d7c5..66b29950d0 100644 --- a/docs/docbook/smbdotconf/security/forcecreatemode.xml +++ b/docs/docbook/smbdotconf/security/forcecreatemode.xml @@ -1,25 +1,28 @@ - - force create mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a - file created by Samba. This is done by bitwise 'OR'ing these bits onto - the mode bits of a file that is being created or having its - permissions changed. The default for this parameter is (in octal) - 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create mask - parameter is applied. + + + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied. - See also the parameter create - mask for details on masking mode bits on files. + See also the parameter create + mask for details on masking mode bits on files. - See also the inherit - permissions parameter. + See also the inherit + permissions parameter. - Default: force create mode = 000 - Example: force create mode = 0755 + Default: force create mode = 000 - would force all created files to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - + Example: force create mode = 0755 + + would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + 
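Review bot: In forcecreatemode.xml the example "force create mode = 0755" ORs the execute bit for user, group and other onto every file created through the share, and the description says these bits are applied after the create mask, so the mask cannot take them away again. The paragraph following the Example line should say that outright, or the example should use a mode without execute bits. The Default line is written "000" while the example uses four digits; pick one octal form.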
diff --git a/docs/docbook/smbdotconf/security/forcedirectorymode.xml b/docs/docbook/smbdotconf/security/forcedirectorymode.xml index 460a7fc6f2..b417f08b24 100644 --- a/docs/docbook/smbdotconf/security/forcedirectorymode.xml +++ b/docs/docbook/smbdotconf/security/forcedirectorymode.xml 
@@ -1,26 +1,29 @@ - - force directory mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory - created by Samba. This is done by bitwise 'OR'ing these bits onto the - mode bits of a directory that is being created. The default for this - parameter is (in octal) 0000 which will not add any extra permission - bits to a created directory. This operation is done after the mode - mask in the parameter directory mask is - applied. + + + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied. - See also the parameter - directory mask for details on masking mode bits - on created directories. + See also the parameter + directory mask for details on masking mode bits + on created directories. - See also the - inherit permissions parameter. + See also the + inherit permissions parameter. - Default: force directory mode = 000 - Example: force directory mode = 0755 + Default: force directory mode = 000 - would force all created directories to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - + Example: force directory mode = 0755 + + would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + diff --git a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml index a01b297b05..8c35ccbf8a 100644 --- a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml 
+++ b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -1,32 +1,35 @@ - - force directory security mode (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box. + + + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box. - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'. + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'. - If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions. + If not set explicitly this parameter is 000, which + allows a user to modify all the user/group/world permissions on a + directory without restrictions. - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000. + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it set as 0000. - See also the - directory security mask, - security mask, - force security mode - parameters. 
+ See also the + directory security mask, + security mask, + force security mode + parameters. - Default: force directory security mode = 0 - Example: force directory security mode = 700 - - + Default: force directory security mode = 0 + + Example: force directory security mode = 700 + + diff --git a/docs/docbook/smbdotconf/security/forcegroup.xml b/docs/docbook/smbdotconf/security/forcegroup.xml index abfec79e03..eafdfe8e23 100644 --- a/docs/docbook/smbdotconf/security/forcegroup.xml +++ b/docs/docbook/smbdotconf/security/forcegroup.xml 
@@ -1,35 +1,37 @@ - - force group (S) - This specifies a UNIX group name that will be - assigned as the default primary group for all users connecting - to this service. This is useful for sharing files by ensuring - that all access to files on service will use the named group for - their permissions checking. Thus, by assigning permissions for this - group to the files and directories within this service the Samba - administrator can restrict or allow sharing of these files. + + + This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files. - In Samba 2.0.5 and above this parameter has extended - functionality in the following way. If the group name listed here - has a '+' character prepended to it then the current user accessing - the share only has the primary group default assigned to this group - if they are already assigned as a member of that group. This allows - an administrator to decide that only users who are already in a - particular group will create files with group ownership set to that - group. This gives a finer granularity of ownership assignment. For - example, the setting force group = +sys means - that only users who are already in group sys will have their default - primary group assigned to sys when accessing this Samba share. All - other users will retain their ordinary primary group. + In Samba 2.0.5 and above this parameter has extended + functionality in the following way. 
If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group. - If the force user - parameter is also set the group specified in - force group will override the primary group - set in force user. + If the force user + parameter is also set the group specified in + force group will override the primary group + set in force user. - See also force - user. + See also force user. - Default: no forced group - Example: force group = agroup - - + Default: no forced group + + Example: force group = agroup + + diff --git a/docs/docbook/smbdotconf/security/forcesecuritymode.xml b/docs/docbook/smbdotconf/security/forcesecuritymode.xml index 2db50f1ce3..4151239f53 100644 --- a/docs/docbook/smbdotconf/security/forcesecuritymode.xml +++ b/docs/docbook/smbdotconf/security/forcesecuritymode.xml 
@@ -1,33 +1,36 @@ - - force security mode (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box. + + + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box. - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'. + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'. - If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions. + If not set explicitly this parameter is set to 0, + and allows a user to modify all the user/group/world permissions on a file, + with no restrictions. - Note that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - this set to 0000. + Note that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + this set to 0000. - See also the - force directory security mode, - directory security - mask, - security mask parameters. 
+ See also the + force directory security mode, + directory security + mask, + security mask parameters. - Default: force security mode = 0 - Example: force security mode = 700 - - + Default: force security mode = 0 + + Example: force security mode = 700 + + diff --git a/docs/docbook/smbdotconf/security/forceuser.xml b/docs/docbook/smbdotconf/security/forceuser.xml index 4747db13fe..79c7aa3806 100644 --- a/docs/docbook/smbdotconf/security/forceuser.xml +++ b/docs/docbook/smbdotconf/security/forceuser.xml 
@@ -1,25 +1,27 @@ - - force user (S) - This specifies a UNIX user name that will be - assigned as the default user for all users connecting to this service. - This is useful for sharing files. You should also use it carefully - as using it incorrectly can cause security problems. + + + This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems. - This user name only gets used once a connection is established. - Thus clients still need to connect as a valid user and supply a - valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected - as. This can be very useful. + This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful. - In Samba 2.0.5 and above this parameter also causes the - primary group of the forced user to be used as the primary group - for all file activity. Prior to 2.0.5 the primary group was left - as the primary group of the connecting user (this was a bug). + In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug). - See also force group - + See also force group - Default: no forced user - Example: force user = auser - - + Default: no forced user + + Example: force user = auser + + diff --git a/docs/docbook/smbdotconf/security/group.xml b/docs/docbook/smbdotconf/security/group.xml index afc410ce34..453ca0f45b 100644 
--- a/docs/docbook/smbdotconf/security/group.xml +++ b/docs/docbook/smbdotconf/security/group.xml @@ -1,5 +1,9 @@ - - group (S) - Synonym for force - group. - + + + Synonym for + force group. + + diff --git a/docs/docbook/smbdotconf/security/guestaccount.xml b/docs/docbook/smbdotconf/security/guestaccount.xml index ab15c4460d..9db3b6362d 100644 --- a/docs/docbook/smbdotconf/security/guestaccount.xml +++ b/docs/docbook/smbdotconf/security/guestaccount.xml 
@@ -1,27 +1,31 @@ - - guest account (S) - This is a username which will be used for access - to services which are specified as - guest ok (see below). Whatever privileges this - user has will be available to any client connecting to the guest service. - Typically this user will exist in the password file, but will not - have a valid login. The user account "ftp" is often a good choice - for this parameter. If a username is specified in a given service, - the specified username overrides this one. + + + This is a username which will be used for access + to services which are specified as + guest ok (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + Typically this user will exist in the password file, but will not + have a valid login. The user account "ftp" is often a good choice + for this parameter. If a username is specified in a given service, + the specified username overrides this one. + - One some systems the default guest account "nobody" may not - be able to print. Use another account in this case. You should test - this by trying to log in as your guest user (perhaps by using the - su - command) and trying to print using the - system print command such as lpr(1) or - lp(1). + One some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1). - This parameter does not accept % macros, because - many parts of the system require this value to be - constant for correct operation. + This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation. 
- Default: specified at compile time, usually - "nobody" + Default: specified at compile time, usually "nobody" - Example: guest account = ftp - + Example: guest account = ftp + + diff --git a/docs/docbook/smbdotconf/security/guestok.xml b/docs/docbook/smbdotconf/security/guestok.xml index 2b7a8cee8a..eef1801dc3 100644 --- a/docs/docbook/smbdotconf/security/guestok.xml +++ b/docs/docbook/smbdotconf/security/guestok.xml @@ -1,17 +1,21 @@ - - guest ok (S) - If this parameter is yes for - a service, then no password is required to connect to the service. - Privileges will be those of the - guest account. + + + If this parameter is yes for + a service, then no password is required to connect to the service. + Privileges will be those of the + guest account. - This paramater nullifies the benifits of setting - restrict - anonymous = 2 + This paramater nullifies the benifits of setting + restrict + anonymous = 2 - See the section below on - security for more information about this option. - + See the section below on + security for more information about this option. + - Default: guest ok = no - + Default: guest ok = no + + diff --git a/docs/docbook/smbdotconf/security/guestonly.xml b/docs/docbook/smbdotconf/security/guestonly.xml index ac7f62ad68..f116a5f22c 100644 --- a/docs/docbook/smbdotconf/security/guestonly.xml +++ b/docs/docbook/smbdotconf/security/guestonly.xml 
@@ -1,13 +1,16 @@ - - guest only (S) - If this parameter is yes for - a service, then only guest connections to the service are permitted. - This parameter will have no effect if - guest ok is not set for the service. + + + If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if + guest ok is not set for the service. - See the section below on - security for more information about this option. - + See the section below on + security for more information about this option. + - Default: guest only = no - + Default: guest only = no + + diff --git a/docs/docbook/smbdotconf/security/hostsallow.xml b/docs/docbook/smbdotconf/security/hostsallow.xml index ea91b73903..95aa7ee516 100644 --- a/docs/docbook/smbdotconf/security/hostsallow.xml +++ b/docs/docbook/smbdotconf/security/hostsallow.xml 
@@ -1,60 +1,62 @@ - - hosts allow (S) - A synonym for this parameter is allow - hosts. + + + A synonym for this parameter is allow + hosts. - This parameter is a comma, space, or tab delimited - set of hosts which are permitted to access a service. + This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service. - If specified in the [global] section then it will - apply to all services, regardless of whether the individual - service has a different setting. + If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting. - You can specify the hosts by name or IP number. For - example, you could restrict access to only the hosts on a - Class C subnet with something like allow hosts = 150.203.5. - . The full syntax of the list is described in the man - page hosts_access(5). Note that this man - page may not be present on your system, so a brief description will - be given here also. + You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5. + . The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also. - Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a hosts deny option. + Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a + hosts deny option. - You can also specify hosts by network/netmask pairs and - by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a - wildcard list. The following examples may provide some help: + You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. 
The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help: - Example 1: allow all IPs in 150.203.*.*; except one + Example 1: allow all IPs in 150.203.*.*; except one - hosts allow = 150.203. EXCEPT 150.203.6.66 + hosts allow = 150.203. EXCEPT 150.203.6.66 - Example 2: allow hosts that match the given network/netmask + Example 2: allow hosts that match the given network/netmask - hosts allow = 150.203.15.0/255.255.255.0 + hosts allow = 150.203.15.0/255.255.255.0 - Example 3: allow a couple of hosts + Example 3: allow a couple of hosts - hosts allow = lapland, arvidsjaur + hosts allow = lapland, arvidsjaur - Example 4: allow only hosts in NIS netgroup "foonet", but - deny access from one particular host + Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host - hosts allow = @foonet + hosts allow = @foonet - hosts deny = pirate + hosts deny = pirate - Note that access still requires suitable user-level passwords. + Note that access still requires suitable user-level passwords. - See testparm - 1 for a way of testing your host access - to see if it does what you expect. + See testparm + 1 for a way of testing your host access + to see if it does what you expect. - Default: none (i.e., all hosts permitted access) - + Default: none (i.e., all hosts permitted access) - Example: allow hosts = 150.203.5. myhost.mynet.edu.au - - - + Example: allow hosts = 150.203.5. myhost.mynet.edu.au + + diff --git a/docs/docbook/smbdotconf/security/hostsdeny.xml b/docs/docbook/smbdotconf/security/hostsdeny.xml index f37e2b7e4d..e4b47051fa 100644 --- a/docs/docbook/smbdotconf/security/hostsdeny.xml +++ b/docs/docbook/smbdotconf/security/hostsdeny.xml 
@@ -1,14 +1,16 @@ - - hosts deny (S) - The opposite of hosts allow - - hosts listed here are NOT permitted access to - services unless the specific services have their own lists to override - this one. Where the lists conflict, the allow - list takes precedence. + + + The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence. - Default: none (i.e., no hosts specifically excluded) - + Default: none (i.e., no hosts specifically excluded) - Example: hosts deny = 150.203.4. badhost.mynet.edu.au - - + Example: hosts deny = 150.203.4. badhost.mynet.edu.au + + diff --git a/docs/docbook/smbdotconf/security/hostsequiv.xml b/docs/docbook/smbdotconf/security/hostsequiv.xml index 084d8268ef..873053be28 100644 --- a/docs/docbook/smbdotconf/security/hostsequiv.xml +++ b/docs/docbook/smbdotconf/security/hostsequiv.xml 
@@ -1,26 +1,29 @@ - - hosts equiv (G) - If this global parameter is a non-null string, - it specifies the name of a file to read for the names of hosts - and users who will be allowed access without specifying a password. - + + + If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + - This is not be confused with - hosts allow which is about hosts - access to services and is more useful for guest services. - hosts equiv may be useful for NT clients which will - not supply passwords to Samba. + This is not be confused with + hosts allow which is about hosts + access to services and is more useful for guest services. + hosts equiv may be useful for NT clients which will + not supply passwords to Samba. - The use of hosts equiv - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - hosts equiv option be only used if you really - know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust - them :-). + The use of hosts equiv + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + hosts equiv option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you really trust + them :-). - Default: no host equivalences - Example: hosts equiv = /etc/hosts.equiv - - + Default: no host equivalences + Example: hosts equiv = /etc/hosts.equiv + + diff --git a/docs/docbook/smbdotconf/security/inheritacls.xml b/docs/docbook/smbdotconf/security/inheritacls.xml index f70c0d9165..6fcfdc19ce 100644 --- a/docs/docbook/smbdotconf/security/inheritacls.xml 
+++ b/docs/docbook/smbdotconf/security/inheritacls.xml @@ -1,14 +1,14 @@ - - inherit acls (S) - This parameter can be used to ensure - that if default acls exist on parent directories, - they are always honored when creating a subdirectory. - The default behavior is to use the mode specified - when creating the directory. Enabling this option - sets the mode to 0777, thus guaranteeing that - default directory acls are propagated. - + + + This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + subdirectory. The default behavior is to use the mode specified when + creating the directory. Enabling this option sets the mode to 0777, + thus guaranteeing that default directory acls are propagated. + - Default: inherit acls = no - - + Default: inherit acls = no + + diff --git a/docs/docbook/smbdotconf/security/inheritpermissions.xml b/docs/docbook/smbdotconf/security/inheritpermissions.xml index 34fade33d0..aacf169863 100644 --- a/docs/docbook/smbdotconf/security/inheritpermissions.xml +++ b/docs/docbook/smbdotconf/security/inheritpermissions.xml 
@@ -1,36 +1,40 @@ - - inherit permissions (S) - The permissions on new files and directories - are normally governed by - create mask, - directory mask, force create mode - and force - directory mode but the boolean inherit - permissions parameter overrides this. + + + The permissions on new files and directories + are normally governed by + create mask, + directory mask, + force create mode + and force + directory mode but the boolean inherit + permissions parameter overrides this. - New directories inherit the mode of the parent directory, - including bits such as setgid. + New directories inherit the mode of the parent directory, + including bits such as setgid. - New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - map archive - , map hidden - and map system - as usual. + New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + map archive + , map hidden + and map system + as usual. - Note that the setuid bit is never set via - inheritance (the code explicitly prohibits this). + Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this). - This can be particularly useful on large systems with - many users, perhaps several thousand, to allow a single [homes] - share to be used flexibly by each user. + This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user. - See also create mask - , - directory mask, - force create mode and force directory mode - . + See also create mask + , + directory mask, + force create mode and + force directory mode + . - Default: inherit permissions = no - - + Default: inherit permissions = no + + diff --git a/docs/docbook/smbdotconf/security/invalidusers.xml b/docs/docbook/smbdotconf/security/invalidusers.xml index 34e534ff28..f9d5d218e8 100644 
--- a/docs/docbook/smbdotconf/security/invalidusers.xml +++ b/docs/docbook/smbdotconf/security/invalidusers.xml 
@@ -1,33 +1,35 @@ - - invalid users (S) - This is a list of users that should not be allowed - to login to this service. This is really a paranoid - check to absolutely ensure an improper setting does not breach - your security. + + + This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security. - A name starting with a '@' is interpreted as an NIS - netgroup first (if your system supports NIS), and then as a UNIX - group if the name was not found in the NIS netgroup database. + A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database. - A name starting with '+' is interpreted only - by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database - (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group means check the - UNIX group database, followed by the NIS netgroup database, and - the value &+group means check the NIS - netgroup database, followed by the UNIX group database (the - same as the '@' prefix). + A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix). - The current servicename is substituted for %S. - This is useful in the [homes] section. 
+ The current servicename is substituted for %S. + This is useful in the [homes] section. - See also valid users - . + See also valid users + . - Default: no invalid users - Example: invalid users = root fred admin @wheel - - - + Default: no invalid users + + Example: invalid users = root fred admin @wheel + + diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml index 851b1ae4ac..e293242472 100644 --- a/docs/docbook/smbdotconf/security/lanmanauth.xml +++ b/docs/docbook/smbdotconf/security/lanmanauth.xml @@ -1,11 +1,14 @@ - - lanman auth (G) - This parameter determines whether or not smbd - 8 will attempt to authenticate users - using the LANMAN password hash. If disabled, only clients which support NT - password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not - Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host. + + + This parameter determines whether or not smbd + 8 will attempt to authenticate users + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not + Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host. - Default : lanman auth = yes - - + Default : lanman auth = yes + + diff --git a/docs/docbook/smbdotconf/security/maptoguest.xml b/docs/docbook/smbdotconf/security/maptoguest.xml index 966260a9b1..4f66319928 100644 --- a/docs/docbook/smbdotconf/security/maptoguest.xml +++ b/docs/docbook/smbdotconf/security/maptoguest.xml 
@@ -1,53 +1,62 @@ - - map to guest (G) - This parameter is only useful in - security modes other than security = share - - i.e. user, server, - and domain. + + + This parameter is only useful in + security modes other than security = share + - i.e. user, server, + and domain. - This parameter can take three different values, which tell - smbd - 8 what to do with user - login requests that don't match a valid UNIX user in some way. + This parameter can take three different values, which tell + smbd + 8 what to do with user + login requests that don't match a valid UNIX user in some way. - The three settings are : + The three settings are : - - Never - Means user login - requests with an invalid password are rejected. This is the - default. + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + - Bad User - Means user - logins with an invalid password are rejected, unless the username - does not exist, in which case it is treated as a guest login and - mapped into the - guest account. + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the + guest account. + - Bad Password - Means user logins - with an invalid password are treated as a guest login and mapped - into the guest account. Note that - this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and - will not know the reason they cannot access files they think - they should - there will have been no message given to them - that they got their password wrong. Helpdesk services will - hate you if you set the map to - guest parameter this way :-). - + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the guest account. 
Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + - Note that this parameter is needed to set up "Guest" - share services when using security modes other than - share. This is because in these modes the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client so the server - cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares. + Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. - For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the - GUEST_SESSSETUP value in local.h. + For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h. - Default: map to guest = Never - Example: map to guest = Bad User - - + Default: map to guest = Never + Example: map to guest = Bad User + + diff --git a/docs/docbook/smbdotconf/security/minpasswdlength.xml b/docs/docbook/smbdotconf/security/minpasswdlength.xml index 8e52b923fb..d7ecc3e21b 100644 --- a/docs/docbook/smbdotconf/security/minpasswdlength.xml +++ b/docs/docbook/smbdotconf/security/minpasswdlength.xml 
@@ -1,6 +1,10 @@ - - min passwd length (G) - Synonym for - min password length. - - + + + Synonym for + min password length. + + + diff --git a/docs/docbook/smbdotconf/security/minpasswordlength.xml b/docs/docbook/smbdotconf/security/minpasswordlength.xml index da1e65a55b..69a1701ea2 100644 --- a/docs/docbook/smbdotconf/security/minpasswordlength.xml +++ b/docs/docbook/smbdotconf/security/minpasswordlength.xml @@ -1,14 +1,17 @@ - - min password length (G) - This option sets the minimum length in characters - of a plaintext password that smbd will accept when performing - UNIX password changing. + + + This option sets the minimum length in characters of a + plaintext password that smbd will + accept when performing UNIX password changing. - See also unix - password sync, - passwd program and passwd chat debug - . + See also unix + password sync, + passwd program and + passwd chat debug. - Default: min password length = 5 - - + Default: min password length = 5 + + diff --git a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml index baa9a783b0..4004af2d94 100644 --- a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml +++ b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml 
@@ -1,21 +1,25 @@ - - non unix account range (G) - The non unix account range parameter specifies - the range of 'user ids' that are allocated by the various 'non unix - account' passdb backends. These backends allow - the storage of passwords for users who don't exist in /etc/passwd. - This is most often used for machine account creation. - This range of ids should have no existing local or NIS users within - it as strange conflicts can occur otherwise. + + + The non unix account range parameter specifies + the range of 'user ids' that are allocated by the various 'non unix + account' passdb backends. These backends allow + the storage of passwords for users who don't exist in /etc/passwd. + This is most often used for machine account creation. + This range of ids should have no existing local or NIS users within + it as strange conflicts can occur otherwise. - These userids never appear on the system and Samba will never - 'become' these users. They are used only to ensure that the algorithmic - RID mapping does not conflict with normal users. - + + These userids never appear on the system and Samba will never + 'become' these users. They are used only to ensure that the algorithmic + RID mapping does not conflict with normal users. + + - Default: non unix account range = <empty string> - + Default: non unix account range = <empty string> - Example: non unix account range = 10000-20000 - - + Example: non unix account range = 10000-20000 + + diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml index a3b8caf062..b0b3179ab7 100644 --- a/docs/docbook/smbdotconf/security/ntlmauth.xml +++ b/docs/docbook/smbdotconf/security/ntlmauth.xml 
@@ -1,16 +1,15 @@ - - ntlm auth (G) - This parameter determines - whether or not smbd - 8 will - attempt to authenticate users using the NTLM password hash. - If disabled, only the lanman password hashes will be used. - + + + This parameter determines whether or not smbd + 8 will attempt to authenticate users using the NTLM password hash. + If disabled, only the lanman password hashes will be used. - Please note that at least this option or lanman auth should - be enabled in order to be able to log in. - + Please note that at least this option or lanman auth should + be enabled in order to be able to log in. - Default : ntlm auth = yes - - + Default : ntlm auth = yes + + diff --git a/docs/docbook/smbdotconf/security/nullpasswords.xml b/docs/docbook/smbdotconf/security/nullpasswords.xml index 40b687fceb..944a307eb7 100644 --- a/docs/docbook/smbdotconf/security/nullpasswords.xml +++ b/docs/docbook/smbdotconf/security/nullpasswords.xml @@ -1,11 +1,13 @@ - - null passwords (G) - Allow or disallow client access to accounts - that have null passwords. + + + Allow or disallow client access to accounts that have null passwords. - See also smbpasswd - 5. + See also smbpasswd + 5. - Default: null passwords = no - - + Default: null passwords = no + + diff --git a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml index 92a6bce22d..42d6b5cc43 100644 --- a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml +++ b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml 
@@ -1,15 +1,19 @@ - - obey pam restrictions (G) - When Samba 2.2 is configured to enable PAM support - (i.e. --with-pam), this parameter will control whether or not Samba - should obey PAM's account and session management directives. The - default behavior is to use PAM for clear text authentication only - and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of encrypt passwords = yes - . The reason is that PAM modules cannot support the challenge/response - authentication mechanism needed in the presence of SMB password encryption. - + + + When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of + encrypt passwords = yes. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. + - Default: obey pam restrictions = no - - + Default: obey pam restrictions = no + + diff --git a/docs/docbook/smbdotconf/security/onlyguest.xml b/docs/docbook/smbdotconf/security/onlyguest.xml index 018fa1a0b5..756c682ab3 100644 --- a/docs/docbook/smbdotconf/security/onlyguest.xml +++ b/docs/docbook/smbdotconf/security/onlyguest.xml @@ -1,6 +1,8 @@ - - only guest (S) - A synonym for - guest only. - - + + + A synonym for + guest only. + + diff --git a/docs/docbook/smbdotconf/security/onlyuser.xml b/docs/docbook/smbdotconf/security/onlyuser.xml index d0bbac7541..9975023ecb 100644 --- a/docs/docbook/smbdotconf/security/onlyuser.xml +++ b/docs/docbook/smbdotconf/security/onlyuser.xml 
@@ -1,24 +1,26 @@ - - only user (S) - This is a boolean option that controls whether - connections with usernames not in the user - list will be allowed. By default this option is disabled so that a - client can supply a username to be used by the server. Enabling - this parameter will force the server to only use the login - names from the user list and is only really - useful in share level - security. + + + This is a boolean option that controls whether + connections with usernames not in the user + list will be allowed. By default this option is disabled so that a + client can supply a username to be used by the server. Enabling + this parameter will force the server to only use the login + names from the user list and is only really + useful in share level + security. - Note that this also means Samba won't try to deduce - usernames from the service name. This can be annoying for - the [homes] section. To get around this you could use user = - %S which means your user list - will be just the service name, which for home directories is the - name of the user. + Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use user = + %S which means your user list + will be just the service name, which for home directories is the + name of the user. - See also the user - parameter. + See also the user + parameter. - Default: only user = no - - + Default: only user = no + + diff --git a/docs/docbook/smbdotconf/security/pampasswordchange.xml b/docs/docbook/smbdotconf/security/pampasswordchange.xml index 8f0e91ae2d..5eb60e5270 100644 --- a/docs/docbook/smbdotconf/security/pampasswordchange.xml +++ b/docs/docbook/smbdotconf/security/pampasswordchange.xml 
@@ -1,16 +1,17 @@ - - pam password change (G) - With the addition of better PAM support in Samba 2.2, - this parameter, it is possible to use PAM's password change control - flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client instead of the program listed in - passwd program. - It should be possible to enable this without changing your - passwd chat - parameter for most setups. - + + + With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + passwd program. + It should be possible to enable this without changing your + passwd chat + parameter for most setups. - Default: pam password change = no - - - + Default: pam password change = no + + diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml index 918c802e78..256b6c9709 100644 --- a/docs/docbook/smbdotconf/security/passdbbackend.xml +++ b/docs/docbook/smbdotconf/security/passdbbackend.xml 
@@ -1,91 +1,119 @@ - - passdb backend (G) - This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both - smbpasswd and tdbsam to be used without a recompile. - Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. - Experimental backends must still be selected - (eg --with-tdbsam) at configure time. - + + + + This option allows the administrator to chose which backends + to retrieve and store passwords with. This allows (for example) both + smbpasswd and tdbsam to be used without a recompile. Multiple + backends can be specified, separated by spaces. The backends will be + searched in the order they are specified. New users are always added + to the first backend specified. Experimental backends must still be + selected (eg --with-tdbsam) at configure time. - This parameter is in two parts, the backend's name, and a 'location' - string that has meaning only to that particular backed. These are separated - by a : character. + This parameter is in two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character. - Available backends can include: - - smbpasswd - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument. + Available backends can include: + + + smbpasswd - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. + + - smbpasswd_nua - The smbpasswd - backend, but with support for 'not unix accounts'. - Takes a path to the smbpasswd file as an optional argument. - See also - non unix account range + + smbpasswd_nua - The smbpasswd + backend, but with support for 'not unix accounts'. + Takes a path to the smbpasswd file as an optional argument. 
+ + See also + non unix account range + - tdbsam - The TDB based password storage - backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the - private dir directory. + + tdbsam - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the + private dir directory. + - tdbsam_nua - The TDB based password storage - backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the - private dir directory. - See also - non unix account range + + tdbsam_nua - The TDB based password storage + backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the + private dir directory. + + See also + non unix account range + - ldapsam - The LDAP based passdb - backend. Takes an LDAP URL as an optional argument (defaults to - ldap://localhost) + + ldapsam - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost) + - ldapsam_nua - The LDAP based passdb - backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to - ldap://localhost) + + ldapsam_nua - The LDAP based passdb + backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost) - Note: In this module, any account without a matching POSIX account is regarded - as 'non unix'. + Note: In this module, any account without a matching POSIX account is regarded + as 'non unix'. - See also - non unix account - range + See also + non unix account range - LDAP connections should be secured where - possible. This may be done using either - Start-TLS (see - ldap ssl) or by - specifying ldaps:// in - the URL argument. - + LDAP connections should be secured where possible. This may be done using either + Start-TLS (see ldap ssl) or by + specifying ldaps:// in + the URL argument. 
+ - nisplussam - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. + + nisplussam - + The NIS+ based passdb backend. Takes name NIS domain as + an optional argument. Only works with sun NIS+ servers. + + - plugin - Allows Samba to load an - arbitary passdb backend from the .so specified as a compulsary argument. - + + plugin - Allows Samba to load an + arbitary passdb backend from the .so specified as a compulsary argument. + - Any characters after the (optional) second : are passed to the plugin - for its own processing - + Any characters after the (optional) second : are passed to the plugin + for its own processing + - unixsam - Allows samba to map all (other) available unix users + + unixsam - Allows samba to map all (other) + available unix users - This backend uses the standard unix database for retrieving users. Users included - in this pdb are NOT listed in samba user listings and users included in this pdb won't be - able to login. The use of this backend is to always be able to display the owner of a file - on the samba server - even when the user doesn't have a 'real' samba account in one of the - other passdb backends. - + This backend uses the standard unix database for retrieving users. Users included + in this pdb are NOT listed in samba user listings and users included in this pdb won't be + able to login. The use of this backend is to always be able to display the owner of a file + on the samba server - even when the user doesn't have a 'real' samba account in one of the + other passdb backends. + - This backend should always be the last backend listed, since it contains all users in - the unix passdb and might 'override' mappings if specified earlier. It's meant to only return - accounts for users that aren't covered by the previous backends. 
- - + This backend should always be the last backend listed, since it contains all users in + the unix passdb and might 'override' mappings if specified earlier. It's meant to only return + accounts for users that aren't covered by the previous backends. + + + + + Default: passdb backend = smbpasswd unixsam + + Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam + + Example: passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam - Default: passdb backend = smbpasswd unixsam - Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam - Example: passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam - Example: passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb - - + Example: passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb + + diff --git a/docs/docbook/smbdotconf/security/passwdchat.xml b/docs/docbook/smbdotconf/security/passwdchat.xml index 922f1a878c..fcefd8f8df 100644 --- a/docs/docbook/smbdotconf/security/passwdchat.xml +++ b/docs/docbook/smbdotconf/security/passwdchat.xml 
@@ -1,58 +1,62 @@ - - passwd chat (G) - This string controls the "chat" - conversation that takes places between smbd - 8 and the local password changing - program to change the user's password. The string describes a - sequence of response-receive pairs that smbd - 8 uses to determine what to send to the - passwd program - and what to expect back. If the expected output is not - received then the password is not changed. - - This chat sequence is often quite site specific, depending - on what local methods are used for password control (such as NIS - etc). - Note that this parameter only is only used if the unix - password sync parameter is set to yes. This - sequence is then called AS ROOT when the SMB password - in the smbpasswd file is being changed, without access to the old - password cleartext. This means that root must be able to reset the user's password - without knowing the text of the previous password. In the presence of NIS/YP, - this means that the passwd program must be - executed on the NIS master. - - - - The string can contain the macro %n which is substituted - for the new password. The chat sequence can also contain the standard - macros \\n, \\r, - \\t and \\s to give line-feed, - carriage-return, tab and space. The chat sequence string can also contain - a '*' which matches any sequence of characters. - Double quotes can be used to collect strings with spaces - in them into a single string. - - If the send string in any part of the chat sequence - is a full stop ".", then no string is sent. Similarly, - if the expect string is a full stop then no string is expected. - - If the pam - password change parameter is set to yes, the chat pairs - may be matched in any order, and success is determined by the PAM result, - not any particular output. The \n macro is ignored for PAM conversions. - - - See also unix password - sync, - passwd program , - passwd chat debug and - pam password change. 
- - Default: passwd chat = *new*password* %n\\n - *new*password* %n\\n *changed* - Example: passwd chat = "*Enter OLD password*" %o\\n - "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password - changed*" - - + + + This string controls the "chat" + conversation that takes places between smbd + 8 and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that smbd + 8 uses to determine what to send to the + passwd program + and what to expect back. If the expected output is not + received then the password is not changed. + + This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc). + + Note that this parameter only is only used if the unix password sync + parameter is set to yes. This sequence is + then called AS ROOT when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the passwd program must + be executed on the NIS master. + + + + The string can contain the macro %n which is substituted + for the new password. The chat sequence can also contain the standard + macros \\n, \\r, \\t and \\s to + give line-feed, carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces + in them into a single string. + + If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected. + + If the pam + password change parameter is set to yes, the chat pairs + may be matched in any order, and success is determined by the PAM result, + not any particular output. 
The \n macro is ignored for PAM conversions. + + + See also unix password + sync, + passwd program , + passwd chat debug and + pam password change. + + Default: passwd chat = *new*password* %n\\n + *new*password* %n\\n *changed* + + Example: passwd chat = "*Enter OLD password*" %o\\n + "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n + "*Password changed*" + + diff --git a/docs/docbook/smbdotconf/security/passwdchatdebug.xml b/docs/docbook/smbdotconf/security/passwdchatdebug.xml index a5771b72d2..2d731b5d11 100644 --- a/docs/docbook/smbdotconf/security/passwdchatdebug.xml +++ b/docs/docbook/smbdotconf/security/passwdchatdebug.xml 
@@ -1,25 +1,27 @@ - - passwd chat debug (G) - This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd - 8 log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This option has no effect if the - pam password change - paramter is set. This parameter is off by default. + + + This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd + 8 log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + pam password change + paramter is set. This parameter is off by default. + See also passwd chat + , pam password change + , passwd program + . - See also passwd chat - , pam password change - , passwd program - . - - Default: passwd chat debug = no - - + Default: passwd chat debug = no + + diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml index dae24e22a1..dbcc261ce4 100644 --- a/docs/docbook/smbdotconf/security/passwdprogram.xml +++ b/docs/docbook/smbdotconf/security/passwdprogram.xml 
@@ -1,35 +1,39 @@ - - passwd program (G) - The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u - will be replaced with the user name. The user name is checked for - existence before calling the password changing program. + + + The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program. - Also note that many passwd programs insist in reasonable - passwords, such as a minimum length, or the inclusion - of mixed case chars and digits. This can pose a problem as some clients - (such as Windows for Workgroups) uppercase the password before sending - it. + Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it. - Note that if the unix - password sync parameter is set to yes - then this program is called AS ROOT - before the SMB password in the smbpasswd(5) - file is changed. If this UNIX password change fails, then - smbd will fail to change the SMB password also - (this is by design). + Note that if the unix + password sync parameter is set to yes + then this program is called AS ROOT + before the SMB password in the + smbpasswd5 + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design). - If the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to no. + If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. 
Note that by default unix + password sync is set to no. - See also unix - password sync. + See also unix + password sync. - Default: passwd program = /bin/passwd - Example: passwd program = /sbin/npasswd %u - - - + Default: passwd program = /bin/passwd + + Example: passwd program = /sbin/npasswd %u + + diff --git a/docs/docbook/smbdotconf/security/passwordlevel.xml b/docs/docbook/smbdotconf/security/passwordlevel.xml index 408082f838..28b9999731 100644 --- a/docs/docbook/smbdotconf/security/passwordlevel.xml +++ b/docs/docbook/smbdotconf/security/passwordlevel.xml 
@@ -1,40 +1,44 @@ - - password level (G) - Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! Another problem child is the Windows 95/98 - family of operating systems. These clients upper case clear - text passwords even when NT LM 0.12 selected by the protocol - negotiation request/response. - - This parameter defines the maximum number of characters - that may be upper case in passwords. - - For example, say the password given was "FRED". If - password level is set to 1, the following combinations - would be tried if "FRED" failed: - - "Fred", "fred", "fRed", "frEd","freD" - - If password level was set to 2, - the following combinations would also be tried: - - "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. - - And so on. - - The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection. - - A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case. - - Default: password level = 0 - Example: password level = 4 - - + + + Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response. + + This parameter defines the maximum number of characters + that may be upper case in passwords. 
+ + For example, say the password given was "FRED". If + password level is set to 1, the following combinations + would be tried if "FRED" failed: + + "Fred", "fred", "fRed", "frEd","freD" + + If password level was set to 2, + the following combinations would also be tried: + + "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + + And so on. + + The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection. + + A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case. + + Default: password level = 0 + + Example: password level = 4 + + diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml index b803816d88..e40ff32b75 100644 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ b/docs/docbook/smbdotconf/security/passwordserver.xml 
@@ -1,92 +1,98 @@ - - password server (G) - By specifying the name of another SMB server (such - as a WinNT box) with this option, and using security = domain - or security = server you can get Samba - to do all its username/password validation via a remote server. + + + By specifying the name of another SMB server (such + as a WinNT box) with this option, and using security = domain + or security = server you can get Samba + to do all its username/password validation via a remote server. - This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the smb.conf file. + This option sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its Internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the smb.conf file. - The name of the password server is looked up using the - parameter name - resolve order and so may resolved - by any method and order described in that parameter. + The name of the password server is looked up using the + parameter name + resolve order and so may resolved + by any method and order described in that parameter. - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. + The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode. - Using a password server - means your UNIX box (running Samba) is only as secure as your - password server. DO NOT CHOOSE A PASSWORD SERVER THAT - YOU DON'T COMPLETELY TRUST. + Using a password server means your UNIX box (running + Samba) is only as secure as your password server. 
DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. + - Never point a Samba server at itself for password - serving. This will cause a loop and could lock up your Samba - server! + Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server! - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow! - If the security parameter is set to - domain, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. + If the security parameter is set to + domain, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using + security = domain is that if you list several hosts in the + password server option then smbd + will try each in turn till it finds one that responds. 
This + is useful in case your primary server goes down. - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. + If the password server option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name WORKGROUP<1C> + and then contacting each server returned in the list of IP + addresses from the name resolution source. - If the list of servers contains both names and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC. + If the list of servers contains both names and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC. - If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: + If the security parameter is + set to server, then there are different + restrictions that security = domain doesn't + suffer from: - - You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security = server - mode and cannot be fixed in Samba. 
+ + + You may list several password servers in + the password server parameter, however if an + smbd makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this smbd. This is a + restriction of the SMB/CIFS protocol when in security = server + mode and cannot be fixed in Samba. + + + + If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in + security = server mode the network logon will appear to + come from there rather than from the users workstation. + + - If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in - security = server mode the network logon will appear to - come from there rather than from the users workstation. - + See also the security + parameter. - See also the security - parameter. - - Default: password server = <empty string> - - Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * - - Example: password server = * - - + Default: password server = <empty string> + + Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * + + Example: password server = * + + diff --git a/docs/docbook/smbdotconf/security/printeradmin.xml b/docs/docbook/smbdotconf/security/printeradmin.xml index 7037facca0..c0640ea188 100644 --- a/docs/docbook/smbdotconf/security/printeradmin.xml +++ b/docs/docbook/smbdotconf/security/printeradmin.xml 
@@ -1,12 +1,15 @@ - - printer admin (S) - This is a list of users that can do anything to - printers via the remote administration interfaces offered by MS-RPC - (usually using a NT workstation). Note that the root user always - has admin rights. + + + This is a list of users that can do anything to + printers via the remote administration interfaces offered by MS-RPC + (usually using a NT workstation). Note that the root user always + has admin rights. - Default: printer admin = <empty string> - - Example: printer admin = admin, @staff - - + Default: printer admin = <empty string> + + Example: printer admin = admin, @staff + + diff --git a/docs/docbook/smbdotconf/security/privatedir.xml b/docs/docbook/smbdotconf/security/privatedir.xml index ca22089122..1fc7eb0b36 100644 --- a/docs/docbook/smbdotconf/security/privatedir.xml +++ b/docs/docbook/smbdotconf/security/privatedir.xml @@ -1,10 +1,13 @@ - - private dir (G) - This parameters defines the directory - smbd will use for storing such files as smbpasswd - and secrets.tdb. - + + + This parameters defines the directory + smbd will use for storing such files as smbpasswd + and secrets.tdb. + - Default :private dir = ${prefix}/private - - + Default :private dir = ${prefix}/private + + diff --git a/docs/docbook/smbdotconf/security/public.xml b/docs/docbook/smbdotconf/security/public.xml index a1f6a1ee29..a9e942811e 100644 --- a/docs/docbook/smbdotconf/security/public.xml +++ b/docs/docbook/smbdotconf/security/public.xml @@ -1,6 +1,9 @@ - - public (S) - Synonym for guest - ok. - - + + + Synonym for guest + ok. + + diff --git a/docs/docbook/smbdotconf/security/readlist.xml b/docs/docbook/smbdotconf/security/readlist.xml index 15d135d54e..41a97e5ffc 100644 --- a/docs/docbook/smbdotconf/security/readlist.xml +++ b/docs/docbook/smbdotconf/security/readlist.xml 
@@ -1,17 +1,22 @@ - - read list (S) - This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the read only - option is set to. The list can include group names using the - syntax described in the - invalid users parameter. + + + This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the + read only + option is set to. The list can include group names using the + syntax described in the + invalid users parameter. - See also the - write list parameter and the invalid users - parameter. + See also the + write list parameter and the + invalid users + parameter. - Default: read list = <empty string> - Example: read list = mary, @students - - + Default: read list = <empty string> + + Example: read list = mary, @students + + diff --git a/docs/docbook/smbdotconf/security/readonly.xml b/docs/docbook/smbdotconf/security/readonly.xml index 02721935de..e71301c3e5 100644 --- a/docs/docbook/smbdotconf/security/readonly.xml +++ b/docs/docbook/smbdotconf/security/readonly.xml @@ -1,16 +1,19 @@ - - read only (S) - An inverted synonym is - writeable. + + + An inverted synonym is + writeable. - If this parameter is yes, then users - of a service may not create or modify files in the service's - directory. + If this parameter is yes, then users + of a service may not create or modify files in the service's + directory. - Note that a printable service (printable = yes) - will ALWAYS allow writing to the directory - (user privileges permitting), but only via spooling operations. + Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations. - Default: read only = yes - - + Default: read only = yes + + 
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml index 4b09b7d2bc..7f78f94a99 100644 --- a/docs/docbook/smbdotconf/security/restrictanonymous.xml +++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml @@ -1,10 +1,12 @@ - - restrict anonymous (G) - This is a integer parameter, and - mirrors as much as possible the functinality the - RestrictAnonymous - registry key does on NT/Win2k. + + + This is a integer parameter, and mirrors as much as possible the functinality the + RestrictAnonymous registry key does on NT/Win2k. + - Default: restrict anonymous = 0 - - + Default: restrict anonymous = 0 + + diff --git a/docs/docbook/smbdotconf/security/root.xml b/docs/docbook/smbdotconf/security/root.xml index f69c1a1ae1..1199d54099 100644 --- a/docs/docbook/smbdotconf/security/root.xml +++ b/docs/docbook/smbdotconf/security/root.xml @@ -1,6 +1,10 @@ - - root (G) - Synonym for - root directory". - - + + + Synonym for + root directory". + + + diff --git a/docs/docbook/smbdotconf/security/rootdir.xml b/docs/docbook/smbdotconf/security/rootdir.xml index 1f543aed6a..e4e5f0e509 100644 --- a/docs/docbook/smbdotconf/security/rootdir.xml +++ b/docs/docbook/smbdotconf/security/rootdir.xml @@ -1,6 +1,10 @@ - - root dir (G) - Synonym for - root directory". - - + + + Synonym for + root directory". + + + diff --git a/docs/docbook/smbdotconf/security/rootdirectory.xml b/docs/docbook/smbdotconf/security/rootdirectory.xml index 9efc11e3c6..9c3e9cfad2 100644 --- a/docs/docbook/smbdotconf/security/rootdirectory.xml +++ b/docs/docbook/smbdotconf/security/rootdirectory.xml 
@@ -1,28 +1,34 @@ - - root directory (G) - The server will chroot() (i.e. - Change its root directory) to this directory on startup. This is - not strictly necessary for secure operation. Even without it the - server will deny access to files not in one of the service entries. - It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the wide links - parameter). + + + The server will chroot() (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + wide links + parameter). + - Adding a root directory entry other - than "/" adds an extra level of security, but at a price. It - absolutely ensures that no access is given to files not in the - sub-tree specified in the root directory - option, including some files needed for - complete operation of the server. To maintain full operability - of the server you will need to mirror some system files - into the root directory tree. In particular - you will need to mirror /etc/passwd (or a - subset of it), and any binaries or configuration files needed for - printing (if required). The set of files that must be mirrored is - operating system dependent. + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. 
In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. - Default: root directory = / - Example: root directory = /homes/smb - - + Default: root directory = / + + Example: root directory = /homes/smb + + diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml index 8e97d8721f..68c5f2cdd2 100644 --- a/docs/docbook/smbdotconf/security/security.xml +++ b/docs/docbook/smbdotconf/security/security.xml 
@@ -1,237 +1,254 @@ - - security (G) - This option affects how clients respond to - Samba and is one of the most important settings in the - smb.conf file. - - The option sets the "security mode bit" in replies to - protocol negotiations with smbd - 8 to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server. - - - The default is security = user, as this is - the most common setting needed when talking to Windows 98 and - Windows NT. - - The alternatives are security = share, - security = server or security = domain - . - - In versions of Samba prior to 2.0.0, the default was - security = share mainly because that was - the only option at one stage. - - There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as. - - If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share. - - You should also use security = share if you - want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the map to guest - parameter for details. + + + This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file. + + The option sets the "security mode bit" in replies to + protocol negotiations with smbd + 8 to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server. 
+ + + The default is security = user, as this is + the most common setting needed when talking to Windows 98 and + Windows NT. + + The alternatives are security = share, + security = server or security = domain + . + + In versions of Samba prior to 2.0.0, the default was + security = share mainly because that was + the only option at one stage. + + There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as. + + If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + security = user. If you mostly use usernames + that don't exist on the UNIX box then use security = + share. + + You should also use security = share if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with security = user, see + the map to guest + parameter for details. - It is possible to use smbd in a - hybrid mode where it is offers both user and share - level security under different - NetBIOS aliases. + It is possible to use smbd in a + hybrid mode where it is offers both user and share + level security under different + NetBIOS aliases. - The different settings will now be explained. + The different settings will now be explained. - SECURITY = SHARE - + SECURITY = SHARE - When clients connect to a share level security server they - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a security = share - server). 
Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share. - - Note that smbd ALWAYS - uses a valid UNIX user to act on behalf of the client, even in - security = share level security. - - As clients are not required to send a username to the server - in share level security, smbd uses several - techniques to determine the correct UNIX user to use on behalf - of the client. - - A list of possible UNIX usernames to match with the given - client password is constructed using the following methods : - - - If the guest - only parameter is set, then all the other - stages are missed and only the - guest account username is checked. - - - Is a username is sent with the share connection - request, then this username (after mapping - see username map), - is added as a potential username. - - If the client did a previous logon - request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. - - - The name of the service the client requested is - added as a potential username. - - The NetBIOS name of the client is added to - the list as a potential username. - - Any users on the - user list are added as potential usernames. - - - - If the guest only parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user. - - If the guest only parameter is - set, or no username can be determined then if the share is marked - as available to the guest account, then this - guest user will be used, otherwise access is denied. - - Note that it can be very confusing - in share-level security as to which UNIX username will eventually - be used in granting access. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = USER - - - This is the default security setting in Samba 3.0. 
- With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the username map - parameter). Encrypted passwords (see the - encrypted passwords parameter) can also - be used in this security mode. Parameters such as - user and - guest only if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = DOMAIN - - - - This mode will only work correctly if net - 8 has been used to add this - machine into a Windows NT Domain. It expects the encrypted passwords - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. - - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. - - Note that from the client's point - of view security = domain is the same as security = user - . It only affects how the server deals with the authentication, - it does not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. 
- See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the encrypted passwords - parameter. - - SECURITY = SERVER - - - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = - user. It expects the encrypted passwords - parameter to be set to - yes, unless the remote server - does not support them. However note - that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid - smbpasswd file to check users against. See the - documentation file in the docs/ directory - ENCRYPTION.txt for details on how to set this - up. - - Note this mode of operation - has significant pitfalls, due to the fact that is - activly initiates a man-in-the-middle attack on the - remote SMB server. In particular, this mode of - operation can cause significant resource consuption on - the PDC, as it must maintain an active connection for - the duration of the user's session. Furthermore, if - this connection is lost, there is no way to - reestablish it, and futher authenticaions to the Samba - server may fail. (From a single client, till it - disconnects). - - Note that from the client's point of - view security = server is the same as - security = user. It only affects how the server deals - with the authentication, it does not in any way affect what the - client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. 
- - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the encrypted passwords - parameter. + When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a security = share + server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share. + + Note that smbd ALWAYS + uses a valid UNIX user to act on behalf of the client, even in + security = share level security. + + As clients are not required to send a username to the server + in share level security, smbd uses several + techniques to determine the correct UNIX user to use on behalf + of the client. + + A list of possible UNIX usernames to match with the given + client password is constructed using the following methods : + + + + If the guest + only parameter is set, then all the other + stages are missed and only the + guest account username is checked. + + + + + Is a username is sent with the share connection + request, then this username (after mapping - see + username map), + is added as a potential username. + + + + + If the client did a previous logon + request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + + + + + The name of the service the client requested is + added as a potential username. + + + + + The NetBIOS name of the client is added to + the list as a potential username. + + + + + Any users on the + user list are added as potential usernames. + + + + + If the guest only parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user. 
+ + If the guest only parameter is + set, or no username can be determined then if the share is marked + as available to the guest account, then this + guest user will be used, otherwise access is denied. + + Note that it can be very confusing + in share-level security as to which UNIX username will eventually + be used in granting access. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = USER + + This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the + username map + parameter). Encrypted passwords (see the + encrypted passwords parameter) can also + be used in this security mode. Parameters such as + user and + guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = DOMAIN + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the + encrypted passwords + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. 
+ + Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the + encrypted passwords + parameter. + + SECURITY = SERVER + + In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = + user. It expects the + encrypted passwords parameter + to be set to yes, unless the remote server + does not support them. However note that if encrypted passwords have been + negotiated then Samba cannot revert back to checking the UNIX password file, + it must have a valid smbpasswd file to check + users against. See the documentation file in the docs/ directory + ENCRYPTION.txt for details on how to set this up. + + Note this mode of operation has + significant pitfalls, due to the fact that is activly initiates a + man-in-the-middle attack on the remote SMB server. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authenticaions to the + Samba server may fail. (From a single client, till it disconnects). + + + Note that from the client's point of + view security = server is the + same as security = user. 
It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the + encrypted passwords parameter. - Default: security = USER - Example: security = DOMAIN + Default: security = USER + Example: security = DOMAIN - - + + diff --git a/docs/docbook/smbdotconf/security/securitymask.xml b/docs/docbook/smbdotconf/security/securitymask.xml index 9ed0adcbf4..ee3e8f916c 100644 --- a/docs/docbook/smbdotconf/security/securitymask.xml +++ b/docs/docbook/smbdotconf/security/securitymask.xml 
@@ -1,33 +1,36 @@ - - security mask (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box. + + + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box. - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. - If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. - + If not set explicitly this parameter is 0777, allowing + a user to modify all the user/group/world permissions on a file. + - Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to 0777. + Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to leave it set to 0777. - See also the - force directory security mode, - directory - security mask, - force security mode parameters. + See also the + force directory security mode, + directory + security mask, + force security mode parameters. 
- Default: security mask = 0777 - Example: security mask = 0770 - - + Default: security mask = 0777 + + Example: security mask = 0770 + + diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml index 05261fa417..afbc458068 100644 --- a/docs/docbook/smbdotconf/security/serverschannel.xml +++ b/docs/docbook/smbdotconf/security/serverschannel.xml @@ -1,24 +1,25 @@ - - server schannel (G) - + + - This controls whether the server offers or even - demands the use of the netlogon schannel. - server schannel = no does not - offer the schannel, server schannel = - auto offers the schannel but does not - enforce it, and server schannel = - yes denies access if the client is not - able to speak netlogon schannel. This is only the case - for Windows NT4 before SP4. + This controls whether the server offers or even + demands the use of the netlogon schannel. + server schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4. - Please note that with this set to - no you will have to apply the - WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory.Please note that with this set to + no you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory.Default: server schannel = auto - - Example: server schannel = yes/para> - - \ No newline at end of file + Default: server schannel = auto + Example: server schannel = yes + + \ No newline at end of file diff --git a/docs/docbook/smbdotconf/security/smbpasswdfile.xml b/docs/docbook/smbdotconf/security/smbpasswdfile.xml index 2efbd12169..cb31ba5019 100644 --- a/docs/docbook/smbdotconf/security/smbpasswdfile.xml +++ b/docs/docbook/smbdotconf/security/smbpasswdfile.xml 
@@ -1,13 +1,14 @@ - - smb passwd file (G) - This option sets the path to the encrypted - smbpasswd file. By default the path to the smbpasswd file - is compiled into Samba. - - Default: smb passwd file = ${prefix}/private/smbpasswd - + + - Example: smb passwd file = /etc/samba/smbpasswd - - - + This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba. + + Default: smb passwd file = ${prefix}/private/smbpasswd + + Example: smb passwd file = /etc/samba/smbpasswd + + diff --git a/docs/docbook/smbdotconf/security/unixpasswordsync.xml b/docs/docbook/smbdotconf/security/unixpasswordsync.xml index 41c6d983d0..0d22ed9c7e 100644 --- a/docs/docbook/smbdotconf/security/unixpasswordsync.xml +++ b/docs/docbook/smbdotconf/security/unixpasswordsync.xml @@ -1,18 +1,22 @@ - - unix password sync (G) - This boolean parameter controls whether Samba - attempts to synchronize the UNIX password with the SMB password - when the encrypted SMB password in the smbpasswd file is changed. - If this is set to yes the program specified in the passwd - programparameter is called AS ROOT - - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password change code has no - access to the old password cleartext, only the new). + + + This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to yes the program specified in the passwd + programparameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new). - See also passwd - program, - passwd chat. + See also passwd + program, + passwd chat. + - Default: unix password sync = no - - + Default: unix password sync = no + + 
diff --git a/docs/docbook/smbdotconf/security/updateencrypted.xml b/docs/docbook/smbdotconf/security/updateencrypted.xml index 45c66e0de2..76b37948d7 100644 --- a/docs/docbook/smbdotconf/security/updateencrypted.xml +++ b/docs/docbook/smbdotconf/security/updateencrypted.xml 
@@ -1,28 +1,33 @@ - - update encrypted (G) - This boolean parameter allows a user logging - on with a plaintext password to have their encrypted (hashed) - password in the smbpasswd file to be updated automatically as - they log on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing - all users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change over - to encrypted passwords to be made over a longer period. Once all users - have encrypted representations of their passwords in the smbpasswd - file this parameter should be set to no. + + - In order for this parameter to work correctly the encrypt passwords - parameter must be set to no when - this parameter is set to yes. + This boolean parameter allows a user logging on with + a plaintext password to have their encrypted (hashed) password in + the smbpasswd file to be updated automatically as they log + on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all + users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change + over to encrypted passwords to be made over a longer period. + Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to + no. 
- Note that even when this parameter is set a user - authenticating to smbd must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords. + In order for this parameter to work correctly the + encrypt passwords parameter must + be set to no when this parameter is set to yes. - Default: update encrypted = no - - + Note that even when this parameter is set a user + authenticating to smbd must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords. + + Default: update encrypted = no + + diff --git a/docs/docbook/smbdotconf/security/user.xml b/docs/docbook/smbdotconf/security/user.xml index 9c0502061b..4ca2e18fac 100644 --- a/docs/docbook/smbdotconf/security/user.xml +++ b/docs/docbook/smbdotconf/security/user.xml @@ -1,6 +1,8 @@ - - user (S) - Synonym for - username. - - + + + Synonym for username. + + diff --git a/docs/docbook/smbdotconf/security/username.xml b/docs/docbook/smbdotconf/security/username.xml index 779f24170b..f1aa2fe1f8 100644 --- a/docs/docbook/smbdotconf/security/username.xml +++ b/docs/docbook/smbdotconf/security/username.xml 
@@ -1,62 +1,64 @@ - - username (S) - Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right). - - The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead. - - The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely. - - Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do. - - To restrict a service to a particular set of users you - can use the valid users - parameter. - - If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name. + + + Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right). + + The username line is needed only when + the PC is unable to supply its own username. 
This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead. + + The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely. + + Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do. + + To restrict a service to a particular set of users you + can use the valid users + parameter. + + If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name. - If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name. - - If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name. - - Note that searching though a groups database can take - quite some time, and some clients may time out during the - search. 
- - See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how - this parameter determines access to the services. - - Default: The guest account if a guest service, - else <empty string>. - - Examples:username = fred, mary, jack, jane, - @users, @pcgroup - - + If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name. + + If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name. + + Note that searching though a groups database can take + quite some time, and some clients may time out during the + search. + + See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services. + + Default: The guest account if a guest service, + else <empty string>. + + Examples:username = fred, mary, jack, jane, + @users, @pcgroup + + diff --git a/docs/docbook/smbdotconf/security/usernamelevel.xml b/docs/docbook/smbdotconf/security/usernamelevel.xml index a4deff3bf9..3c71e3b710 100644 --- a/docs/docbook/smbdotconf/security/usernamelevel.xml +++ b/docs/docbook/smbdotconf/security/usernamelevel.xml 
@@ -1,20 +1,24 @@ - - username level (G) - This option helps Samba to try and 'guess' at - the real UNIX username, as many DOS clients send an all-uppercase - username. By default Samba tries all lowercase, followed by the - username with the first letter capitalized, and fails if the - username is not found on the UNIX machine. + + + This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine. - If this parameter is set to non-zero the behavior changes. - This parameter is a number that specifies the number of uppercase - combinations to try while trying to determine the UNIX user name. The - higher the number the more combinations will be tried, but the slower - the discovery of usernames will be. Use this parameter when you have - strange usernames on your UNIX machine, such as AstrangeUser - . + If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser + . - Default: username level = 0 - Example: username level = 5 - - + Default: username level = 0 + + Example: username level = 5 + + diff --git a/docs/docbook/smbdotconf/security/usernamemap.xml b/docs/docbook/smbdotconf/security/usernamemap.xml index 37ee72c235..583a1a872e 100644 --- a/docs/docbook/smbdotconf/security/usernamemap.xml +++ b/docs/docbook/smbdotconf/security/usernamemap.xml 
@@ -1,90 +1,91 @@ - - username map (G) - This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files. - - The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long. - - The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line. - - If any line begins with a '#' or a ';' then it is - ignored - - If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file. - - For example to map from the name admin - or administrator to the UNIX name - root you would use: - - root = admin administrator - - Or to map anyone in the UNIX group system - to the UNIX name sys you would use: - - sys = @system - - You can have as many mappings as you like in a username - map file. - - - If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups. 
- - You can map Windows usernames that have spaces in them - by using double quotes around the name. For example: - - tridge = "Andrew Tridgell" - - would map the windows username "Andrew Tridgell" to the - unix username "tridge". - - The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line. + + + This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files. + + The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long. + + The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line. + + If any line begins with a '#' or a ';' then it is ignored + + If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file. 
+ + For example to map from the name admin + or administrator to the UNIX name + root you would use: + + root = admin administrator + + Or to map anyone in the UNIX group system + to the UNIX name sys you would use: + + sys = @system + + You can have as many mappings as you like in a username map file. + + + If your system supports the NIS NETGROUP option then + the netgroup database is checked before the /etc/group + database for matching groups. + + You can map Windows usernames that have spaces in them + by using double quotes around the name. For example: + + tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the + unix username "tridge". + + The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line. !sys = mary fred guest = * - Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the - password server (if you have one). The password - server will receive whatever username the client supplies without - modification. - - Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job. - - Default: no username map - Example: username map = /usr/local/samba/lib/users.map - - - + Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for mary not + fred. 
The only exception to this is the + username passed to the + password server (if you have one). The password + server will receive whatever username the client supplies without + modification. + + Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job. + + Default: no username map + + Example: username map = /usr/local/samba/lib/users.map + + diff --git a/docs/docbook/smbdotconf/security/users.xml b/docs/docbook/smbdotconf/security/users.xml index e78d259f62..fdb19da243 100644 --- a/docs/docbook/smbdotconf/security/users.xml +++ b/docs/docbook/smbdotconf/security/users.xml @@ -1,6 +1,9 @@ - - users (S) - Synonym for - username. - - + + + Synonym for + username. + + diff --git a/docs/docbook/smbdotconf/security/validusers.xml b/docs/docbook/smbdotconf/security/validusers.xml index 5155a5ef34..268e913cb5 100644 --- a/docs/docbook/smbdotconf/security/validusers.xml +++ b/docs/docbook/smbdotconf/security/validusers.xml 
@@ -1,23 +1,25 @@ - - valid users (S) - This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - invalid users parameter. + + + This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + invalid users parameter. - If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user. + If this is empty (the default) then any user can login. + If a username is in both this list and the invalid + users list then access is denied for that user. - The current servicename is substituted for %S - . This is useful in the [homes] section. + The current servicename is substituted for %S + . This is useful in the [homes] section. - See also invalid users - + See also invalid users + - Default: No valid users list (anyone can login) - + Default: No valid users list (anyone can login) + - Example: valid users = greg, @pcusers - - + Example: valid users = greg, @pcusers + + diff --git a/docs/docbook/smbdotconf/security/writable.xml b/docs/docbook/smbdotconf/security/writable.xml index 66ba44cc44..9b32db8ebc 100644 --- a/docs/docbook/smbdotconf/security/writable.xml +++ b/docs/docbook/smbdotconf/security/writable.xml @@ -1,6 +1,8 @@ - - writable (S) - Synonym for - writeable for people who can't spell :-). - - + + + Synonym for + writeable for people who can't spell :-). + + diff --git a/docs/docbook/smbdotconf/security/writeable.xml b/docs/docbook/smbdotconf/security/writeable.xml index b963410374..63e7734986 100644 --- a/docs/docbook/smbdotconf/security/writeable.xml +++ b/docs/docbook/smbdotconf/security/writeable.xml @@ -1,6 +1,8 @@ - - writeable (S) - Inverted synonym for - read only. - - + + + Inverted synonym for + read only. + + 
diff --git a/docs/docbook/smbdotconf/security/writelist.xml b/docs/docbook/smbdotconf/security/writelist.xml index 76ee56c93a..4a0e046127 100644 --- a/docs/docbook/smbdotconf/security/writelist.xml +++ b/docs/docbook/smbdotconf/security/writelist.xml @@ -1,21 +1,22 @@ - - write list (S) - This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the read only - option is set to. The list can include group names using the - @group syntax. + + + This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the + read only + option is set to. The list can include group names using the + @group syntax. - Note that if a user is in both the read list and the - write list then they will be given write access. + Note that if a user is in both the read list and the + write list then they will be given write access. - See also the read list - option. + See also the read list + option. - Default: write list = <empty string> - + Default: write list = <empty string> - Example: write list = admin, root, @staff - - - + Example: write list = admin, root, @staff + + diff --git a/docs/docbook/smbdotconf/security/writeok.xml b/docs/docbook/smbdotconf/security/writeok.xml index 103c2be993..da68489012 100644 --- a/docs/docbook/smbdotconf/security/writeok.xml +++ b/docs/docbook/smbdotconf/security/writeok.xml @@ -1,6 +1,8 @@ - - write ok (S) - Inverted synonym for - read only. - - + + + Inverted synonym for + read only. + + -- cgit From 71a53d0e4d29d275c438cf8a43562d1082f1d805 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 6 Apr 2003 17:34:48 +0000 Subject: Use entities (This used to be commit d65bb6fade27c8e97697d4cb0e5741d0dfbe4dc8) --- docs/docbook/manpages/smbcacls.1.sgml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'docs/docbook') 
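Review bot: In the security.xml hunk of the smbdotconf/security changes above, the re-added text carries the old typos over unchanged. The SECURITY = SERVER warning still reads "due to the fact that is activly initiates a man-in-the-middle attack", "significant resource consuption" and "futher authenticaions", and the second item of the share-level username list still begins "Is a username is sent". Every one of these lines is being rewritten by this change anyway, so correct them here ("that it actively initiates", "consumption", "further authentications", "If a username is sent"). The man-in-the-middle paragraph is the one an administrator has to read correctly before choosing security = server.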
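Review bot: The new serverschannel.xml in the changes above still ends with "\ No newline at end of file" after the added Example line, exactly like the version it replaces. Add the trailing newline while the file is being rewritten. The removed Example line ended in the malformed "yes/para>", so also run the converted file through the DocBook build or a validator before committing, to confirm the closing tags now balance.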
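Review bot: In the unixpasswordsync.xml hunk above, the added sentence still reads "passwd programparameter is called AS ROOT", with no space between the linked parameter name and the word "parameter", just as in the removed lines. Insert the space in the new text. This is the sentence that tells the reader the passwd program runs as root, so it should not be harder to parse than necessary.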
diff --git a/docs/docbook/manpages/smbcacls.1.sgml b/docs/docbook/manpages/smbcacls.1.sgml index 03fcbd6fd8..445566c5bd 100644 --- a/docs/docbook/manpages/smbcacls.1.sgml +++ b/docs/docbook/manpages/smbcacls.1.sgml @@ -1,4 +1,6 @@ - + %globalentities; +]> @@ -142,7 +144,7 @@ &stdarg.help; - &popt.common.samba.small; + &popt.common.samba; -- cgit From c29eb90444170953721b087f8d26b4a3b98b3fe8 Mon Sep 17 00:00:00 2001 
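Review bot: The second smbcacls.1.sgml hunk (@@ -142,7 +144,7 @@) replaces &popt.common.samba.small; with &popt.common.samba;, which the commit message "Use entities" does not mention. If switching this man page to the other entity is intended, say so in the message. If it is not, keep &popt.common.samba.small; and limit the change to the first hunk.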
From: Alexander Bokovoy Date: Sun, 6 Apr 2003 22:14:01 +0000 Subject: Convert more parameters to new smb.conf(5) style. Document found occurrences of non-documented parameters in doc-status (This used to be commit 3a9784d8b2318af4d9b349edd1aba4065d25da23) --- docs/docbook/global.ent | 1 - .../smbdotconf/logging/debughirestimestamp.xml | 27 ++-- docs/docbook/smbdotconf/logging/debuglevel.xml | 15 ++- docs/docbook/smbdotconf/logging/debugpid.xml | 28 ++-- docs/docbook/smbdotconf/logging/debugtimestamp.xml | 22 ++-- docs/docbook/smbdotconf/logging/debuguid.xml | 26 ++-- docs/docbook/smbdotconf/logging/logfile.xml | 21 +-- docs/docbook/smbdotconf/logging/loglevel.xml | 29 +++-- docs/docbook/smbdotconf/logging/maxlogsize.xml | 26 ++-- docs/docbook/smbdotconf/logging/syslog.xml | 33 ++--- docs/docbook/smbdotconf/logging/syslogonly.xml | 19 +-- docs/docbook/smbdotconf/logging/timestamplogs.xml | 15 ++- .../smbdotconf/logon/setprimarygroupscript.xml | 8 +- .../docbook/smbdotconf/printing/disablespoolss.xml | 39 +++--- docs/docbook/smbdotconf/printing/loadprinters.xml | 20 +-- docs/docbook/smbdotconf/printing/lpqcommand.xml | 85 ++++++------ docs/docbook/smbdotconf/printing/lprmcommand.xml | 45 ++++--- docs/docbook/smbdotconf/printing/maxprintjobs.xml | 30 +++-- docs/docbook/smbdotconf/printing/printable.xml | 29 +++-- docs/docbook/smbdotconf/printing/printcap.xml | 15 ++- docs/docbook/smbdotconf/printing/printcapname.xml | 71 +++++----- docs/docbook/smbdotconf/printing/printcommand.xml | 137 ++++++++++---------- docs/docbook/smbdotconf/printing/printing.xml | 49 +++---- docs/docbook/smbdotconf/printing/printok.xml | 15 ++- .../docbook/smbdotconf/printing/totalprintjobs.xml | 38 +++--- docs/docbook/smbdotconf/protocol/announceas.xml | 37 +++--- .../smbdotconf/protocol/announceversion.xml | 23 ++-- .../docbook/smbdotconf/protocol/disablenetbios.xml | 28 ++-- .../docbook/smbdotconf/protocol/largereadwrite.xml | 31 +++-- docs/docbook/smbdotconf/protocol/maxmux.xml | 19 +-- 
docs/docbook/smbdotconf/protocol/maxprotocol.xml | 67 ++++++---- docs/docbook/smbdotconf/protocol/maxttl.xml | 24 ++-- docs/docbook/smbdotconf/protocol/maxwinsttl.xml | 29 +++-- docs/docbook/smbdotconf/protocol/maxxmit.xml | 26 ++-- docs/docbook/smbdotconf/protocol/minprotocol.xml | 39 +++--- docs/docbook/smbdotconf/protocol/minwinsttl.xml | 27 ++-- .../smbdotconf/protocol/nameresolveorder.xml | 105 ++++++++------- docs/docbook/smbdotconf/protocol/ntaclsupport.xml | 23 ++-- docs/docbook/smbdotconf/protocol/ntpipesupport.xml | 25 ++-- .../smbdotconf/protocol/ntstatussupport.xml | 27 ++-- docs/docbook/smbdotconf/protocol/protocol.xml | 14 +- docs/docbook/smbdotconf/protocol/readbmpx.xml | 23 ++-- docs/docbook/smbdotconf/protocol/readraw.xml | 37 +++--- docs/docbook/smbdotconf/protocol/smbports.xml | 18 +-- docs/docbook/smbdotconf/protocol/timeserver.xml | 19 +-- docs/docbook/smbdotconf/protocol/unicode.xml | 22 ++-- .../docbook/smbdotconf/protocol/unixextensions.xml | 25 ++-- docs/docbook/smbdotconf/protocol/usespnego.xml | 26 ++-- docs/docbook/smbdotconf/protocol/writeraw.xml | 19 +-- .../docbook/smbdotconf/security/serverschannel.xml | 2 +- docs/docbook/smbdotconf/tuning/blocksize.xml | 37 +++--- .../smbdotconf/tuning/changenotifytimeout.xml | 31 +++-- docs/docbook/smbdotconf/tuning/deadtime.xml | 40 +++--- docs/docbook/smbdotconf/tuning/getwdcache.xml | 23 ++-- docs/docbook/smbdotconf/tuning/hostnamelookups.xml | 26 ++-- docs/docbook/smbdotconf/tuning/keepalive.xml | 33 +++-- docs/docbook/smbdotconf/tuning/maxconnections.xml | 30 +++-- docs/docbook/smbdotconf/tuning/maxdisksize.xml | 44 ++++--- docs/docbook/smbdotconf/tuning/maxopenfiles.xml | 31 +++-- .../docbook/smbdotconf/tuning/maxsmbdprocesses.xml | 33 ++--- docs/docbook/smbdotconf/tuning/minprintspace.xml | 28 ++-- .../docbook/smbdotconf/tuning/namecachetimeout.xml | 23 ++-- .../smbdotconf/tuning/paranoidserversecurity.xml | 30 +++-- docs/docbook/smbdotconf/tuning/readsize.xml | 48 +++---- 
docs/docbook/smbdotconf/tuning/socketoptions.xml | 144 +++++++++++---------- docs/docbook/smbdotconf/tuning/statcachesize.xml | 19 +-- docs/docbook/smbdotconf/tuning/strictallocate.xml | 38 +++--- docs/docbook/smbdotconf/tuning/strictsync.xml | 44 ++++--- docs/docbook/smbdotconf/tuning/syncalways.xml | 36 +++--- docs/docbook/smbdotconf/tuning/usemmap.xml | 29 +++-- docs/docbook/smbdotconf/tuning/usesendfile.xml | 27 ++-- docs/docbook/smbdotconf/tuning/writecachesize.xml | 49 +++---- 72 files changed, 1331 insertions(+), 1090 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index c71166b4d7..26c774820f 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -98,7 +98,6 @@ - diff --git a/docs/docbook/smbdotconf/logging/debughirestimestamp.xml b/docs/docbook/smbdotconf/logging/debughirestimestamp.xml index a5f40b73ca..4e49b89ddb 100644 --- a/docs/docbook/smbdotconf/logging/debughirestimestamp.xml +++ b/docs/docbook/smbdotconf/logging/debughirestimestamp.xml @@ -1,14 +1,17 @@ - - debug hires timestamp (G) - Sometimes the timestamps in the log messages - are needed with a resolution of higher that seconds, this - boolean parameter adds microsecond resolution to the timestamp - message header when turned on. + + + Sometimes the timestamps in the log messages + are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp + message header when turned on. - Note that the parameter - debug timestamp must be on for this to have an - effect. + Note that the parameter + debug timestamp must be on for this to have an + effect. - Default: debug hires timestamp = no - - + Default: debug hires timestamp = no + + diff --git a/docs/docbook/smbdotconf/logging/debuglevel.xml b/docs/docbook/smbdotconf/logging/debuglevel.xml index 99153fa853..8bd4b4e0b5 100644 --- a/docs/docbook/smbdotconf/logging/debuglevel.xml 
+++ b/docs/docbook/smbdotconf/logging/debuglevel.xml @@ -1,6 +1,9 @@ - - debuglevel (G) - Synonym for - log level. - - + + + Synonym for + log level. + + diff --git a/docs/docbook/smbdotconf/logging/debugpid.xml b/docs/docbook/smbdotconf/logging/debugpid.xml index 829e168412..ff393f5159 100644 --- a/docs/docbook/smbdotconf/logging/debugpid.xml +++ b/docs/docbook/smbdotconf/logging/debugpid.xml @@ -1,13 +1,19 @@ - - debug pid (G) - When using only one log file for more then one - forked smbd-process there may be hard to follow which process - outputs which message. This boolean parameter is adds the process-id - to the timestamp message headers in the logfile when turned on. + + + When using only one log file for more then one forked + smbd + 8-process there may be hard to + follow which process outputs which message. This boolean parameter + is adds the process-id to the timestamp message headers in the + logfile when turned on. - Note that the parameter - debug timestamp must be on for this to have an - effect. + Note that the parameter + debug timestamp must be on for this to have an + effect. - Default: debug pid = no - + Default: debug pid = no + + diff --git a/docs/docbook/smbdotconf/logging/debugtimestamp.xml b/docs/docbook/smbdotconf/logging/debugtimestamp.xml index 1265c1d21b..e337b5b8f2 100644 --- a/docs/docbook/smbdotconf/logging/debugtimestamp.xml +++ b/docs/docbook/smbdotconf/logging/debugtimestamp.xml @@ -1,10 +1,14 @@ - - debug timestamp (G) - Samba debug log messages are timestamped - by default. If you are running at a high - debug level these timestamps - can be distracting. This boolean parameter allows timestamping - to be turned off. + + + Samba debug log messages are timestamped + by default. If you are running at a high + debug level these timestamps + can be distracting. This boolean parameter allows timestamping + to be turned off. - Default: debug timestamp = yes - + Default: debug timestamp = yes + + 
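Review bot: In debugpid.xml the rewrapped first paragraph carries over three grammar slips from the old text ("more then one", "there may be hard to follow", "is adds the process-id"), and the added lines now read "smbd 8-process", so the manual section number ends up inside the compound word. Suggest rewording along the lines of "When several forked smbd(8) processes share one log file it can be hard to tell which process wrote which message. This boolean parameter adds the process ID to the timestamp message headers in the log file when turned on." Since the paragraph is being rewritten anyway, this is the cheapest moment to fix it.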
diff --git a/docs/docbook/smbdotconf/logging/debuguid.xml b/docs/docbook/smbdotconf/logging/debuguid.xml index 9b0786d6b3..bcacdf32c0 100644 --- a/docs/docbook/smbdotconf/logging/debuguid.xml +++ b/docs/docbook/smbdotconf/logging/debuguid.xml @@ -1,13 +1,17 @@ - - debug uid (G) - Samba is sometimes run as root and sometime - run as the connected user, this boolean parameter inserts the - current euid, egid, uid and gid to the timestamp message headers - in the log file if turned on. + + + Samba is sometimes run as root and sometime + run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers + in the log file if turned on. - Note that the parameter - debug timestamp must be on for this to have an - effect. + Note that the parameter + debug timestamp must be on for this to have an + effect. - Default: debug uid = no - + Default: debug uid = no + + diff --git a/docs/docbook/smbdotconf/logging/logfile.xml b/docs/docbook/smbdotconf/logging/logfile.xml index 6f176ef02b..8d3761a841 100644 --- a/docs/docbook/smbdotconf/logging/logfile.xml +++ b/docs/docbook/smbdotconf/logging/logfile.xml @@ -1,11 +1,14 @@ - - log file (G) - This option allows you to override the name - of the Samba log file (also known as the debug file). + + + This option allows you to override the name + of the Samba log file (also known as the debug file). - This option takes the standard substitutions, allowing - you to have separate log files for each user or machine. + This option takes the standard substitutions, allowing + you to have separate log files for each user or machine. - Example: log file = /usr/local/samba/var/log.%m - - + Example: log file = /usr/local/samba/var/log.%m + + diff --git a/docs/docbook/smbdotconf/logging/loglevel.xml b/docs/docbook/smbdotconf/logging/loglevel.xml index 610dc96812..6f03fe80e9 100644 --- a/docs/docbook/smbdotconf/logging/loglevel.xml +++ b/docs/docbook/smbdotconf/logging/loglevel.xml 
@@ -1,15 +1,18 @@ - - log level (G) - The value of the parameter (a astring) allows - the debug level (logging level) to be specified in the - smb.conf file. This parameter has been - extended since the 2.2.x series, now it allow to specify the debug - level for multiple debug classes. This is to give greater - flexibility in the configuration of the system. + + + The value of the parameter (a astring) allows + the debug level (logging level) to be specified in the + smb.conf file. This parameter has been + extended since the 2.2.x series, now it allow to specify the debug + level for multiple debug classes. This is to give greater + flexibility in the configuration of the system. - The default will be the log level specified on - the command line or level zero if none was specified. + The default will be the log level specified on + the command line or level zero if none was specified. - Example: log level = 3 passdb:5 auth:10 winbind:2 - - + Example: log level = 3 passdb:5 auth:10 winbind:2 + + diff --git a/docs/docbook/smbdotconf/logging/maxlogsize.xml b/docs/docbook/smbdotconf/logging/maxlogsize.xml index 117410b18c..6e0ec6735a 100644 --- a/docs/docbook/smbdotconf/logging/maxlogsize.xml +++ b/docs/docbook/smbdotconf/logging/maxlogsize.xml @@ -1,13 +1,17 @@ - - max log size (G) - This option (an integer in kilobytes) specifies - the max size the log file should grow to. Samba periodically checks - the size and if it is exceeded it will rename the file, adding - a .old extension. + + + This option (an integer in kilobytes) specifies + the max size the log file should grow to. Samba periodically checks + the size and if it is exceeded it will rename the file, adding + a .old extension. - A size of 0 means no limit. + A size of 0 means no limit. - Default: max log size = 5000 - Example: max log size = 1000 - - + Default: max log size = 5000 + + Example: max log size = 1000 + + 
diff --git a/docs/docbook/smbdotconf/logging/syslog.xml b/docs/docbook/smbdotconf/logging/syslog.xml index ac098e690a..0fdf070045 100644 --- a/docs/docbook/smbdotconf/logging/syslog.xml +++ b/docs/docbook/smbdotconf/logging/syslog.xml @@ -1,17 +1,20 @@ - - syslog (G) - This parameter maps how Samba debug messages - are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERR, debug - level one maps onto LOG_WARNING, debug level - two maps onto LOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to - LOG_DEBUG. + + + This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog LOG_ERR, debug + level one maps onto LOG_WARNING, debug level + two maps onto LOG_NOTICE, debug level three + maps onto LOG_INFO. All higher levels are mapped to + LOG_DEBUG. - This parameter sets the threshold for sending messages - to syslog. Only messages with debug level less than this value - will be sent to syslog. + This parameter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog. - Default: syslog = 1 - - + Default: syslog = 1 + + diff --git a/docs/docbook/smbdotconf/logging/syslogonly.xml b/docs/docbook/smbdotconf/logging/syslogonly.xml index a955306fe0..2b584d8d6d 100644 --- a/docs/docbook/smbdotconf/logging/syslogonly.xml +++ b/docs/docbook/smbdotconf/logging/syslogonly.xml @@ -1,9 +1,12 @@ - - syslog only (G) - If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files. + + + If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files. - Default: syslog only = no - - + Default: syslog only = no + + 
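Review bot: In syslog.xml the threshold sentence ("Only messages with debug level less than this value will be sent to syslog") together with the default of syslog = 1 means that, as documented, only debug level zero (LOG_ERR) messages reach syslog out of the box, and the text never spells that out. Suggest adding one sentence stating the effect of the default, so that administrators who forward syslog to a central collector know they have to raise the value to receive warnings and notices. The syslogonly.xml text would also benefit from a cross-reference to syslog, because once debug messages go to syslog only, that threshold appears to decide which messages are kept anywhere.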
diff --git a/docs/docbook/smbdotconf/logging/timestamplogs.xml b/docs/docbook/smbdotconf/logging/timestamplogs.xml index 5f5f42d738..e744ce54c6 100644 --- a/docs/docbook/smbdotconf/logging/timestamplogs.xml +++ b/docs/docbook/smbdotconf/logging/timestamplogs.xml @@ -1,6 +1,9 @@ - - timestamp logs (G) - Synonym for - debug timestamp. - - + + + Synonym for + debug timestamp. + + diff --git a/docs/docbook/smbdotconf/logon/setprimarygroupscript.xml b/docs/docbook/smbdotconf/logon/setprimarygroupscript.xml index c4b2aa1d92..45380ce4a8 100644 --- a/docs/docbook/smbdotconf/logon/setprimarygroupscript.xml +++ b/docs/docbook/smbdotconf/logon/setprimarygroupscript.xml @@ -1,5 +1,7 @@ -set primary group script (G) - Thanks to the Posix subsystem in NT a + +set primary group script (G) + + Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix userdatase when an administrator sets the @@ -8,7 +10,7 @@ vampire. %u will be replaced with the user whose primary group is to be set. %g will be replaced with - the group to set. + the group to set. Default: No default value diff --git a/docs/docbook/smbdotconf/printing/disablespoolss.xml b/docs/docbook/smbdotconf/printing/disablespoolss.xml index dff1e63fab..366092fce1 100644 --- a/docs/docbook/smbdotconf/printing/disablespoolss.xml +++ b/docs/docbook/smbdotconf/printing/disablespoolss.xml 
@@ -1,20 +1,23 @@ - - disable spoolss (G) - Enabling this parameter will disable Samba's support - for the SPOOLSS set of MS-RPC's and will yield identical behavior - as Samba 2.0.x. Windows NT/2000 clients will downgrade to using - Lanman style printing commands. Windows 9x/ME will be uneffected by - the parameter. However, this will also disable the ability to upload - printer drivers to a Samba server via the Windows NT Add Printer - Wizard or by using the NT printer properties dialog window. It will - also disable the capability of Windows NT/2000 clients to download - print drivers from the Samba host upon demand. - Be very careful about enabling this parameter. - + + + Enabling this parameter will disable Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be uneffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + Be very careful about enabling this parameter. + - See also use client driver - + See also use client driver + - Default : disable spoolss = no - - + Default : disable spoolss = no + + diff --git a/docs/docbook/smbdotconf/printing/loadprinters.xml b/docs/docbook/smbdotconf/printing/loadprinters.xml index adaa8afca9..efc2658ba8 100644 --- a/docs/docbook/smbdotconf/printing/loadprinters.xml +++ b/docs/docbook/smbdotconf/printing/loadprinters.xml 
@@ -1,9 +1,13 @@ - - load printers (G) - A boolean variable that controls whether all - printers in the printcap will be loaded for browsing by default. - See the printers section for - more details. + + + A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the printers section for + more details. - Default: load printers = yes - + Default: load printers = yes + + diff --git a/docs/docbook/smbdotconf/printing/lpqcommand.xml b/docs/docbook/smbdotconf/printing/lpqcommand.xml index ddcdf1ef49..f1b62af627 100644 --- a/docs/docbook/smbdotconf/printing/lpqcommand.xml +++ b/docs/docbook/smbdotconf/printing/lpqcommand.xml 
@@ -1,41 +1,44 @@ - - lpq command (S) - This parameter specifies the command to be - executed on the server host in order to obtain lpq - -style printer status information. - - This command should be a program or script which - takes a printer name as its only parameter and outputs printer - status information. - - Currently nine styles of printer status information - are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. - This covers most UNIX systems. You control which type is expected - using the printing = option. - - Some clients (notably Windows for Workgroups) may not - correctly send the connection number for the printer they are - requesting status information about. To get around this, the - server reports on the first printer service connected to by the - client. This only happens if the connection number sent is invalid. - - If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the - command. - - Note that it is good practice to include the absolute path - in the lpq command as the $PATH - may not be available to the server. When compiled with - the CUPS libraries, no lpq command is - needed because smbd will make a library call to obtain the - print queue listing. - - See also the printing - parameter. - - Default: depends on the setting of - printing - - Example: lpq command = /usr/bin/lpq -P%p - - + + + This parameter specifies the command to be + executed on the server host in order to obtain lpq + -style printer status information. + + This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information. + + Currently nine styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the printing = option. 
+ + Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid. + + If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute path + in the lpq command as the $PATH + may not be available to the server. When compiled with + the CUPS libraries, no lpq command is + needed because smbd will make a library call to obtain the + print queue listing. + + See also the printing + parameter. + + Default: depends on the setting of + printing + + Example: lpq command = /usr/bin/lpq -P%p + + diff --git a/docs/docbook/smbdotconf/printing/lprmcommand.xml b/docs/docbook/smbdotconf/printing/lprmcommand.xml index 7f59d6c5a0..567602c4f9 100644 --- a/docs/docbook/smbdotconf/printing/lprmcommand.xml +++ b/docs/docbook/smbdotconf/printing/lprmcommand.xml 
@@ -1,27 +1,30 @@ - - lprm command (S) - This parameter specifies the command to be - executed on the server host in order to delete a print job. + + + This parameter specifies the command to be + executed on the server host in order to delete a print job. - This command should be a program or script which takes - a printer name and job number, and deletes the print job. + This command should be a program or script which takes + a printer name and job number, and deletes the print job. - If a %p is given then the printer name - is put in its place. A %j is replaced with - the job number (an integer). + If a %p is given then the printer name + is put in its place. A %j is replaced with + the job number (an integer). - Note that it is good practice to include the absolute - path in the lprm command as the PATH may not be - available to the server. + Note that it is good practice to include the absolute + path in the lprm command as the PATH may not be + available to the server. - See also the printing - parameter. + See also the printing + parameter. - Default: depends on the setting of printing - + Default: depends on the setting of printing + - Example 1: lprm command = /usr/bin/lprm -P%p %j - - Example 2: lprm command = /usr/bin/cancel %p-%j - - + Example 1: lprm command = /usr/bin/lprm -P%p %j + + Example 2: lprm command = /usr/bin/cancel %p-%j + + diff --git a/docs/docbook/smbdotconf/printing/maxprintjobs.xml b/docs/docbook/smbdotconf/printing/maxprintjobs.xml index f0c7d83d3f..a631b6b8c4 100644 --- a/docs/docbook/smbdotconf/printing/maxprintjobs.xml +++ b/docs/docbook/smbdotconf/printing/maxprintjobs.xml 
@@ -1,14 +1,18 @@ - - max print jobs (S) - This parameter limits the maximum number of - jobs allowable in a Samba printer queue at any given moment. - If this number is exceeded, smbd - 8 will remote "Out of Space" to the client. - See all total - print jobs. - + + + This parameter limits the maximum number of + jobs allowable in a Samba printer queue at any given moment. + If this number is exceeded, smbd + 8 will remote "Out of Space" to the client. + See all total + print jobs. + - Default: max print jobs = 1000 - Example: max print jobs = 5000 - - + Default: max print jobs = 1000 + + Example: max print jobs = 5000 + + diff --git a/docs/docbook/smbdotconf/printing/printable.xml b/docs/docbook/smbdotconf/printing/printable.xml index 22d4d73b01..946e8b4b96 100644 --- a/docs/docbook/smbdotconf/printing/printable.xml +++ b/docs/docbook/smbdotconf/printing/printable.xml @@ -1,15 +1,18 @@ - - printable (S) - If this parameter is yes, then - clients may open, write to and submit spool files on the directory - specified for the service. + + + If this parameter is yes, then + clients may open, write to and submit spool files on the directory + specified for the service. - Note that a printable service will ALWAYS allow writing - to the service path (user privileges permitting) via the spooling - of print data. The read only - parameter controls only non-printing access to - the resource. + Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The read only + parameter controls only non-printing access to + the resource. - Default: printable = no - - + Default: printable = no + + diff --git a/docs/docbook/smbdotconf/printing/printcap.xml b/docs/docbook/smbdotconf/printing/printcap.xml index 2f5e4af580..0ee08a263f 100644 --- a/docs/docbook/smbdotconf/printing/printcap.xml +++ b/docs/docbook/smbdotconf/printing/printcap.xml 
@@ -1,6 +1,9 @@ - - printcap (G) - Synonym for - printcap name. - - + + + Synonym for + printcap name. + + diff --git a/docs/docbook/smbdotconf/printing/printcapname.xml b/docs/docbook/smbdotconf/printing/printcapname.xml index 0025624d25..5f5b5c86a9 100644 --- a/docs/docbook/smbdotconf/printing/printcapname.xml +++ b/docs/docbook/smbdotconf/printing/printcapname.xml 
@@ -1,28 +1,32 @@ - - printcap name (G) - This parameter may be used to override the - compiled-in default printcap name used by the server (usually - /etc/printcap). See the discussion of the [printers] section above for reasons - why you might want to do this. + + + This parameter may be used to override the + compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons + why you might want to do this. - To use the CUPS printing interface set printcap name = cups - . This should be supplemented by an addtional setting - printing = cups in the [global] - section. printcap name = cups will use the - "dummy" printcap created by CUPS, as specified in your CUPS - configuration file. - + To use the CUPS printing interface set printcap name = cups + . This should be supplemented by an addtional setting + printing = cups in the [global] + section. printcap name = cups will use the + "dummy" printcap created by CUPS, as specified in your CUPS + configuration file. + - On System V systems that use lpstat to - list available printers you can use printcap name = lpstat - to automatically obtain lists of available printers. This - is the default for systems that define SYSV at configure time in - Samba (this includes most System V based systems). If - printcap name is set to lpstat on - these systems then Samba will launch lpstat -v and - attempt to parse the output to obtain a printer list. + On System V systems that use lpstat to + list available printers you can use printcap name = lpstat + to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If + printcap name is set to lpstat on + these systems then Samba will launch lpstat -v and + attempt to parse the output to obtain a printer list. 
- A minimal printcap file would look something like this: + A minimal printcap file would look something like this: print1|My Printer 1 @@ -32,16 +36,17 @@ print4|My Printer 4 print5|My Printer 5 - where the '|' separates aliases of a printer. The fact - that the second alias has a space in it gives a hint to Samba - that it's a comment. + where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment. - Under AIX the default printcap - name is /etc/qconfig. Samba will assume the - file is in AIX qconfig format if the string - qconfig appears in the printcap filename. + Under AIX the default printcap + name is /etc/qconfig. Samba will assume the + file is in AIX qconfig format if the string + qconfig appears in the printcap filename. - Default: printcap name = /etc/printcap - Example: printcap name = /etc/myprintcap - - + Default: printcap name = /etc/printcap + + Example: printcap name = /etc/myprintcap + + diff --git a/docs/docbook/smbdotconf/printing/printcommand.xml b/docs/docbook/smbdotconf/printing/printcommand.xml index c996ed6c2e..5444309053 100644 --- a/docs/docbook/smbdotconf/printing/printcommand.xml +++ b/docs/docbook/smbdotconf/printing/printcommand.xml 
@@ -1,86 +1,89 @@ - - print command (S) - After a print job has finished spooling to - a service, this command will be used via a system() - call to process the spool file. Typically the command specified will - submit the spool file to the host's printing subsystem, but there - is no requirement that this be the case. The server will not remove - the spool file, so whatever command you specify should remove the - spool file when it has been processed, otherwise you will need to - manually remove old spool files. + + + After a print job has finished spooling to + a service, this command will be used via a system() + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files. - The print command is simply a text string. It will be used - verbatim after macro substitutions have been made: + The print command is simply a text string. It will be used + verbatim after macro substitutions have been made: - s, %p - the path to the spool - file name + %s, %p - the path to the spool + file name - %p - the appropriate printer - name + %p - the appropriate printer + name - %J - the job - name as transmitted by the client. + %J - the job + name as transmitted by the client. - %c - The number of printed pages - of the spooled job (if known). + %c - The number of printed pages + of the spooled job (if known). - %z - the size of the spooled - print job (in bytes) + %z - the size of the spooled + print job (in bytes) - The print command MUST contain at least - one occurrence of %s or %f - - the %p is optional. At the time - a job is submitted, if no printer name is supplied the %p - will be silently removed from the printer command. 
+ The print command MUST contain at least + one occurrence of %s or %f + - the %p is optional. At the time + a job is submitted, if no printer name is supplied the %p + will be silently removed from the printer command. - If specified in the [global] section, the print command given - will be used for any printable service that does not have its own - print command specified. + If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified. - If there is neither a specified print command for a - printable service nor a global print command, spool files will - be created but not processed and (most importantly) not removed. + If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed. - Note that printing may fail on some UNIXes from the - nobody account. If this happens then create - an alternative guest account that can print and set the guest account - in the [global] section. + Note that printing may fail on some UNIXes from the + nobody account. If this happens then create + an alternative guest account that can print and set the + guest account + in the [global] section. - You can form quite complex print commands by realizing - that they are just passed to a shell. For example the following - will log a print job, print the file, then remove it. Note that - ';' is the usual separator for command in shell scripts. + You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts. 
- print command = echo Printing %s >> - /tmp/print.log; lpr -P %p %s; rm %s + print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s - You may have to vary this command considerably depending - on how you normally print files on your system. The default for - the parameter varies depending on the setting of the - printing parameter. + You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the + printing parameter. - Default: For printing = BSD, AIX, QNX, LPRNG - or PLP : - print command = lpr -r -P%p %s + Default: For printing = BSD, AIX, QNX, LPRNG + or PLP : + print command = lpr -r -P%p %s - For printing = SYSV or HPUX : - print command = lp -c -d%p %s; rm %s + For printing = SYSV or HPUX : + print command = lp -c -d%p %s; rm %s - For printing = SOFTQ : - print command = lp -d%p -s %s; rm %s + For printing = SOFTQ : + print command = lp -d%p -s %s; rm %s - For printing = CUPS : If SAMBA is compiled against - libcups, then printcap = cups - uses the CUPS API to - submit jobs, etc. Otherwise it maps to the System V - commands with the -oraw option for printing, i.e. it - uses lp -c -d%p -oraw; rm %s. - With printing = cups, - and if SAMBA is compiled against libcups, any manually - set print command will be ignored. + For printing = CUPS : If SAMBA is compiled against + libcups, then printcap = cups + uses the CUPS API to + submit jobs, etc. Otherwise it maps to the System V + commands with the -oraw option for printing, i.e. it + uses lp -c -d%p -oraw; rm %s. + With printing = cups, + and if SAMBA is compiled against libcups, any manually + set print command will be ignored. - Example: print command = /usr/local/samba/bin/myprintscript - %p %s - - + Example: print command = /usr/local/samba/bin/myprintscript %p %s + + 
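Review bot: The macro list in printcommand.xml now begins "%s, %p - the path to the spool file name", but the very next entry defines %p as the printer name and the paragraph below requires "at least one occurrence of %s or %f", so the first entry should read %s, %f. Two further points while this text is open. The page says the command is run through system() and is "just passed to a shell", and it lists %J as "the job name as transmitted by the client"; it should state how such client-supplied values are quoted before substitution, or tell administrators to quote %J in any command that uses it. And the fallback shown for printing = CUPS, "lp -c -d%p -oraw; rm %s", hands no spool file to lp, so as written it would remove the file without printing it; it probably wants %s before the semicolon.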
diff --git a/docs/docbook/smbdotconf/printing/printing.xml b/docs/docbook/smbdotconf/printing/printing.xml index d49c0e2471..4e9caa9b54 100644 --- a/docs/docbook/smbdotconf/printing/printing.xml +++ b/docs/docbook/smbdotconf/printing/printing.xml @@ -1,26 +1,31 @@ - - printing (S) - This parameters controls how printer status - information is interpreted on your system. It also affects the - default values for the print command, - lpq command, lppause command - , lpresume command, and - lprm command if specified in the - [global] section. + + + This parameters controls how printer status information is + interpreted on your system. It also affects the default values for + the print command, parameter + moreinfo="none">lpq command, lppause command , lpresume command, and lprm command if specified in the + [global] section. - Currently nine printing styles are supported. They are - BSD, AIX, - LPRNG, PLP, - SYSV, HPUX, - QNX, SOFTQ, - and CUPS. + Currently nine printing styles are supported. They are + BSD, AIX, + LPRNG, PLP, + SYSV, HPUX, + QNX, SOFTQ, + and CUPS. - To see what the defaults are for the other print - commands when using the various options use the testparm(1) program. + To see what the defaults are for the other print + commands when using the various options use the testparm + 1 program. - This option can be set on a per printer basis + This option can be set on a per printer basis - See also the discussion in the - [printers] section. - - + See also the discussion in the + [printers] section. + + diff --git a/docs/docbook/smbdotconf/printing/printok.xml b/docs/docbook/smbdotconf/printing/printok.xml index 7900e91bbb..0a0e6605f1 100644 --- a/docs/docbook/smbdotconf/printing/printok.xml +++ b/docs/docbook/smbdotconf/printing/printok.xml @@ -1,6 +1,9 @@ - - print ok (S) - Synonym for - printable. - - + + + Synonym for + printable. + + 
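Review bot: In printing.xml the rewritten first paragraph now contains the literal text parameter moreinfo="none">lpq command, which looks like a tag that lost its opening angle bracket during the conversion; the neighbouring lppause, lpresume and lprm references do not show it. Please check the markup on that added line. While the paragraph is being touched, "This parameters controls" should be "This parameter controls", and the stray space before the comma in "lppause command , lpresume command" can go.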
diff --git a/docs/docbook/smbdotconf/printing/totalprintjobs.xml b/docs/docbook/smbdotconf/printing/totalprintjobs.xml index 25784a3c29..ccdb137a69 100644 --- a/docs/docbook/smbdotconf/printing/totalprintjobs.xml +++ b/docs/docbook/smbdotconf/printing/totalprintjobs.xml @@ -1,18 +1,22 @@ - - total print jobs (G) - This parameter accepts an integer value which defines - a limit on the maximum number of print jobs that will be accepted - system wide at any given time. If a print job is submitted - by a client which will exceed this number, then smbd - 8 will return an - error indicating that no space is available on the server. The - default value of 0 means that no such limit exists. This parameter - can be used to prevent a server from exceeding its capacity and is - designed as a printing throttle. See also - max print jobs. - + + + This parameter accepts an integer value which defines + a limit on the maximum number of print jobs that will be accepted + system wide at any given time. If a print job is submitted + by a client which will exceed this number, then smbd + 8 will return an + error indicating that no space is available on the server. The + default value of 0 means that no such limit exists. This parameter + can be used to prevent a server from exceeding its capacity and is + designed as a printing throttle. See also + max print jobs. + - Default: total print jobs = 0 - Example: total print jobs = 5000 - - + Default: total print jobs = 0 + + Example: total print jobs = 5000 + + diff --git a/docs/docbook/smbdotconf/protocol/announceas.xml b/docs/docbook/smbdotconf/protocol/announceas.xml index 1f3169609c..b063fcc1b7 100644 --- a/docs/docbook/smbdotconf/protocol/announceas.xml +++ b/docs/docbook/smbdotconf/protocol/announceas.xml 
@@ -1,18 +1,21 @@ - - announce as (G) - This specifies what type of server nmbd - 8 will announce itself as, to a network neighborhood browse - list. By default this is set to Windows NT. The valid options - are : "NT Server" (which can also be written as "NT"), - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, - Windows NT Workstation, Windows 95 and Windows for Workgroups - respectively. Do not change this parameter unless you have a - specific need to stop Samba appearing as an NT server as this - may prevent Samba servers from participating as browser servers - correctly. + + + This specifies what type of server nmbd + 8 will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly. - Default: announce as = NT Server - - Example: announce as = Win95 - - + Default: announce as = NT Server + + Example: announce as = Win95 + + diff --git a/docs/docbook/smbdotconf/protocol/announceversion.xml b/docs/docbook/smbdotconf/protocol/announceversion.xml index 03ad429dbd..217004b5fc 100644 --- a/docs/docbook/smbdotconf/protocol/announceversion.xml +++ b/docs/docbook/smbdotconf/protocol/announceversion.xml 
@@ -1,12 +1,15 @@ - - announce version (G) - This specifies the major and minor version numbers - that nmbd will use when announcing itself as a server. The default - is 4.9. Do not change this parameter unless you have a specific - need to set a Samba server to be a downlevel server. + + + This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.9. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server. - Default: announce version = 4.9 + Default: announce version = 4.9 - Example: announce version = 2.0 - - + Example: announce version = 2.0 + + diff --git a/docs/docbook/smbdotconf/protocol/disablenetbios.xml b/docs/docbook/smbdotconf/protocol/disablenetbios.xml index ac97cdf7c3..2fe92d00b7 100644 --- a/docs/docbook/smbdotconf/protocol/disablenetbios.xml +++ b/docs/docbook/smbdotconf/protocol/disablenetbios.xml @@ -1,14 +1,18 @@ - - disable netbios (G) - Enabling this parameter will disable netbios support - in Samba. Netbios is the only available form of browsing in - all windows versions except for 2000 and XP. + + + Enabling this parameter will disable netbios support + in Samba. Netbios is the only available form of browsing in + all windows versions except for 2000 and XP. - Note that clients that only support netbios won't be able to - see your samba server when netbios support is disabled. - + Note that clients that only support netbios won't be able to + see your samba server when netbios support is disabled. + - Default: disable netbios = no - Example: disable netbios = yes - - + Default: disable netbios = no + + Example: disable netbios = yes + + diff --git a/docs/docbook/smbdotconf/protocol/largereadwrite.xml b/docs/docbook/smbdotconf/protocol/largereadwrite.xml index 9aa28593e6..25c58899c4 100644 --- a/docs/docbook/smbdotconf/protocol/largereadwrite.xml +++ b/docs/docbook/smbdotconf/protocol/largereadwrite.xml 
@@ -1,15 +1,18 @@ - - large readwrite (G) - This parameter determines whether or not smbd - 8 supports the new 64k streaming - read and write varient SMB requests introduced - with Windows 2000. Note that due to Windows 2000 client redirector bugs - this requires Samba to be running on a 64-bit capable operating system such - as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with - Windows 2000 clients. Defaults to on. Not as tested as some other Samba - code paths. - + + + This parameter determines whether or not + smbd + 8 supports the new 64k + streaming read and write varient SMB requests introduced with + Windows 2000. Note that due to Windows 2000 client redirector bugs + this requires Samba to be running on a 64-bit capable operating + system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve + performance by 10% with Windows 2000 clients. Defaults to on. Not as + tested as some other Samba code paths. - Default : large readwrite = yes - - + Default: large readwrite = yes + + diff --git a/docs/docbook/smbdotconf/protocol/maxmux.xml b/docs/docbook/smbdotconf/protocol/maxmux.xml index 51296e0747..c05487fdca 100644 --- a/docs/docbook/smbdotconf/protocol/maxmux.xml +++ b/docs/docbook/smbdotconf/protocol/maxmux.xml @@ -1,9 +1,12 @@ - - max mux (G) - This option controls the maximum number of - outstanding simultaneous SMB operations that Samba tells the client - it will allow. You should never need to set this parameter. + + + This option controls the maximum number of + outstanding simultaneous SMB operations that Samba tells the client + it will allow. You should never need to set this parameter. - Default: max mux = 50 - - + Default: max mux = 50 + + diff --git a/docs/docbook/smbdotconf/protocol/maxprotocol.xml b/docs/docbook/smbdotconf/protocol/maxprotocol.xml index be859f8ee3..3f4e917828 100644 --- a/docs/docbook/smbdotconf/protocol/maxprotocol.xml +++ b/docs/docbook/smbdotconf/protocol/maxprotocol.xml 
@@ -1,35 +1,48 @@ - - max protocol (G) - The value of the parameter (a string) is the highest - protocol level that will be supported by the server. + + + The value of the parameter (a string) is the highest + protocol level that will be supported by the server. - Possible values are : - - CORE: Earliest version. No - concept of user names. + Possible values are : + + + CORE: Earliest version. No + concept of user names. + - COREPLUS: Slight improvements on - CORE for efficiency. + + COREPLUS: Slight improvements on + CORE for efficiency. + - LANMAN1: First - modern version of the protocol. Long filename - support. + + LANMAN1: First + modern version of the protocol. Long filename + support. + - LANMAN2: Updates to Lanman1 protocol. - + + LANMAN2: Updates to Lanman1 protocol. + - NT1: Current up to date version of - the protocol. Used by Windows NT. Known as CIFS. - + + NT1: Current up to date version of the protocol. + Used by Windows NT. Known as CIFS. + + - Normally this option should not be set as the automatic - negotiation phase in the SMB protocol takes care of choosing - the appropriate protocol. + Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol. - See also min - protocol + See also min + protocol - Default: max protocol = NT1 - Example: max protocol = LANMAN1 - - + Default: max protocol = NT1 + + Example: max protocol = LANMAN1 + + diff --git a/docs/docbook/smbdotconf/protocol/maxttl.xml b/docs/docbook/smbdotconf/protocol/maxttl.xml index 04c6771308..63c2b57ad7 100644 --- a/docs/docbook/smbdotconf/protocol/maxttl.xml +++ b/docs/docbook/smbdotconf/protocol/maxttl.xml 
@@ -1,12 +1,14 @@ - - max ttl (G) - This option tells nmbd - 8 - what the default 'time to live' of NetBIOS names should be (in seconds) - when nmbd is requesting a name using either a - broadcast packet or from a WINS server. You should never need to - change this parameter. The default is 3 days. + + + This option tells nmbd + 8 what the default 'time to live' + of NetBIOS names should be (in seconds) when nmbd is + requesting a name using either a broadcast packet or from a WINS server. You should + never need to change this parameter. The default is 3 days. - Default: max ttl = 259200 - - + Default: max ttl = 259200 + + diff --git a/docs/docbook/smbdotconf/protocol/maxwinsttl.xml b/docs/docbook/smbdotconf/protocol/maxwinsttl.xml index c8e2d9df8d..eafacc28fa 100644 --- a/docs/docbook/smbdotconf/protocol/maxwinsttl.xml +++ b/docs/docbook/smbdotconf/protocol/maxwinsttl.xml @@ -1,15 +1,18 @@ - - max wins ttl (G) - This option tells smbd - 8 when acting as a WINS server ( - wins support = yes) what the maximum - 'time to live' of NetBIOS names that nmbd - will grant will be (in seconds). You should never need to change this - parameter. The default is 6 days (518400 seconds). + + + This option tells smbd + 8 when acting as a WINS server ( + wins support = yes) what the maximum + 'time to live' of NetBIOS names that nmbd + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds). - See also the min - wins ttl parameter. + See also the min + wins ttl parameter. - Default: max wins ttl = 518400 - - + Default: max wins ttl = 518400 + + diff --git a/docs/docbook/smbdotconf/protocol/maxxmit.xml b/docs/docbook/smbdotconf/protocol/maxxmit.xml index c16cf47655..3125b8d3b9 100644 --- a/docs/docbook/smbdotconf/protocol/maxxmit.xml +++ b/docs/docbook/smbdotconf/protocol/maxxmit.xml 
@@ -1,12 +1,16 @@ - - max xmit (G) - This option controls the maximum packet size - that will be negotiated by Samba. The default is 65535, which - is the maximum. In some cases you may find you get better performance - with a smaller value. A value below 2048 is likely to cause problems. - + + + This option controls the maximum packet size + that will be negotiated by Samba. The default is 65535, which + is the maximum. In some cases you may find you get better performance + with a smaller value. A value below 2048 is likely to cause problems. + - Default: max xmit = 65535 - Example: max xmit = 8192 - - + Default: max xmit = 65535 + + Example: max xmit = 8192 + + diff --git a/docs/docbook/smbdotconf/protocol/minprotocol.xml b/docs/docbook/smbdotconf/protocol/minprotocol.xml index 6b1d420a4b..f382701948 100644 --- a/docs/docbook/smbdotconf/protocol/minprotocol.xml +++ b/docs/docbook/smbdotconf/protocol/minprotocol.xml 
@@ -1,20 +1,23 @@ - - min protocol (G) - The value of the parameter (a string) is the - lowest SMB protocol dialect than Samba will support. Please refer - to the max protocol - parameter for a list of valid protocol names and a brief description - of each. You may also wish to refer to the C source code in - source/smbd/negprot.c for a listing of known protocol - dialects supported by clients. + + + The value of the parameter (a string) is the + lowest SMB protocol dialect than Samba will support. Please refer + to the max protocol + parameter for a list of valid protocol names and a brief description + of each. You may also wish to refer to the C source code in + source/smbd/negprot.c for a listing of known protocol + dialects supported by clients. - If you are viewing this parameter as a security measure, you should - also refer to the lanman - auth parameter. Otherwise, you should never need - to change this parameter. + If you are viewing this parameter as a security measure, you should + also refer to the lanman + auth parameter. Otherwise, you should never need + to change this parameter. - Default : min protocol = CORE - Example : min protocol = NT1 # disable DOS - clients - - + Default : min protocol = CORE + + Example : min protocol = NT1 # disable DOS clients + + diff --git a/docs/docbook/smbdotconf/protocol/minwinsttl.xml b/docs/docbook/smbdotconf/protocol/minwinsttl.xml index e67c253f2e..8ad1a5600f 100644 --- a/docs/docbook/smbdotconf/protocol/minwinsttl.xml +++ b/docs/docbook/smbdotconf/protocol/minwinsttl.xml 
@@ -1,13 +1,16 @@ - - min wins ttl (G) - This option tells nmbd - 8 - when acting as a WINS server ( - wins support = yes) what the minimum 'time to live' - of NetBIOS names that nmbd will grant will be (in - seconds). You should never need to change this parameter. The default - is 6 hours (21600 seconds). + + + This option tells nmbd + 8 + when acting as a WINS server ( + wins support = yes) what the minimum 'time to live' + of NetBIOS names that nmbd will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds). - Default: min wins ttl = 21600 - - + Default: min wins ttl = 21600 + + diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml index a5dd893902..897d04ad1c 100644 --- a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml +++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml 
@@ -1,47 +1,58 @@ - - name resolve order (G) - This option is used by the programs in the Samba - suite to determine what naming services to use and in what order - to resolve host names to IP addresses. The option takes a space - separated string of name resolution options. - - The options are :"lmhosts", "host", "wins" and "bcast". They - cause names to be resolved as follows : - - - lmhosts : Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the lmhosts(5) for details) then - any name type matches for lookup. - - host : Do a standard host - name to IP address resolution, using the system /etc/hosts - , NIS, or DNS lookups. This method of name resolution - is operating system depended for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file. Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored. - - wins : Query a name with - the IP address listed in the - wins server parameter. If no WINS server has - been specified this method will be ignored. - - bcast : Do a broadcast on - each of the known local interfaces listed in the interfaces - parameter. This is the least reliable of the name resolution - methods as it depends on the target host being on a locally - connected subnet. - - - Default: name resolve order = lmhosts host wins bcast - - Example: name resolve order = lmhosts bcast host - - - This will cause the local lmhosts file to be examined - first, followed by a broadcast attempt, followed by a normal - system hostname lookup. - - + + + This option is used by the programs in the Samba + suite to determine what naming services to use and in what order + to resolve host names to IP addresses. The option takes a space + separated string of name resolution options. + + The options are: "lmhosts", "host", + "wins" and "bcast". 
They cause names to be + resolved as follows: + + + + lmhosts : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + any name type matches for lookup. + + + + host : Do a standard host + name to IP address resolution, using the system /etc/hosts + , NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file. Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored. + + + + wins : Query a name with + the IP address listed in the + wins server parameter. If no WINS server has + been specified this method will be ignored. + + + + bcast : Do a broadcast on + each of the known local interfaces listed in the interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet. + + + + Default: name resolve order = lmhosts host wins bcast + + Example: name resolve order = lmhosts bcast host + + This will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup. + + diff --git a/docs/docbook/smbdotconf/protocol/ntaclsupport.xml b/docs/docbook/smbdotconf/protocol/ntaclsupport.xml index df0d8dc068..64276d51c3 100644 --- a/docs/docbook/smbdotconf/protocol/ntaclsupport.xml +++ b/docs/docbook/smbdotconf/protocol/ntaclsupport.xml 
@@ -1,11 +1,14 @@ - - nt acl support (S) - This boolean parameter controls whether - smbd(8) will attempt to map - UNIX permissions into Windows NT access control lists. - This parameter was formally a global parameter in releases - prior to 2.2.2. + + + This boolean parameter controls whether smbd + 8 will attempt to map + UNIX permissions into Windows NT access control lists. + This parameter was formally a global parameter in releases + prior to 2.2.2. - Default: nt acl support = yes - - + Default: nt acl support = yes + + diff --git a/docs/docbook/smbdotconf/protocol/ntpipesupport.xml b/docs/docbook/smbdotconf/protocol/ntpipesupport.xml index cab2032847..e5c42a7696 100644 --- a/docs/docbook/smbdotconf/protocol/ntpipesupport.xml +++ b/docs/docbook/smbdotconf/protocol/ntpipesupport.xml @@ -1,12 +1,15 @@ - - nt pipe support (G) - This boolean parameter controls whether - smbd - 8 will allow Windows NT - clients to connect to the NT SMB specific IPC$ - pipes. This is a developer debugging option and can be left - alone. + + + This boolean parameter controls whether + smbd + 8 will allow Windows NT + clients to connect to the NT SMB specific IPC$ + pipes. This is a developer debugging option and can be left + alone. - Default: nt pipe support = yes - - + Default: nt pipe support = yes + + diff --git a/docs/docbook/smbdotconf/protocol/ntstatussupport.xml b/docs/docbook/smbdotconf/protocol/ntstatussupport.xml index 17dafa47c5..ecb19128ee 100644 --- a/docs/docbook/smbdotconf/protocol/ntstatussupport.xml +++ b/docs/docbook/smbdotconf/protocol/ntstatussupport.xml 
@@ -1,14 +1,17 @@ - - nt status support (G) - This boolean parameter controls whether smbd(8) will negotiate NT specific status - support with Windows NT/2k/XP clients. This is a developer - debugging option and should be left alone. - If this option is set to no then Samba offers - exactly the same DOS error codes that versions prior to Samba 2.2.3 - reported. + + + This boolean parameter controls whether smbd + 8 will negotiate NT specific status + support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. + If this option is set to no then Samba offers + exactly the same DOS error codes that versions prior to Samba 2.2.3 + reported. - You should not need to ever disable this parameter. + You should not need to ever disable this parameter. - Default: nt status support = yes - - + Default: nt status support = yes + + diff --git a/docs/docbook/smbdotconf/protocol/protocol.xml b/docs/docbook/smbdotconf/protocol/protocol.xml index 5161806cfc..19926649c0 100644 --- a/docs/docbook/smbdotconf/protocol/protocol.xml +++ b/docs/docbook/smbdotconf/protocol/protocol.xml @@ -1,5 +1,9 @@ - - protocol (G) - Synonym for - max protocol. - + + + Synonym for + max protocol. + + diff --git a/docs/docbook/smbdotconf/protocol/readbmpx.xml b/docs/docbook/smbdotconf/protocol/readbmpx.xml index 0bc8f1d10b..0298407cef 100644 --- a/docs/docbook/smbdotconf/protocol/readbmpx.xml +++ b/docs/docbook/smbdotconf/protocol/readbmpx.xml @@ -1,10 +1,15 @@ - - read bmpx (G) - This boolean parameter controls whether smbd(8) will support the "Read - Block Multiplex" SMB. This is now rarely used and defaults to - no. You should never need to set this - parameter. + + + This boolean parameter controls whether + smbd + 8 will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + no. You should never need to set this + parameter. - Default: read bmpx = no - - + Default: read bmpx = no + + 
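Review bot: The description in maxwinsttl.xml still says "This option tells smbd 8 when acting as a WINS server" and then refers to the names "that nmbd will grant", while minwinsttl.xml in this same patch names nmbd in the equivalent sentence. The re-indent carries the mismatch over unchanged; pick one daemon (nmbd, going by the rest of the sentence) and use it in both places.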
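Review bot: minprotocol.xml keeps "the lowest SMB protocol dialect than Samba will support" ("than" should be "that") and "Default :" / "Example :" with a space before the colon, whereas largereadwrite.xml in this patch changes "Default :" to "Default:". Apply the same normalisation here. The added example line also now carries "# disable DOS clients" on the same line as the value; set the remark apart from the value so a reader copying the line does not take it as part of the setting.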
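Review bot: In the host item of nameresolveorder.xml, "This method of name resolution is operating system depended for instance on IRIX or Solaris" is carried over as is; it should read "operating system dependent; for instance, on IRIX or Solaris". The lmhosts item also still cites "lmhosts(5)" in the old form, while other hunks in this patch change "smbd(8)" to the name-plus-section form ("smbd 8"); convert this reference the same way.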
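Review bot: ntaclsupport.xml still reads "This parameter was formally a global parameter in releases prior to 2.2.2"; the intended word is "formerly". Worth fixing in the added lines, since the paragraph is rewritten anyway.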
diff --git a/docs/docbook/smbdotconf/protocol/readraw.xml b/docs/docbook/smbdotconf/protocol/readraw.xml index b867816e84..6b24f39d68 100644 --- a/docs/docbook/smbdotconf/protocol/readraw.xml +++ b/docs/docbook/smbdotconf/protocol/readraw.xml @@ -1,21 +1,24 @@ - - read raw (G) - This parameter controls whether or not the server - will support the raw read SMB requests when transferring data - to clients. + + + This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients. - If enabled, raw reads allow reads of 65535 bytes in - one packet. This typically provides a major performance benefit. - + If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + - However, some clients either negotiate the allowable - block size incorrectly or are incapable of supporting larger block - sizes, and for these clients you may need to disable raw reads. + However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads. - In general this parameter should be viewed as a system tuning - tool and left severely alone. See also - write raw. + In general this parameter should be viewed as a system tuning + tool and left severely alone. See also + write raw. - Default: read raw = yes - - + Default: read raw = yes + + diff --git a/docs/docbook/smbdotconf/protocol/smbports.xml b/docs/docbook/smbdotconf/protocol/smbports.xml index ed088ab9d2..9d06c37964 100644 --- a/docs/docbook/smbdotconf/protocol/smbports.xml +++ b/docs/docbook/smbdotconf/protocol/smbports.xml @@ -1,10 +1,10 @@ - - smb ports (G) - Specifies which ports the server should listen on - for SMB traffic. - + + + Specifies which ports the server should listen on for SMB traffic. - Default: smb ports = 445 139 - - - + Default: smb ports = 445 139 + + 
diff --git a/docs/docbook/smbdotconf/protocol/timeserver.xml b/docs/docbook/smbdotconf/protocol/timeserver.xml index eb1a720a8d..d78f9a456d 100644 --- a/docs/docbook/smbdotconf/protocol/timeserver.xml +++ b/docs/docbook/smbdotconf/protocol/timeserver.xml @@ -1,9 +1,12 @@ - - time server (G) - This parameter determines if nmbd - 8 advertises itself as a time server to Windows - clients. + + + This parameter determines if nmbd + 8 advertises itself as a time server to Windows + clients. - Default: time server = no - - + Default: time server = no + + diff --git a/docs/docbook/smbdotconf/protocol/unicode.xml b/docs/docbook/smbdotconf/protocol/unicode.xml index 866dad28a0..be93cb61e2 100644 --- a/docs/docbook/smbdotconf/protocol/unicode.xml +++ b/docs/docbook/smbdotconf/protocol/unicode.xml @@ -1,11 +1,13 @@ - - unicode (G) - Specifies whether Samba should try - to use unicode on the wire by default. Note: This does NOT - mean that samba will assume that the unix machine uses unicode! - + + + Specifies whether Samba should try + to use unicode on the wire by default. Note: This does NOT + mean that samba will assume that the unix machine uses unicode! + - Default: unicode = yes - - - + Default: unicode = yes + + diff --git a/docs/docbook/smbdotconf/protocol/unixextensions.xml b/docs/docbook/smbdotconf/protocol/unixextensions.xml index d0adde9d27..2f68b9605e 100644 --- a/docs/docbook/smbdotconf/protocol/unixextensions.xml +++ b/docs/docbook/smbdotconf/protocol/unixextensions.xml 
@@ -1,12 +1,15 @@ - - unix extensions(G) - This boolean parameter controls whether Samba - implments the CIFS UNIX extensions, as defined by HP. - These extensions enable Samba to better serve UNIX CIFS clients - by supporting features such as symbolic links, hard links, etc... - These extensions require a similarly enabled client, and are of - no current use to Windows clients. + + + This boolean parameter controls whether Samba + implments the CIFS UNIX extensions, as defined by HP. + These extensions enable Samba to better serve UNIX CIFS clients + by supporting features such as symbolic links, hard links, etc... + These extensions require a similarly enabled client, and are of + no current use to Windows clients. - Default: unix extensions = no - - + Default: unix extensions = no + + diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml index 9e3c873a4b..88c9f1df7a 100644 --- a/docs/docbook/smbdotconf/protocol/usespnego.xml +++ b/docs/docbook/smbdotconf/protocol/usespnego.xml @@ -1,11 +1,15 @@ - - use spnego (G) - This variable controls controls whether samba will try - to use Simple and Protected NEGOciation (as specified by rfc2478) with - WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. - Unless further issues are discovered with our SPNEGO - implementation, there is no reason this should ever be - disabled. - Default: use spnego = yes - - + + + This variable controls controls whether samba will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. + Unless further issues are discovered with our SPNEGO + implementation, there is no reason this should ever be + disabled. + + Default: use spnego = yes + + diff --git a/docs/docbook/smbdotconf/protocol/writeraw.xml b/docs/docbook/smbdotconf/protocol/writeraw.xml index dbaad0130e..e71c54cabd 100644 
--- a/docs/docbook/smbdotconf/protocol/writeraw.xml +++ b/docs/docbook/smbdotconf/protocol/writeraw.xml @@ -1,9 +1,12 @@ - - write raw (G) - This parameter controls whether or not the server - will support raw write SMB's when transferring data from clients. - You should never need to change this parameter. + + + This parameter controls whether or not the server + will support raw write SMB's when transferring data from clients. + You should never need to change this parameter. - Default: write raw = yes - - + Default: write raw = yes + + diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml index afbc458068..1747fbea66 100644 --- a/docs/docbook/smbdotconf/security/serverschannel.xml +++ b/docs/docbook/smbdotconf/security/serverschannel.xml @@ -17,7 +17,7 @@ Please note that with this set to no you will have to apply the WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory. Default: server schannel = auto Example: server schannel = yes diff --git a/docs/docbook/smbdotconf/tuning/blocksize.xml b/docs/docbook/smbdotconf/tuning/blocksize.xml index da42ca9ece..eecf1925e8 100644 --- a/docs/docbook/smbdotconf/tuning/blocksize.xml +++ b/docs/docbook/smbdotconf/tuning/blocksize.xml 
@@ -1,19 +1,22 @@ - - block size (S) - This parameter controls the behavior of smbd - 8 when reporting disk free - sizes. By default, this reports a disk block size of 1024 bytes. - + + + This parameter controls the behavior of smbd + 8 when reporting disk free + sizes. By default, this reports a disk block size of 1024 bytes. + - Changing this parameter may have some effect on the - efficiency of client writes, this is not yet confirmed. This - parameter was added to allow advanced administrators to change - it (usually to a higher value) and test the effect it has on - client write performance without re-compiling the code. As this - is an experimental option it may be removed in a future release. - + Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. + - Changing this option does not change the disk free reporting - size, just the block size unit reported to the client. - - + Changing this option does not change the disk free reporting + size, just the block size unit reported to the client. + + + diff --git a/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml b/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml index 18c8b9a176..471798c269 100644 --- a/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml +++ b/docs/docbook/smbdotconf/tuning/changenotifytimeout.xml 
@@ -1,15 +1,20 @@ - - change notify timeout (G) - This SMB allows a client to tell a server to - "watch" a particular directory for any changes and only reply to - the SMB request when a change has occurred. Such constant scanning of - a directory is expensive under UNIX, hence an smbd - 8 daemon only performs such a scan - on each requested directory once every change notify - timeout seconds. + + + This SMB allows a client to tell a server to + "watch" a particular directory for any changes and only reply to + the SMB request when a change has occurred. Such constant scanning of + a directory is expensive under UNIX, hence an smbd + 8 daemon only performs such a scan + on each requested directory once every change notify + timeout seconds. - Default: change notify timeout = 60 - Example: change notify timeout = 300 + Default: change notify timeout = 60 - Would change the scan time to every 5 minutes. - + Example: change notify timeout = 300 + + Would change the scan time to every 5 minutes. + + diff --git a/docs/docbook/smbdotconf/tuning/deadtime.xml b/docs/docbook/smbdotconf/tuning/deadtime.xml index dbad06f25b..cbbf751862 100644 --- a/docs/docbook/smbdotconf/tuning/deadtime.xml +++ b/docs/docbook/smbdotconf/tuning/deadtime.xml 
@@ -1,23 +1,27 @@ - - deadtime (G) - The value of the parameter (a decimal integer) - represents the number of minutes of inactivity before a connection - is considered dead, and it is disconnected. The deadtime only takes - effect if the number of open files is zero. + + + The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero. - This is useful to stop a server's resources being - exhausted by a large number of inactive connections. + This is useful to stop a server's resources being + exhausted by a large number of inactive connections. - Most clients have an auto-reconnect feature when a - connection is broken so in most cases this parameter should be - transparent to users. + Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users. - Using this parameter with a timeout of a few minutes - is recommended for most systems. + Using this parameter with a timeout of a few minutes + is recommended for most systems. - A deadtime of zero indicates that no auto-disconnection - should be performed. + A deadtime of zero indicates that no auto-disconnection + should be performed. - Default: deadtime = 0 - Example: deadtime = 15 - + Default: deadtime = 0 + Example: deadtime = 15 + + diff --git a/docs/docbook/smbdotconf/tuning/getwdcache.xml b/docs/docbook/smbdotconf/tuning/getwdcache.xml index c797bad414..8c22be9fb5 100644 --- a/docs/docbook/smbdotconf/tuning/getwdcache.xml +++ b/docs/docbook/smbdotconf/tuning/getwdcache.xml 
@@ -1,11 +1,14 @@ - - getwd cache (G) - This is a tuning option. When this is enabled a - caching algorithm will be used to reduce the time taken for getwd() - calls. This can have a significant impact on performance, especially - when the wide links - parameter is set to no. + + + This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the wide links + parameter is set to no. - Default: getwd cache = yes - - + Default: getwd cache = yes + + diff --git a/docs/docbook/smbdotconf/tuning/hostnamelookups.xml b/docs/docbook/smbdotconf/tuning/hostnamelookups.xml index daad09da8b..613fabe42f 100644 --- a/docs/docbook/smbdotconf/tuning/hostnamelookups.xml +++ b/docs/docbook/smbdotconf/tuning/hostnamelookups.xml @@ -1,14 +1,16 @@ - - hostname lookups (G) - Specifies whether samba should use (expensive) - hostname lookups or use the ip addresses instead. An example place - where hostname lookups are currently used is when checking - the hosts deny and hosts allow. - + + + Specifies whether samba should use (expensive) + hostname lookups or use the ip addresses instead. An example place + where hostname lookups are currently used is when checking + the hosts deny and hosts allow. + - Default: hostname lookups = yes + Default: hostname lookups = yes - Example: hostname lookups = no - - - + Example: hostname lookups = no + + diff --git a/docs/docbook/smbdotconf/tuning/keepalive.xml b/docs/docbook/smbdotconf/tuning/keepalive.xml index 746cda929e..1320dfab61 100644 --- a/docs/docbook/smbdotconf/tuning/keepalive.xml +++ b/docs/docbook/smbdotconf/tuning/keepalive.xml 
@@ -1,16 +1,21 @@ - - keepalive (G) - The value of the parameter (an integer) represents - the number of seconds between keepalive - packets. If this parameter is zero, no keepalive packets will be - sent. Keepalive packets, if sent, allow the server to tell whether - a client is still present and responding. + + + The value of the parameter (an integer) represents + the number of seconds between keepalive + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding. - Keepalives should, in general, not be needed if the socket - being used has the SO_KEEPALIVE attribute set on it (see socket options). - Basically you should only use this option if you strike difficulties. + Keepalives should, in general, not be needed if the socket + being used has the SO_KEEPALIVE attribute set on it (see + socket options). + Basically you should only use this option if you strike difficulties. - Default: keepalive = 300 - Example: keepalive = 600 - - + Default: keepalive = 300 + + Example: keepalive = 600 + + diff --git a/docs/docbook/smbdotconf/tuning/maxconnections.xml b/docs/docbook/smbdotconf/tuning/maxconnections.xml index 24af886b60..5127df06f4 100644 --- a/docs/docbook/smbdotconf/tuning/maxconnections.xml +++ b/docs/docbook/smbdotconf/tuning/maxconnections.xml 
@@ -1,16 +1,18 @@ - - max connections (S) - This option allows the number of simultaneous - connections to a service to be limited. If max connections - is greater than 0 then connections will be refused if - this number of connections to the service are already open. A value - of zero mean an unlimited number of connections may be made. + + + This option allows the number of simultaneous connections to a service to be limited. + If max connections is greater than 0 then connections + will be refused if this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made. - Record lock files are used to implement this feature. The - lock files will be stored in the directory specified by the lock directory - option. + Record lock files are used to implement this feature. The lock files will be stored in + the directory specified by the + lock directory option. - Default: max connections = 0 - Example: max connections = 10 - - + Default: max connections = 0 + + Example: max connections = 10 + + diff --git a/docs/docbook/smbdotconf/tuning/maxdisksize.xml b/docs/docbook/smbdotconf/tuning/maxdisksize.xml index 8aebe91902..7d99b31e03 100644 --- a/docs/docbook/smbdotconf/tuning/maxdisksize.xml +++ b/docs/docbook/smbdotconf/tuning/maxdisksize.xml 
@@ -1,24 +1,28 @@ - - max disk size (G) - This option allows you to put an upper limit - on the apparent size of disks. If you set this option to 100 - then all shares will appear to be not larger than 100 MB in - size. + + + This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size. - Note that this option does not limit the amount of - data you can put on the disk. In the above case you could still - store much more than 100 MB on the disk, but if a client ever asks - for the amount of free disk space or the total disk size then the - result will be bounded by the amount specified in max - disk size. + Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in max + disk size. - This option is primarily useful to work around bugs - in some pieces of software that can't handle very large disks, - particularly disks over 1GB in size. + This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size. - A max disk size of 0 means no limit. + A max disk size of 0 means no limit. - Default: max disk size = 0 - Example: max disk size = 1000 - - + Default: max disk size = 0 + + Example: max disk size = 1000 + + diff --git a/docs/docbook/smbdotconf/tuning/maxopenfiles.xml b/docs/docbook/smbdotconf/tuning/maxopenfiles.xml index 85b76a3378..9505b2aaa5 100644 --- a/docs/docbook/smbdotconf/tuning/maxopenfiles.xml +++ b/docs/docbook/smbdotconf/tuning/maxopenfiles.xml 
@@ -1,16 +1,19 @@ - - max open files (G) - This parameter limits the maximum number of - open files that one smbd - 8 file - serving process may have open for a client at any one time. The - default for this parameter is set very high (10,000) as Samba uses - only one bit per unopened file. + + + This parameter limits the maximum number of + open files that one smbd + 8 file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file. - The limit of the number of open files is usually set - by the UNIX per-process file descriptor limit rather than - this parameter so you should never need to touch this parameter. + The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter. - Default: max open files = 10000 - - + Default: max open files = 10000 + + diff --git a/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml b/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml index e46f0185ce..453818ab7d 100644 --- a/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml +++ b/docs/docbook/smbdotconf/tuning/maxsmbdprocesses.xml 
@@ -1,17 +1,18 @@ - - max smbd processes (G) - This parameter limits the maximum number of - smbd(8) - processes concurrently running on a system and is intended - as a stopgap to prevent degrading service to clients in the event - that the server has insufficient resources to handle more than this - number of connections. Remember that under normal operating - conditions, each user will have an smbd - 8 associated with him or her - to handle connections to all shares from a given host. - + + + This parameter limits the maximum number of smbd + 8 processes concurrently running on a system and is intended + as a stopgap to prevent degrading service to clients in the event that the server has insufficient + resources to handle more than this number of connections. Remember that under normal operating + conditions, each user will have an smbd + 8 associated with him or her to handle connections to all + shares from a given host. - Default: max smbd processes = 0 ## no limit - Example: max smbd processes = 1000 - - + Default: max smbd processes = 0 ## no limit + + Example: max smbd processes = 1000 + + diff --git a/docs/docbook/smbdotconf/tuning/minprintspace.xml b/docs/docbook/smbdotconf/tuning/minprintspace.xml index acbb65fa41..0df75af0ab 100644 --- a/docs/docbook/smbdotconf/tuning/minprintspace.xml +++ b/docs/docbook/smbdotconf/tuning/minprintspace.xml 
@@ -1,14 +1,18 @@ - - min print space (S) - This sets the minimum amount of free disk - space that must be available before a user will be able to spool - a print job. It is specified in kilobytes. The default is 0, which - means a user can always spool a print job. + + + This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job. - See also the printing - parameter. + See also the printing + parameter. - Default: min print space = 0 - Example: min print space = 2000 - - + Default: min print space = 0 + + Example: min print space = 2000 + + diff --git a/docs/docbook/smbdotconf/tuning/namecachetimeout.xml b/docs/docbook/smbdotconf/tuning/namecachetimeout.xml index 0500a75c8d..6330760915 100644 --- a/docs/docbook/smbdotconf/tuning/namecachetimeout.xml +++ b/docs/docbook/smbdotconf/tuning/namecachetimeout.xml @@ -1,12 +1,15 @@ - - name cache timeout (G) - Specifies the number of seconds it takes before - entries in samba's hostname resolve cache time out. If - the timeout is set to 0. the caching is disabled. - + + + Specifies the number of seconds it takes before + entries in samba's hostname resolve cache time out. If + the timeout is set to 0. the caching is disabled. + + Default: name cache timeout = 660 - Default: name cache timeout = 660 - Example: name cache timeout = 0 - - + Example: name cache timeout = 0 + + diff --git a/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml b/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml index d60f179176..3fababf01b 100644 --- a/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml +++ b/docs/docbook/smbdotconf/tuning/paranoidserversecurity.xml 
@@ -1,16 +1,18 @@ - - paranoid server security (G) - Some version of NT 4.x allow non-guest - users with a bad passowrd. When this option is enabled, samba will not - use a broken NT 4.x server as password server, but instead complain - to the logs and exit. - + + + Some version of NT 4.x allow non-guest + users with a bad passowrd. When this option is enabled, samba will not + use a broken NT 4.x server as password server, but instead complain + to the logs and exit. + - Disabling this option prevents Samba from making - this check, which involves deliberatly attempting a - bad logon to the remote server. + Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server. - Default: paranoid server security = yes - - - + Default: paranoid server security = yes + + diff --git a/docs/docbook/smbdotconf/tuning/readsize.xml b/docs/docbook/smbdotconf/tuning/readsize.xml index 59c6848c76..c76b810225 100644 --- a/docs/docbook/smbdotconf/tuning/readsize.xml +++ b/docs/docbook/smbdotconf/tuning/readsize.xml 
@@ -1,25 +1,29 @@ - - read size (G) - The option read size - affects the overlap of disk reads/writes with network reads/writes. - If the amount of data being transferred in several of the SMB - commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger - than this value then the server begins writing the data before it - has received the whole packet from the network, or in the case of - SMBreadbraw, it begins writing to the network before all the data - has been read from disk. + + + The option read size + affects the overlap of disk reads/writes with network reads/writes. + If the amount of data being transferred in several of the SMB + commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger + than this value then the server begins writing the data before it + has received the whole packet from the network, or in the case of + SMBreadbraw, it begins writing to the network before all the data + has been read from disk. - This overlapping works best when the speeds of disk and - network access are similar, having very little effect when the - speed of one is much greater than the other. + This overlapping works best when the speeds of disk and + network access are similar, having very little effect when the + speed of one is much greater than the other. - The default value is 16384, but very little experimentation - has been done yet to determine the optimal value, and it is likely - that the best value will vary greatly between systems anyway. - A value over 65536 is pointless and will cause you to allocate - memory unnecessarily. + The default value is 16384, but very little experimentation + has been done yet to determine the optimal value, and it is likely + that the best value will vary greatly between systems anyway. + A value over 65536 is pointless and will cause you to allocate + memory unnecessarily. - Default: read size = 16384 - Example: read size = 8192 - - + Default: read size = 16384 + + Example: read size = 8192 + + 
diff --git a/docs/docbook/smbdotconf/tuning/socketoptions.xml b/docs/docbook/smbdotconf/tuning/socketoptions.xml index 3acc259083..5684ac5bca 100644 --- a/docs/docbook/smbdotconf/tuning/socketoptions.xml +++ b/docs/docbook/smbdotconf/tuning/socketoptions.xml 
@@ -1,69 +1,75 @@ - - socket options (G) - This option allows you to set socket options - to be used when talking with the client. - - Socket options are controls on the networking layer - of the operating systems which allow the connection to be - tuned. - - This option will typically be used to tune your Samba - server for optimal performance for your local network. There is - no way that Samba can know what the optimal parameters are for - your net, so you must experiment and choose them yourself. We - strongly suggest you read the appropriate documentation for your - operating system first (perhaps man setsockopt - will help). - - You may find that on some systems Samba will say - "Unknown socket option" when you supply an option. This means you - either incorrectly typed it or you need to add an include file - to includes.h for your OS. If the latter is the case please - send the patch to - samba@samba.org. - - Any of the supported socket options may be combined - in any way you like, as long as your OS allows it. - - This is the list of socket options currently settable - using this option: - - - SO_KEEPALIVE - SO_REUSEADDR - SO_BROADCAST - TCP_NODELAY - IPTOS_LOWDELAY - IPTOS_THROUGHPUT - SO_SNDBUF * - SO_RCVBUF * - SO_SNDLOWAT * - SO_RCVLOWAT * - - - Those marked with a '*' take an integer - argument. The others can optionally take a 1 or 0 argument to enable - or disable the option, by default they will be enabled if you - don't specify 1 or 0. - - To specify an argument use the syntax SOME_OPTION = VALUE - for example SO_SNDBUF = 8192. Note that you must - not have any spaces before or after the = sign. - - If you are on a local network then a sensible option - might be - socket options = IPTOS_LOWDELAY - - If you have a local network then you could try: - socket options = IPTOS_LOWDELAY TCP_NODELAY - - If you are on a wide area network then perhaps try - setting IPTOS_THROUGHPUT. 
- - Note that several of the options may cause your Samba - server to fail completely. Use these options with caution! - - Default: socket options = TCP_NODELAY - Example: socket options = IPTOS_LOWDELAY - - + + + This option allows you to set socket options + to be used when talking with the client. + + Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned. + + This option will typically be used to tune your Samba server + for optimal performance for your local network. There is no way + that Samba can know what the optimal parameters are for your net, + so you must experiment and choose them yourself. We strongly + suggest you read the appropriate documentation for your operating + system first (perhaps man + setsockopt will help). + + You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to + samba-technical@samba.org. + + Any of the supported socket options may be combined + in any way you like, as long as your OS allows it. + + This is the list of socket options currently settable + using this option: + + + SO_KEEPALIVE + SO_REUSEADDR + SO_BROADCAST + TCP_NODELAY + IPTOS_LOWDELAY + IPTOS_THROUGHPUT + SO_SNDBUF * + SO_RCVBUF * + SO_SNDLOWAT * + SO_RCVLOWAT * + + + Those marked with a '*' take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0. + + To specify an argument use the syntax SOME_OPTION = VALUE + for example SO_SNDBUF = 8192. Note that you must + not have any spaces before or after the = sign. 
+ + If you are on a local network then a sensible option + might be: + + socket options = IPTOS_LOWDELAY + + If you have a local network then you could try: + + socket options = IPTOS_LOWDELAY TCP_NODELAY + + If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. + + Note that several of the options may cause your Samba + server to fail completely. Use these options with caution! + + Default: socket options = TCP_NODELAY + + Example: socket options = IPTOS_LOWDELAY + + diff --git a/docs/docbook/smbdotconf/tuning/statcachesize.xml b/docs/docbook/smbdotconf/tuning/statcachesize.xml index fe7d3a7be2..0c8d4e0c72 100644 --- a/docs/docbook/smbdotconf/tuning/statcachesize.xml +++ b/docs/docbook/smbdotconf/tuning/statcachesize.xml @@ -1,9 +1,12 @@ - - stat cache size (G) - This parameter determines the number of - entries in the stat cache. You should - never need to change this parameter. + + + This parameter determines the number of + entries in the stat cache. You should + never need to change this parameter. - Default: stat cache size = 50 - - + Default: stat cache size = 50 + + diff --git a/docs/docbook/smbdotconf/tuning/strictallocate.xml b/docs/docbook/smbdotconf/tuning/strictallocate.xml index 7b33ef3fc3..0d11519b04 100644 --- a/docs/docbook/smbdotconf/tuning/strictallocate.xml +++ b/docs/docbook/smbdotconf/tuning/strictallocate.xml 
@@ -1,21 +1,23 @@ - - strict allocate (S) - This is a boolean that controls the handling of - disk space allocation in the server. When this is set to yes - the server will change from UNIX behaviour of not committing real - disk storage blocks when a file is extended to the Windows behaviour - of actually forcing the disk system to allocate real storage blocks - when a file is created or extended to be a given size. In UNIX - terminology this means that Samba will stop creating sparse files. - This can be slow on some systems. + + + This is a boolean that controls the handling of + disk space allocation in the server. When this is set to yes + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems. - When strict allocate is no the server does sparse - disk block allocation when a file is extended. + When strict allocate is no the server does sparse + disk block allocation when a file is extended. - Setting this to yes can help Samba return - out of quota messages on systems that are restricting the disk quota - of users. + Setting this to yes can help Samba return + out of quota messages on systems that are restricting the disk quota + of users. - Default: strict allocate = no - - + Default: strict allocate = no + + diff --git a/docs/docbook/smbdotconf/tuning/strictsync.xml b/docs/docbook/smbdotconf/tuning/strictsync.xml index b228f7cfcb..693806a503 100644 --- a/docs/docbook/smbdotconf/tuning/strictsync.xml +++ b/docs/docbook/smbdotconf/tuning/strictsync.xml 
@@ -1,23 +1,25 @@ - - strict sync (S) - Many Windows applications (including the Windows - 98 explorer shell) seem to confuse flushing buffer contents to - disk with doing a sync to disk. Under UNIX, a sync call forces - the process to be suspended until the kernel has ensured that - all outstanding data in kernel disk buffers has been safely stored - onto stable storage. This is very slow and should only be done - rarely. Setting this parameter to no (the - default) means that smbd - 8 ignores the Windows applications requests for - a sync call. There is only a possibility of losing data if the - operating system itself that Samba is running on crashes, so there is - little danger in this default setting. In addition, this fixes many - performance problems that people have reported with the new Windows98 - explorer shell file copies. + + + Many Windows applications (including the Windows 98 explorer + shell) seem to confuse flushing buffer contents to disk with doing + a sync to disk. Under UNIX, a sync call forces the process to be + suspended until the kernel has ensured that all outstanding data in + kernel disk buffers has been safely stored onto stable storage. + This is very slow and should only be done rarely. Setting this + parameter to no (the default) means that + smbd + 8 ignores the Windows + applications requests for a sync call. There is only a possibility + of losing data if the operating system itself that Samba is running + on crashes, so there is little danger in this default setting. In + addition, this fixes many performance problems that people have + reported with the new Windows98 explorer shell file copies. - See also the sync - always> parameter. + See also the sync + always> parameter. - Default: strict sync = no - - + Default: strict sync = no + + diff --git a/docs/docbook/smbdotconf/tuning/syncalways.xml b/docs/docbook/smbdotconf/tuning/syncalways.xml index c5c32343a7..dca33eb802 100644 
--- a/docs/docbook/smbdotconf/tuning/syncalways.xml +++ b/docs/docbook/smbdotconf/tuning/syncalways.xml @@ -1,19 +1,21 @@ - - sync always (S) - This is a boolean parameter that controls - whether writes will always be written to stable storage before - the write call returns. If this is no then the server will be - guided by the client's request in each write call (clients can - set a bit indicating that a particular write should be synchronous). - If this is yes then every write will be followed by a fsync() - call to ensure the data is written to disk. Note that - the strict sync parameter must be set to - yes in order for this parameter to have - any affect. + + + This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is no then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is yes then every write will be followed by a fsync() + call to ensure the data is written to disk. Note that + the strict sync parameter must be set to + yes in order for this parameter to have + any affect. - See also the strict - sync parameter. + See also the strict + sync parameter. - Default: sync always = no - - + Default: sync always = no + + diff --git a/docs/docbook/smbdotconf/tuning/usemmap.xml b/docs/docbook/smbdotconf/tuning/usemmap.xml index 46fa4600de..1e79e07ef3 100644 --- a/docs/docbook/smbdotconf/tuning/usemmap.xml +++ b/docs/docbook/smbdotconf/tuning/usemmap.xml 
@@ -1,14 +1,17 @@ - - use mmap (G) - This global parameter determines if the tdb internals of Samba can - depend on mmap working correctly on the running system. Samba requires a coherent - mmap/read-write system memory cache. Currently only HPUX does not have such a - coherent cache, and so this parameter is set to no by - default on HPUX. On all other systems this parameter should be left alone. This - parameter is provided to help the Samba developers track down problems with - the tdb internal code. - + + + This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to no by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + - Default: use mmap = yes - - + Default: use mmap = yes + + diff --git a/docs/docbook/smbdotconf/tuning/usesendfile.xml b/docs/docbook/smbdotconf/tuning/usesendfile.xml index 5f2dcb72a9..6bbd651549 100644 --- a/docs/docbook/smbdotconf/tuning/usesendfile.xml +++ b/docs/docbook/smbdotconf/tuning/usesendfile.xml 
@@ -1,14 +1,15 @@ - - use sendfile (S) - If this parameter is yes, and Samba - was built with the --with-sendfile-support option, and the underlying operating - system supports sendfile system call, then some SMB read calls (mainly ReadAndX - and ReadRaw) will use the more efficient sendfile system call for files that - are exclusively oplocked. This may make more efficient use of the system CPU's - and cause Samba to be faster. This is off by default as it's effects are unknown - as yet. - + + + If this parameter is yes, and Samba + was built with the --with-sendfile-support option, and the underlying operating + system supports sendfile system call, then some SMB read calls (mainly ReadAndX + and ReadRaw) will use the more efficient sendfile system call for files that + are exclusively oplocked. This may make more efficient use of the system CPU's + and cause Samba to be faster. This is off by default as it's effects are unknown + as yet. - Default: use sendfile = no - - + Default: use sendfile = no + + diff --git a/docs/docbook/smbdotconf/tuning/writecachesize.xml b/docs/docbook/smbdotconf/tuning/writecachesize.xml index b54a0e4fd6..8b5fbe66bd 100644 --- a/docs/docbook/smbdotconf/tuning/writecachesize.xml +++ b/docs/docbook/smbdotconf/tuning/writecachesize.xml 
@@ -1,27 +1,30 @@ - - write cache size (S) - If this integer parameter is set to non-zero value, - Samba will create an in-memory cache for each oplocked file - (it does not do this for - non-oplocked files). All writes that the client does not request - to be flushed directly to disk will be stored in this cache if possible. - The cache is flushed onto disk when a write comes in whose offset - would not fit into the cache or when the file is closed by the client. - Reads for the file are also served from this cache if the data is stored - within it. + + + If this integer parameter is set to non-zero value, + Samba will create an in-memory cache for each oplocked file + (it does not do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it. - This cache allows Samba to batch client writes into a more - efficient write size for RAID disks (i.e. writes may be tuned to - be the RAID stripe size) and can improve performance on systems - where the disk subsystem is a bottleneck but there is free - memory for userspace programs. + This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (i.e. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs. - The integer parameter specifies the size of this cache - (per oplocked file) in bytes. + The integer parameter specifies the size of this cache + (per oplocked file) in bytes. - Default: write cache size = 0 - Example: write cache size = 262144 + Default: write cache size = 0 - for a 256k cache size per file. 
- - + Example: write cache size = 262144 + + for a 256k cache size per file. + + -- cgit From 06adce2adc52bd91ba8f74bd2ac1d0e75656b436 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 7 Apr 2003 00:22:03 +0000 Subject: Adding InterdomainTrusts.sgml (This used to be commit 5214eb7d6a6098c7b06819224bc3325a3df0e309) --- docs/docbook/projdoc/samba-doc.sgml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 9c3861b8c3..dc339db4aa 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -32,6 +32,7 @@ + ]> @@ -117,6 +118,7 @@ part each cover one specific feature. &AdvancedNetworkAdmin; &PolicyMgmt; &ProfileMgmt; +&Trusts; &Samba-PAM; &VFS; &MS-Dfs-Setup; -- cgit From 094df785ea671eeec0a28e595da8debcf9970555 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 7 Apr 2003 00:22:38 +0000 Subject: Adding Rafal's docs on InterdomainTrusts. (This used to be commit 5af34d90c314ef840a42b87f2d8b6c89bc2471aa) --- docs/docbook/projdoc/InterdomainTrusts.sgml | 218 ++++++++++++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 docs/docbook/projdoc/InterdomainTrusts.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml new file mode 100644 index 0000000000..20422f9b45 --- /dev/null +++ b/docs/docbook/projdoc/InterdomainTrusts.sgml 
@@ -0,0 +1,218 @@ + + + &author.jht; + &author.mimir; + April 3, 2003 + + +Interdomain Trust Relationships + + +Samba-3 supports NT4 style domain trust relationships. This is feature that many sites +will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to +adopt Active Directory or an LDAP based authentication back end. This section explains +some background information regarding trust relationships and how to create them. It is now +possible for Samba3 to NT4 trust (and vica versa), as well as Samba3 to Samba3 trusts. + + + +Trust Relationship Background + + +MS Windows NT3.x/4.0 type security domains employ a non-hierchical security structure. +The limitations of this architecture as it affects the scalability of MS Windows networking +in large organisations is well known. Additionally, the flat-name space that results from +this design significantly impacts the delegation of administrative responsibilities in +large and diverse organisations. + + + +Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means +of circumventing the limitations of the older technologies. Not every organisation is ready +or willing to embrace ADS. For small companies the older NT4 style domain security paradigm +is quite adequate, there thus remains an entrenched user base for whom there is no direct +desire to go through a disruptive change to adopt ADS. + + + +Microsoft introduced with MS Windows NT the ability to allow differing security domains +to affect a mechanism so that users from one domain may be given access rights and privilidges +in another domain. The language that describes this capability is couched in terms of +Trusts. Specifically, one domain will trust the users +from another domain. The domain from which users are available to another security domain is +said to be a trusted domain. The domain in which those users have assigned rights and privilidges +is the trusting domain. 
With NT3.x/4.0 all trust relationships are always in one direction only, +thus if users in both domains are to have privilidges and rights in each others' domain, then it is +necessary to establish two (2) relationships, one in each direction. + + + +In an NT4 style MS security domain, all trusts are non-transitive. This means that if there +are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust +relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no +implied trust between the RED and BLUE domains. ie: Relationships are explicit and not +transitive. + + + +New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way +by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE +domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is +an inherent feature of ADS domains. + + + + + +MS Windows NT4 Trust Configuration + + +There are two steps to creating an inter-domain trust relationship. + + +NT4 as the Trusting Domain + + +For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. +To affect a two way trust relationship it is necessary for each domain administrator to make +available (for use by an external domain) it's security resources. This is done from the Domain +User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then +next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and +"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that +will be able to assign user rights to your domain. In addition it is necessary to enter a password +that is specific to this trust relationship. The password is added twice. 
+ + + + + +NT4 as the Trusted Domain + + +A trust relationship will work only when the other (trusting) domain makes the appropriate connections +with the trusted domain. To consumate the trust relationship the administrator will launch the +Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the +"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in +which must be entered the name of the remote domain as well as the password assigned to that trust. + + + + + + +Configuring Samba Domain Trusts + + +This descitpion is meant to be a fairly short introduction about how to set up a Samba server so +that it could participate in interdomain trust relationships. Trust relationship support in Samba +is in its early stage, so lot of things don't work yet. Paricularly, the contents of this document +applies to NT4-style trusts. + + + +Each of the procedures described below is treated as they were performed with Windows NT4 Server on +one end. The other end could just as well be another Samba3 domain. It can be clearly seen, after +reading this document, that combining Samba-specific parts of what's written below leads to trust +between domains in purely Samba environment. + + + +Samba3 as the Trusting Domain + + +In order to set Samba PDC to be trusted party of the relationship first you need +to create special account for domain that will be the trusting party. To do that, +you can use 'smbpasswd' utility. Creating the trusted domain account is very +similiar to creating the connection to the trusting machine's account. Suppose, +your domain is called SAMBA, and the remote domain is called RUMBA. 
Your first +step will be to issue this command from your favourite shell: + + + + + deity# smbpasswd -a -i rumba + New SMB password: XXXXXXXX + Retype SMB password: XXXXXXXX + Added user rumba$ + + where: + -a means to add a new account into the passdb database + -i means create this account with the Inter-Domain trust flag + + The account name will be 'rumba$' (the name ofthe remote domain) + + + + +fter issuing this command you'll be asked for typing account's +password. You can use any password you want, but be aware that Windows NT will +not change this password until 7 days have passed since account creating. +After command returns successfully, you can look at your new account's entry +(in the way depending on your configuration) and see that account's name is +really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm +the trust by establishing it from Windows NT Server. + + + +Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. +Right beside 'Trusted domains' list press 'Add...' button. You'll be prompted for +trusted domain name and the relationship's password. Type in SAMBA, as this is +your domain name and the password you've just used during account creation. +Press OK and if everything went fine, you will see 'Trusted domain relationship +successfully established' message. Well done. + + + + +Samba3 as the Trusted Domain + + +This time activities are somewhat reversed. Again, we'll assume that your domain +controlled by Samba PDC is called SAMBA and NT-controlled domain is called RUMBA. + + + +The very first thing is to add account for SAMBA domain on RUMBA's PDC. + + + +Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. +Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted +domein (SAMBA) and password securing the relationship. 
+ + + +Password can be arbitrarily chosen the more, because it's easy to change it +from Samba server whenever you want. After confirming password your account is +ready and waiting. Now it's Samba's turn. + + + +Using your favourite shell while being logged on as root, issue this command: + + + + + deity# net rpc trustdom establish rumba + + + + +You'll be prompted for password you've just typed on your Windows NT4 Server box. +Don't worry if you will see the error message with returned code of +NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the +password you gave is correct and the NT4 Server says the account is ready for trusting your domain +and not for ordinary connection. After that, be patient it can take a while (especially +in large networks), you should see 'Success' message. Contgratulations! Your trust +relationship has just been established. + + + +Note that you have to run this command as root, since you need write access to +your secrets.tdb file. + + + + + + -- cgit From 7ba4758b41ddd6cd17f85b32aa7de6dfd77147ca Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 7 Apr 2003 05:59:46 +0000 Subject: Added description for lookupdomain SAMR function. (This used to be commit 6d19788352ca16fe771961ead7bb9da074eff13e) --- docs/docbook/manpages/rpcclient.1.sgml | 1 + 1 file changed, 1 insertion(+) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml index 39a1e512c0..789ed6b5cf 100644 --- a/docs/docbook/manpages/rpcclient.1.sgml +++ b/docs/docbook/manpages/rpcclient.1.sgml @@ -201,6 +201,7 @@ deletedomuserDelete domain user samquerysecobjQuery SAMR security object getdompwinfoRetrieve domain password info + lookupdomainLook up domain -- cgit From dfbe7836353f75c2e52059f8a54672e38ad2173f Mon Sep 17 00:00:00 2001 
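Review bot: In InterdomainTrusts.sgml the section titled "Samba3 as the Trusting Domain" opens with "In order to set Samba PDC to be trusted party of the relationship", so the title and its body disagree about the direction of the trust. Both Samba sections also give the same NT-side step (press Add beside the "Trusted Domains" list and enter SAMBA), even though the second one starts with "This time activities are somewhat reversed"; one of the two should point at the other list. Please settle which direction each section describes and check the two NT4 titles against the "Permitted to Trust this Domain" and "Trusted Domains" boxes in the same way, because a reader following the wrong section grants trust in the direction they did not intend. Smaller points in the same file: the dropped first letter in "fter issuing this command", and the spellings "descitpion", "Paricularly", "domein", "Contgratulations", "consumate" and "privilidges". Since the password is what secures the relationship, "You can use any password you want" and "Password can be arbitrarily chosen the more" would read better as advice to pick a strong one.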
From: Jelmer Vernooij Date: Mon, 7 Apr 2003 12:30:58 +0000 Subject: tallocdump has been removed (This used to be commit af07c2642d1ddd04e169772985801d8a5c559d83) --- docs/docbook/manpages/smbcontrol.1.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/smbcontrol.1.sgml b/docs/docbook/manpages/smbcontrol.1.sgml index e19aabedc7..c118a7b194 100644 --- a/docs/docbook/manpages/smbcontrol.1.sgml +++ b/docs/docbook/manpages/smbcontrol.1.sgml @@ -238,7 +238,7 @@ - tallocdump and pool-usage + pool-usage Print a human-readable description of all talloc(pool) memory usage by the specified daemon/process. Available for both smbd and nmbd. -- cgit From c6ffda4f7627c9596288cd7d4272f2d6a2cef593 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 7 Apr 2003 13:46:13 +0000 Subject: Add note about patch from sun that improves performance on Solaris. (Thanks Joe Meslovich). (This used to be commit 1db51176f4a6c676d041abd47db6c4026ded30f1) --- docs/docbook/projdoc/Portability.sgml | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index 61a694e130..39ed37585f 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml 
@@ -180,9 +180,42 @@ Corrective Action: Delete the entry after the word loopback Sequential Read Ahead -Disabling Sequential Read Ahead using "vmtune -r 0" improves +Disabling Sequential Read Ahead using vmtune -r 0 improves samba performance significally. + + +Solaris + +Some people have been experiencing problems with F_SETLKW64/fcntl +when running samba on solaris. The built in file locking mechanism was +not scalable. Performance would degrade to the point where processes would +get into loops of trying to lock a file. It woul try a lock, then fail, +then try again. The lock attempt was failing before the grant was +occurring. So the visible manifestation of this would be a handful of +processes stealing all of the CPU, and when they were trussed they would +be stuck if F_SETLKW64 loops. + + + +Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7 +has not been released yet. + + + +The patch revision for 2.6 is 105181-34 +for 8 is 108528-19 +and for 9 is 112233-04 + + + +After the install of these patches it is recommended to reconfigure +and rebuild samba. + + +Thanks to Joe Meslovich for reporting + + -- cgit From 705db2effac38df9aaefa9cc6baa9614207b26af Mon Sep 17 00:00:00 2001 
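Review bot: In the new Solaris section of Portability.sgml, the last sentence of the first paragraph reads "they would be stuck if F_SETLKW64 loops", which should be "stuck in F_SETLKW64 loops", and "It woul try a lock" is missing a letter. The three patch revisions (105181-34, 108528-19, 112233-04) are run into one sentence with no punctuation; a short list keyed by Solaris release would be easier to check against an installed system. "The patch for Solaris 7 has not been released yet" will go stale, so consider dating that statement. The section also recommends reconfiguring and rebuilding samba after the patches are installed without saying why; one sentence giving the reason would help.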
From: Jelmer Vernooij Date: Mon, 7 Apr 2003 13:51:11 +0000 Subject: - Add &author.mimir; entity - Several smaller layout and typo fixes (This used to be commit 96aa93ea4f56ef069c3127547296581f8e0ce3bd) --- docs/docbook/global.ent | 20 +++ docs/docbook/projdoc/ADS-HOWTO.sgml | 10 +- docs/docbook/projdoc/Browsing-Quickguide.sgml | 15 +- docs/docbook/projdoc/Browsing.sgml | 38 ++--- docs/docbook/projdoc/Bugs.sgml | 8 +- docs/docbook/projdoc/CUPS-printing.sgml | 22 +-- docs/docbook/projdoc/Compiling.sgml | 12 +- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 6 +- docs/docbook/projdoc/Diagnosis.sgml | 158 ++++++++++----------- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 6 +- docs/docbook/projdoc/Integrating-with-Windows.sgml | 4 +- docs/docbook/projdoc/NT_Security.sgml | 3 +- docs/docbook/projdoc/ProfileMgmt.sgml | 26 ++-- docs/docbook/projdoc/UNIX_INSTALL.sgml | 53 ++++--- docs/docbook/projdoc/samba-doc.sgml | 9 +- docs/docbook/projdoc/securing-samba.sgml | 6 +- docs/docbook/projdoc/security_level.sgml | 8 +- docs/docbook/projdoc/unicode.sgml | 2 - docs/docbook/projdoc/upgrading-to-3.0.sgml | 2 +- 19 files changed, 209 insertions(+), 199 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 26c774820f..cfcd44e50a 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -74,6 +74,14 @@ '> + + RafalSzczesniak + + Samba Team +
mimir@samba.org
+
+'> @@ -358,3 +366,15 @@ an Active Directory environment. &stdarg.authfile; &stdarg.username; '> + + +smbd'> +nmbd'> +testparm'> +smb.conf'> +smbclient'> +winbindd'> +smbgroupedit'> + + + diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 8146df0781..d08833b7fd 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -74,12 +74,12 @@ its netbios name. If you don't get this right then you will get a -If all you want is kerberos support in smbclient then you can skip -straight to Test with smbclient now. +If all you want is kerberos support in &smbclient; then you can skip +straight to Test with &smbclient; now. Creating a computer account and testing your servers is only needed if you want kerberos -support for smbd and winbindd. +support for &smbd; and &winbindd;. @@ -120,11 +120,11 @@ server? Does it have an encoding type of DES-CBC-MD5 ? -Testing with smbclient +Testing with &smbclient; On your Samba server try to login to a Win2000 server or your Samba -server using smbclient and kerberos. Use smbclient as usual, but +server using &smbclient; and kerberos. Use &smbclient; as usual, but specify the -k option to choose kerberos authentication. diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index a2b67983f8..ed5b9a61af 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -44,7 +44,7 @@ implements browse list collation using unicast UDP. Secondly, in those networks where Samba is the only SMB server technology -wherever possible nmbd should be configured on one (1) machine as the WINS +wherever possible &nmbd; should be configured on one (1) machine as the WINS server. This makes it easy to manage the browsing environment. If each network segment is configured with it's own Samba WINS server, then the only way to get cross segment browsing to work is by using the 
@@ -65,7 +65,7 @@ been committed, but it still needs maturation. Right now samba WINS does not support MS-WINS replication. This means that -when setting up Samba as a WINS server there must only be one nmbd configured +when setting up Samba as a WINS server there must only be one &nmbd; configured as a WINS server on the network. Some sites have used multiple Samba WINS servers for redundancy (one server per subnet) and then used remote browse sync and remote announce @@ -294,11 +294,12 @@ To configure Samba to register with a WINS server just add "wins server = a.b.c.d" to your smb.conf file [globals] section. - -DO NOT EVER use both "wins support = yes" together -with "wins server = a.b.c.d" particularly not using it's own IP address. -Specifying both will cause nmbd to refuse to start! - + +Never use both wins support = yes together +with wins server = a.b.c.d +particularly not using it's own IP address. +Specifying both will cause &nmbd; to refuse to start! + diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml index 43cc498618..ca2f6dc57b 100644 --- a/docs/docbook/projdoc/Browsing.sgml +++ b/docs/docbook/projdoc/Browsing.sgml @@ -46,8 +46,8 @@ that can NOT be provided by any other means of name resolution. Browsing support in samba -Samba facilitates browsing. The browsing is supported by nmbd -and is also controlled by options in the smb.conf file (see smb.conf(5)). +Samba facilitates browsing. The browsing is supported by &nmbd; +and is also controlled by options in the &smb.conf; file. Samba can act as a local browse master for a workgroup and the ability for samba to support domain logons and scripts is now available. @@ -80,7 +80,7 @@ recommended that you use one and only one Samba server as your WINS server. To get browsing to work you need to run nmbd as usual, but will need -to use the workgroup option in smb.conf +to use the workgroup option in &smb.conf; to control what workgroup Samba becomes a part of. 
@@ -89,7 +89,7 @@ Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for example. See remote announce in the -smb.conf man page. +&smb.conf; man page. @@ -128,7 +128,7 @@ server resources. The other big problem people have is that their broadcast address, netmask or IP address is wrong (specified with the "interfaces" option -in smb.conf) +in &smb.conf;) @@ -160,7 +160,7 @@ Remember, for browsing across subnets to work correctly, all machines, be they Windows 95, Windows NT, or Samba servers must have the IP address of a WINS server given to them by a DHCP server, or by manual configuration (for Win95 and WinNT, this is in the TCP/IP Properties, under Network -settings) for Samba this is in the smb.conf file. +settings) for Samba this is in the &smb.conf; file. @@ -412,7 +412,7 @@ If either router R1 or R2 fails the following will occur: Either a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must -add the following option to the smb.conf file on the selected machine : +add the following option to the &smb.conf; file on the selected machine : in the [globals] section add the line @@ -459,7 +459,7 @@ the Samba machine IP address in the "Primary WINS Server" field of the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs in Windows 95 or Windows NT. To tell a Samba server the IP address of the WINS server add the following line to the [global] section of -all smb.conf files : +all &smb.conf; files : @@ -472,7 +472,7 @@ machine or its IP address. -Note that this line MUST NOT BE SET in the smb.conf file of the Samba +Note that this line MUST NOT BE SET in the &smb.conf; file of the Samba server acting as the WINS server itself. If you set both the wins support = yes option and the wins server = <name> option then 
@@ -510,7 +510,7 @@ cross subnet browsing possible for a workgroup. In an WORKGROUP environment the domain master browser must be a Samba server, and there must only be one domain master browser per workgroup name. To set up a Samba server as a domain master browser, -set the following option in the [global] section of the smb.conf file : +set the following option in the [global] section of the &smb.conf; file : @@ -520,7 +520,7 @@ set the following option in the [global] section of the smb.conf file : The domain master browser should also preferrably be the local master browser for its own subnet. In order to achieve this set the following -options in the [global] section of the smb.conf file : +options in the [global] section of the &smb.conf; file : @@ -545,7 +545,7 @@ able to do this, as will Windows 9x machines (although these tend to get rebooted more often, so it's not such a good idea to use these). To make a Samba server a local master browser set the following options in the [global] section of the -smb.conf file : +&smb.conf; file : @@ -575,7 +575,7 @@ If you have an NT machine on the subnet that you wish to be the local master browser then you can disable Samba from becoming a local master browser by setting the following options in the [global] section of the -smb.conf file : +&smb.conf; file : @@ -607,7 +607,7 @@ For subnets other than the one containing the Windows NT PDC you may set up Samba servers as local master browsers as described. To make a Samba server a local master browser set the following options in the [global] section -of the smb.conf file : +of the &smb.conf; file : @@ -634,7 +634,7 @@ If you have Windows NT machines that are members of the domain on all subnets, and you are sure they will always be running then you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options -in the [global] section of the smb.conf +in the [global] section of the &smb.conf; file : 
@@ -662,7 +662,7 @@ elections to just about anyone else. If you want Samba to win elections then just set the os level global -option in smb.conf to a higher number. It defaults to 0. Using 34 +option in &smb.conf; to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!) @@ -676,7 +676,7 @@ NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. If you want samba to force an election on startup, then set the -preferred master global option in smb.conf to "yes". Samba will +preferred master global option in &smb.conf; to "yes". Samba will then have a slight advantage over other potential master browsers that are not preferred master browsers. Use this parameter with care, as if you have two hosts (whether they are windows 95 or NT or @@ -712,7 +712,7 @@ the current domain master browser fail. The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can make samba act as the domain master by setting domain master = yes -in smb.conf. By default it will not be a domain master. +in &smb.conf;. By default it will not be a domain master. @@ -801,7 +801,7 @@ that browsing and name lookups won't work. Samba now supports machines with multiple network interfaces. If you have multiple interfaces then you will need to use the interfaces -option in smb.conf to configure them. See smb.conf(5) for details. +option in &smb.conf; to configure them. diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index 9c6be75c8d..d3525f5f95 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml 
@@ -87,7 +87,7 @@ detail, but may use too much disk space. To set the debug level use log level = in your -smb.conf. You may also find it useful to set the log +&smb.conf;. You may also find it useful to set the log level higher for just one machine and keep separate logs for each machine. To do this use: @@ -102,17 +102,17 @@ include = /usr/local/samba/lib/smb.conf.%m then create a file /usr/local/samba/lib/smb.conf.machine where machine is the name of the client you wish to debug. In that file -put any smb.conf commands you want, for example +put any &smb.conf; commands you want, for example log level= may be useful. This also allows you to experiment with different security systems, protocol levels etc on just one machine. -The smb.conf entry log level = +The &smb.conf; entry log level = is synonymous with the entry debuglevel = that has been used in older versions of Samba and is being retained for backwards -compatibility of smb.conf files. +compatibility of &smb.conf; files. diff --git a/docs/docbook/projdoc/CUPS-printing.sgml b/docs/docbook/projdoc/CUPS-printing.sgml index eb59695b04..fd954cc1c5 100644 --- a/docs/docbook/projdoc/CUPS-printing.sgml +++ b/docs/docbook/projdoc/CUPS-printing.sgml @@ -50,10 +50,10 @@ new features, which make it different from other, more traditional printing syst -Configuring <filename>smb.conf</filename> for CUPS +Configuring &smb.conf; for CUPS -Printing with CUPS in the most basic smb.conf +Printing with CUPS in the most basic &smb.conf; setup in Samba-3 only needs two settings: printing = cups and printcap = cups. While CUPS itself doesn't need a printcap anymore, the cupsd.conf configuration file knows two directives 
@@ -87,7 +87,7 @@ present on other OS platforms, or its function may be embodied by a different co The line "libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)" shows there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups is set, then any -otherwise manually set print command in smb.conf is ignored. +otherwise manually set print command in &smb.conf; is ignored. @@ -122,7 +122,7 @@ operation. Firstly, to enable CUPS based printing from Samba the following options must be -enabled in your smb.conf file [globals] section: +enabled in your &smb.conf; file [globals] section: printing = CUPS @@ -130,7 +130,7 @@ enabled in your smb.conf file [globals] section: printcap = CUPS -When these parameters are specified the print directives in smb.conf (as well as in +When these parameters are specified the print directives in &smb.conf; (as well as in samba itself) will be ignored because samba will directly interface with CUPS through it's application program interface (API) - so long as Samba has been compiled with CUPS library (libcups) support. If samba has NOT been compiled with CUPS support then @@ -402,7 +402,7 @@ promising... The cupsadsmb utility (shipped with all current CUPS versions) makes the sharing of any (or all) installed CUPS printers very -easy. Prior to using it, you need the following settings in smb.conf: +easy. Prior to using it, you need the following settings in &smb.conf;: [global] 
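Review bot: The unchanged context line at the top of the @@ -402,7 hunk still spells the utility "cupsadsmb", while the CUPS tool is cupsaddsmb. Since this commit is a typo pass over the same paragraph, correct the name here so that readers searching for the command or its man page can find it.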
@@ -1661,8 +1661,8 @@ on the avarage and peak printing load the server should be able to handle. Samba print files pass thru two "spool" directories. One the incoming directory -managed by Samba, (set eg: in the "path = /var/spool/samba" directive in the [printers] -section of "smb.conf"). Second is the spool directory of your UNIX print subsystem. +managed by Samba, (set eg: in the path = /var/spool/samba directive in the [printers] +section of &smb.conf;). Second is the spool directory of your UNIX print subsystem. For CUPS it is normally "/var/spool/cups/", as set by the cupsd.conf directive "RequestRoot /var/spool/cups". @@ -1724,15 +1724,15 @@ For everything to work as announced, you need to have three things: - a Samba-smbd which is compiled against "libcups" (Check on Linux by running "ldd `which smbd`") + a Samba-&smbd; which is compiled against "libcups" (Check on Linux by running ldd `which smbd`) - a Samba-smb.conf setting of "printing = cups" + a Samba-&smb.conf; setting of printing = cups - another Samba-smb.conf setting of "printcap = cups" + another Samba-&smb.conf; setting of printcap = cups diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index 1578522139..868ed52b74 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml 
@@ -325,18 +325,18 @@ on this system just substitute the correct package name varies between unixes. Look at the other entries in inetd.conf for a guide. - NOTE: Some unixes already have entries like netbios_ns + Some unixes already have entries like netbios_ns (note the underscore) in /etc/services. You must either edit /etc/services or - /etc/inetd.conf to make them consistent. + /etc/inetd.conf to make them consistent. - NOTE: On many systems you may need to use the - "interfaces" option in smb.conf to specify the IP address + On many systems you may need to use the + interfaces option in &smb.conf; to specify the IP address and netmask of your interfaces. Run ifconfig as root if you don't know what the broadcast is for your - net. nmbd tries to determine it at run + net. &nmbd; tries to determine it at run time, but fails on some unixes. - + Many unixes only accept around 5 parameters on the command line in inetd.conf. diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 1a97e6f5a8..dc5b7d6e8c 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -20,12 +20,12 @@ with NetBIOS names DOMBDC1 and DOMBDC2 . - Firstly, you must edit your smb.conf(5) - file to tell Samba it should now use domain security. + Firstly, you must edit your &smb.conf; file to tell Samba it should + now use domain security. Change (or add) your security = line in the [global] section - of your smb.conf to read: + of your &smb.conf; to read: security = domain diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 2a771c23d1..d175eb15ba 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml 
@@ -45,8 +45,9 @@ The procedure is similar for other types of clients. It is also assumed you know the name of an available share in your -smb.conf. I will assume this share is called "tmp". You can add a -"tmp" share like by adding the following to smb.conf: +&smb.conf;. I will assume this share is called tmp. +You can add a tmp share like by adding the +following to &smb.conf;: @@ -59,22 +60,21 @@ smb.conf. I will assume this share is called "tmp". You can add a - -THESE TESTS ASSUME VERSION 3.0.0 OR LATER OF THE SAMBA SUITE. SOME -COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS - + +These tests assume version 3.0 or later of the samba suite. Some commands shown did not exist in earlier versions. + Please pay attention to the error messages you receive. If any error message reports that your server is being unfriendly you should first check that you -IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf +IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf file points to name servers that really do exist. Also, if you do not have DNS server access for name resolution please check -that the settings for your smb.conf file results in "dns proxy = no". The -best way to check this is with "testparm smb.conf" +that the settings for your &smb.conf; file results in dns proxy = no. The +best way to check this is with testparm smb.conf. 
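Review bot: The unchanged line directly above the reworded resolv.conf sentence in the @@ -59,22 hunk still reads "you should first check that you IP name resolution is correctly set up", with "you" for "your"; it is worth fixing in the same pass. In the preceding hunk the new text "You can add a tmp share like by adding the following" carries over the stray "like" from the old wording. The rewritten warning also changes the stated baseline from "VERSION 3.0.0" to "version 3.0"; if that is intentional, mention it in the commit message, which currently describes only layout and typo fixes.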
@@ -86,20 +86,21 @@ best way to check this is with "testparm smb.conf" -In the directory in which you store your smb.conf file, run the command -"testparm smb.conf". If it reports any errors then your smb.conf +In the directory in which you store your &smb.conf; file, run the command +testparm smb.conf. If it reports any errors then your &smb.conf; configuration file is faulty. - -Note: Your smb.conf file may be located in: /etc/samba - Or in: /usr/local/samba/lib - + +Your &smb.conf; file may be located in: /etc/samba +Or in: /usr/local/samba/lib + -Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from +Run the command ping BIGSERVER from the PC and +ping ACLIENT from the unix box. If you don't get a valid response then your TCP/IP software is not correctly installed. @@ -111,7 +112,8 @@ run ping. If you get a message saying "host not found" or similar then your DNS -software or /etc/hosts file is not correctly setup. It is possible to +software or /etc/hosts file is not correctly setup. +It is possible to run samba without DNS entries for the server and client, but I assume you do have correct entries for the remainder of these tests. 
@@ -120,23 +122,23 @@ you do have correct entries for the remainder of these tests. Another reason why ping might fail is if your host is running firewall software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux -this is done via the ipfwadm program.) +this is done via the ipfwadm program.) -Run the command "smbclient -L BIGSERVER" on the unix box. You +Run the command smbclient -L BIGSERVER on the unix box. You should get a list of available shares back. If you get a error message containing the string "Bad password" then -you probably have either an incorrect "hosts allow", "hosts deny" or -"valid users" line in your smb.conf, or your guest account is not -valid. Check what your guest account is using "testparm" and -temporarily remove any "hosts allow", "hosts deny", "valid users" or -"invalid users" lines. +you probably have either an incorrect hosts allow, +hosts deny or valid users line in your +&smb.conf;, or your guest account is not +valid. Check what your guest account is using &testparm; and +temporarily remove any hosts allow, hosts deny, valid users or invalid users lines. 
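Review bot: The reworked "Bad password" paragraph tells readers to "temporarily remove any hosts allow, hosts deny, valid users or invalid users lines" but never tells them to put the lines back. These are the share's access controls, so add a sentence saying to restore them as soon as the guest-account check is finished, or suggest running the test against a copy of the configuration. The unchanged opening "If you get a error message" also wants "an".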
@@ -144,15 +146,15 @@ If you get a "connection refused" response then the smbd server may not be running. If you installed it in inetd.conf then you probably edited that file incorrectly. If you installed it as a daemon then check that it is running, and check that the netbios-ssn port is in a LISTEN -state using "netstat -a". +state using netstat -a. If you get a "session request failed" then the server refused the connection. If it says "Your server software is being unfriendly" then -its probably because you have invalid command line parameters to smbd, -or a similar fatal problem with the initial startup of smbd. Also -check your config file (smb.conf) for syntax errors with "testparm" +its probably because you have invalid command line parameters to &smbd;, +or a similar fatal problem with the initial startup of &smbd;. Also +check your config file (&smb.conf;) for syntax errors with &testparm; and that the various directories where samba keeps its log and lock files exist. @@ -160,7 +162,7 @@ files exist. There are a number of reasons for which smbd may refuse or decline a session request. The most common of these involve one or more of -the following smb.conf file entries: +the following &smb.conf; file entries: 
@@ -181,26 +183,27 @@ To solve this problem change these lines to: -Do NOT use the "bind interfaces only" parameter where you may wish to -use the samba password change facility, or where smbclient may need to +Do NOT use the bind interfaces only parameter where you +may wish to +use the samba password change facility, or where &smbclient; may need to access local service for name resolution or for local resource -connections. (Note: the "bind interfaces only" parameter deficiency +connections. (Note: the bind interfaces only parameter deficiency where it will not allow connections to the loopback address will be fixed soon). Another common cause of these two errors is having something already running -on port 139, such as Samba (ie: smbd is running from inetd already) or -something like Digital's Pathworks. Check your inetd.conf file before trying -to start smbd as a daemon, it can avoid a lot of frustration! +on port 139, such as Samba (ie: smbd is running from inetd already) or +something like Digital's Pathworks. Check your inetd.conf file before trying +to start &smbd; as a daemon, it can avoid a lot of frustration! -And yet another possible cause for failure of TEST 3 is when the subnet mask +And yet another possible cause for failure of this test is when the subnet mask and / or broadcast address settings are incorrect. Please check that the network interface IP Address / Broadcast Address / Subnet Mask settings are -correct and that Samba has correctly noted these in the log.nmb file. +correct and that Samba has correctly noted these in the log.nmb file. 
@@ -208,12 +211,12 @@ correct and that Samba has correctly noted these in the log.nmb file. -Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the +Run the command nmblookup -B BIGSERVER __SAMBA__. You should get the IP address of your Samba server back. -If you don't then nmbd is incorrectly installed. Check your inetd.conf +If you don't then nmbd is incorrectly installed. Check your inetd.conf if you run it from there, or that the daemon is running and listening to udp port 137. @@ -229,7 +232,7 @@ inetd. -run the command nmblookup -B ACLIENT '*' +run the command nmblookup -B ACLIENT '*' You should get the PCs IP address back. If you don't then the client @@ -247,7 +250,7 @@ client in the above test. -Run the command nmblookup -d 2 '*' +Run the command nmblookup -d 2 '*' @@ -263,13 +266,13 @@ hosts. If this doesn't give a similar result to the previous test then nmblookup isn't correctly getting your broadcast address through its automatic mechanism. In this case you should experiment use the -"interfaces" option in smb.conf to manually configure your IP +interfaces option in &smb.conf; to manually configure your IP address, broadcast and netmask. If your PC and server aren't on the same subnet then you will need to -use the -B option to set the broadcast address to the that of the PCs +use the -B option to set the broadcast address to the that of the PCs subnet. 
@@ -283,24 +286,24 @@ not correct. (Refer to TEST 3 notes above). -Run the command smbclient //BIGSERVER/TMP. You should +Run the command smbclient //BIGSERVER/TMP. You should then be prompted for a password. You should use the password of the account you are logged into the unix box with. If you want to test with -another account then add the -U >accountname< option to the end of +another account then add the -U accountname option to the end of the command line. eg: -smbclient //bigserver/tmp -Ujohndoe +smbclient //bigserver/tmp -Ujohndoe - -Note: It is possible to specify the password along with the username + +It is possible to specify the password along with the username as follows: -smbclient //bigserver/tmp -Ujohndoe%secret - +smbclient //bigserver/tmp -Ujohndoe%secret + -Once you enter the password you should get the "smb>" prompt. If you +Once you enter the password you should get the smb> prompt. If you don't then look at the error message. If it says "invalid network -name" then the service "tmp" is not correctly setup in your smb.conf. +name" then the service "tmp" is not correctly setup in your &smb.conf;. @@ -311,26 +314,26 @@ If it says "bad password" then the likely causes are: you have shadow passords (or some other password system) but didn't - compile in support for them in smbd + compile in support for them in &smbd; - your "valid users" configuration is incorrect + your valid users configuration is incorrect - you have a mixed case password and you haven't enabled the "password - level" option at a high enough level + you have a mixed case password and you haven't enabled the password + level option at a high enough level - the "path =" line in smb.conf is incorrect. Check it with testparm + the path = line in &smb.conf; is incorrect. Check it with &testparm; 
@@ -345,7 +348,7 @@ If it says "bad password" then the likely causes are: Once connected you should be able to use the commands dir get put etc. -Type help >command< for instructions. You should +Type help command for instructions. You should especially check that the amount of free disk space shown is correct when you type dir. @@ -355,7 +358,7 @@ when you type dir. -On the PC type the command net view \\BIGSERVER. You will +On the PC type the command net view \\BIGSERVER. You will need to do this from within a "dos prompt" window. You should get back a list of available shares on the server. @@ -369,11 +372,11 @@ to choose one of them): - fixup the nmbd installation + fixup the &nmbd; installation - add the IP address of BIGSERVER to the "wins server" box in the + add the IP address of BIGSERVER to the wins server box in the advanced tcp/ip setup on the PC. @@ -389,8 +392,8 @@ to choose one of them): If you get a "invalid network name" or "bad password error" then the -same fixes apply as they did for the "smbclient -L" test above. In -particular, make sure your "hosts allow" line is correct (see the man +same fixes apply as they did for the smbclient -L test above. In +particular, make sure your hosts allow line is correct (see the man pages) @@ -406,7 +409,7 @@ name and password. If you get "specified computer is not receiving requests" or similar it probably means that the host is not contactable via tcp services. Check to see if the host is running tcp wrappers, and if so add an entry in -the hosts.allow file for your client (or subnet, etc.) +the hosts.allow file for your client (or subnet, etc.) 
@@ -414,24 +417,25 @@ the hosts.allow file for your client (or subnet, etc.) -Run the command net use x: \\BIGSERVER\TMP. You should +Run the command net use x: \\BIGSERVER\TMP. You should be prompted for a password then you should get a "command completed successfully" message. If not then your PC software is incorrectly -installed or your smb.conf is incorrect. make sure your "hosts allow" -and other config lines in smb.conf are correct. +installed or your smb.conf is incorrect. make sure your hosts allow +and other config lines in &smb.conf; are correct. It's also possible that the server can't work out what user name to -connect you as. To see if this is the problem add the line "user = -USERNAME" to the [tmp] section of smb.conf where "USERNAME" is the +connect you as. To see if this is the problem add the line user = +username to the [tmp] section of +&smb.conf; where username is the username corresponding to the password you typed. If you find this fixes things you may need the username mapping option. It might also be the case that your client only sends encrypted passwords -and you have encrypt passwords = no in smb.conf. +and you have encrypt passwords = no in &smb.conf; Turn it back on to fix. @@ -440,8 +444,8 @@ Turn it back on to fix. -Run the command nmblookup -M TESTGROUP where -TESTGROUP is the name of the workgroup that your Samba server and +Run the command nmblookup -M testgroup where +testgroup is the name of the workgroup that your Samba server and Windows PCs belong to. You should get back the IP address of the master browser for that workgroup. 
@@ -449,7 +453,7 @@ master browser for that workgroup. If you don't then the election process has failed. Wait a minute to see if it is just being slow then try again. If it still fails after -that then look at the browsing options you have set in smb.conf. Make +that then look at the browsing options you have set in &smb.conf;. Make sure you have preferred master = yes to ensure that an election is held at startup. @@ -468,8 +472,8 @@ is refusing to browse a server that has no encrypted password capability and is in user level security mode. In this case either set security = server AND password server = Windows_NT_Machine in your -smb.conf file, or enable encrypted passwords AFTER compiling in support -for encrypted passwords (refer to the Makefile). +&smb.conf; file, or make sure encrypted passwords is +set to "yes". @@ -488,10 +492,6 @@ out the samba web page at http://samba.org/samba/ - -Also look at the other docs in the Samba package! - - diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 8aea87fe24..e037da4aeb 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -11,12 +11,12 @@ Starting with Samba 3.0 alpha 2, a new group mapping function is available. The current method (likely to change) to manage the groups is a new command called -smbgroupedit. +&smbgroupedit;. The first immediate reason to use the group mapping on a PDC, is that -the domain admin group of smb.conf is +the domain admin group of &smb.conf; is now gone. This parameter was used to give the listed users local admin rights on their workstations. It was some magic stuff that simply worked but didn't scale very well for complex setups. 
@@ -71,7 +71,7 @@ give access to a certain directory to some users who are member of a group on your samba PDC. Flag that group as a domain group by running: -smbgroupedit -a unixgroup -td +smbgroupedit -a unixgroup -td You can list the various groups in the mapping database like this smbgroupedit -v diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index b48fc3b305..f6ac0be5a4 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -517,7 +517,7 @@ if the TCP/IP setup has been given at least one WINS Server IP Address. To configure Samba to be a WINS server the following parameter needs -to be added to the smb.conf file: +to be added to the &smb.conf; file: @@ -526,7 +526,7 @@ to be added to the smb.conf file: To configure Samba to use a WINS server the following parameters are -needed in the smb.conf file: +needed in the &smb.conf; file: diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml index 65072ef4ff..9bff25337c 100644 --- a/docs/docbook/projdoc/NT_Security.sgml +++ b/docs/docbook/projdoc/NT_Security.sgml @@ -297,8 +297,7 @@ If you want to set up a share that allows users full control in modifying the permission bits on their files and directories and doesn't force any particular bits to be set 'on', then set the following - parameters in the smb.conf(5) - file in that share specific section : + parameters in the &smb.conf; file in that share specific section : security mask = 0777 force security mode = 0 diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 94bc60b464..13ec698384 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml 
@@ -11,8 +11,7 @@ -NOTE! Roaming profiles support is different for Win9x / Me -and Windows NT4/200x. +Roaming profiles support is different for Win9x / Me and Windows NT4/200x. @@ -52,15 +51,14 @@ following (for example): logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath + This is typically implemented like: + logon path = \\%L\Profiles\%u - - where: - %L translates to the name of the Samba server - %u translates to the user name +where %L translates to the name of the Samba server and %u translates to the user name @@ -74,7 +72,7 @@ symantics of %L and %N, as well as %U and %u. MS Windows NT/2K clients at times do not disconnect a connection to a server -between logons. It is recommended to NOT use the homes +between logons. It is recommended to NOT use the homes meta-service name as part of the profile share path. @@ -85,14 +83,14 @@ meta-service name as part of the profile share path. To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has -now been fixed so that "net use /home" now works as well, and it, too, relies -on the "logon home" parameter. +now been fixed so that net use /home now works as well, and it, too, relies +on the logon home By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your smb.conf file: +can use. If you set the following in the [global] section of your &smb.conf; file: logon home = \\%L\%U\.profiles 
@@ -100,14 +98,14 @@ can use. If you set the following in the [global] section of your smb.conf file: then your Windows 9x / Me clients will dutifully put their clients in a subdirectory -of your home directory called .profiles (thus making them hidden). +of your home directory called .profiles (thus making them hidden). -Not only that, but 'net use/home' will also work, because of a feature in +Not only that, but net use/home will also work, because of a feature in Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for "logon home". +specified \\%L\%U for logon home. @@ -116,7 +114,7 @@ specified \\%L\%U for "logon home". You can support profiles for both Win9X and WinNT clients by setting both the -"logon home" and "logon path" parameters. For example: +logon home and logon path parameters. For example: diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index df038510af..6deb0c915e 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -14,11 +14,11 @@ Binary packages of samba are included in almost any Linux or Unix distribution. There are also some packages available at - the samba homepage + the samba homepage. If you need to compile samba from source, check the - appropriate appendix chapter. + appropriate appendix chapter. @@ -32,7 +32,7 @@ is included with samba. - Editing the smb.conf file + Editing the <filename>smb.conf</filename> file There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them 
@@ -43,36 +43,33 @@ something like this: - [global] - workgroup = MYGROUP +[global] + workgroup = MYGROUP - [homes] - guest ok = no - read only = no +[homes] + guest ok = no + read only = no which would allow connections by anyone with an account on the server, using either their login name or - "homes" as the service name. (Note that I also set the + "homes" as the service name. (Note that I also set the workgroup that Samba is part of. See BROWSING.txt for details) - Note that make install will not install - a smb.conf file. You need to create it - yourself. - - Make sure you put the smb.conf file in the same place + Make sure you put the smb.conf file in the same place you specified in theMakefile (the default is to look for it in /usr/local/samba/lib/). For more information about security settings for the - [homes] share please refer to the document UNIX_SECURITY.txt. + [homes] share please refer to the chapter + Securing Samba. Test your config file with <command>testparm</command> It's important that you test the validity of your - smb.conf file using the testparm program. + smb.conf file using the testparm program. If testparm runs OK then it will list the loaded services. If not it will give an error message. @@ -133,16 +130,17 @@ //yourhostname/aservice Typically the yourhostname - would be the name of the host where you installed - smbd. The aservice is - any service you have defined in the smb.conf - file. Try your user name if you just have a [homes] section - in smb.conf. + would be the name of the host where you installed &smbd;. + The aservice is + any service you have defined in the &smb.conf; + file. Try your user name if you just have a [homes] + section + in &smb.conf;. - For example if your unix host is bambi and your login - name is fred you would type: + For example if your unix host is bambi + and your login name is fred you would type: - $ smbclient //bambi/fred + $ smbclient //bambi/fred 
@@ -157,21 +155,18 @@ Try printing. eg: - - C:\WINDOWS\> net use lpt1: \\servername\spoolservice C:\WINDOWS\> print filename - - Celebrate, or send me a bug report! What If Things Don't Work? - Then you might read the file HOWTO chapter Diagnosis and the + Then you might read the file chapter + Diagnosis and the FAQ. If you are still stuck then try the mailing list or newsgroup (look in the README for details). Samba has been successfully installed at thousands of sites worldwide, so maybe diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index dc339db4aa..6ed6e1a717 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -47,13 +47,13 @@ &person.jelmer; &person.jerry; - Friday 4 April + Sunday 6 April This book is a collection of HOWTOs added to Samba documentation over the years. -I try to ensure that all are current, but sometimes the is a larger job -than one person can maintain. The most recent version of this document +Samba is always under development, and so is it's documentation. +The most recent version of this document can be found at http://www.samba.org/ on the "Documentation" page. Please send updates to jerry@samba.org or @@ -107,8 +107,7 @@ for various environments. Advanced Configuration Introduction -Samba has several features that you might want or might not want to use. The chapters in this -part each cover one specific feature. +Samba has several features that you might want or might not want to use. The chapters in this part each cover one specific feature. &NT-Security; &GROUP-MAPPING-HOWTO; diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index 03d0c3d9e7..88e216ac58 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml 
@@ -29,8 +29,8 @@ especially vulnerable. -One of the simplest fixes in this case is to use the 'hosts allow' and -'hosts deny' options in the Samba smb.conf configuration file to only +One of the simplest fixes in this case is to use the hosts allow and +hosts deny options in the Samba &smb.conf; configuration file to only allow access to your server from a specific range of hosts. An example might be: @@ -167,7 +167,7 @@ methods listed above for some reason. Upgrading Samba -Please check regularly on http://www.samba.org/ for updates and +Please check regularly on http://www.samba.org/ for updates and important announcements. Occasionally security releases are made and it is highly recommended to upgrade Samba when a security vulnerability is discovered. diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index 1c4c3f61ca..99f21aec5d 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -83,7 +83,7 @@ level security. They normally send a valid username but no password. Samba records this username in a list of "possible usernames". When the client then does a "tree connection" it also adds to this list the name of the share they try to connect to (useful for -home directories) and any users listed in the "user =" smb.conf +home directories) and any users listed in the user = &smb.conf; line. The password is then checked in turn against these "possible usernames". If a match is found then the client is authenticated as that user. @@ -221,7 +221,7 @@ for support of encrypted passwords: Use MS Windows NT as an authentication server -This method involves the additions of the following parameters in the smb.conf file: +This method involves the additions of the following parameters in the &smb.conf; file: 
@@ -270,7 +270,7 @@ all authentication requests to be passed through to the domain controllers. Samba as a member of an MS Windows NT security domain -This method involves additon of the following paramters in the smb.conf file: +This method involves additon of the following paramters in the &smb.conf; file: @@ -281,7 +281,7 @@ This method involves additon of the following paramters in the smb.conf file: -The use of the "*" argument to "password server" will cause samba to locate the +The use of the "*" argument to password server will cause samba to locate the domain controller in a way analogous to the way this is done within MS Windows NT. This is the default behaviour. diff --git a/docs/docbook/projdoc/unicode.sgml b/docs/docbook/projdoc/unicode.sgml index 705a389e41..4d1fac0150 100644 --- a/docs/docbook/projdoc/unicode.sgml +++ b/docs/docbook/projdoc/unicode.sgml @@ -81,7 +81,5 @@ samba knows of three kinds of character sets:
- - diff --git a/docs/docbook/projdoc/upgrading-to-3.0.sgml b/docs/docbook/projdoc/upgrading-to-3.0.sgml index ec4b29386a..3dc4816664 100644 --- a/docs/docbook/projdoc/upgrading-to-3.0.sgml +++ b/docs/docbook/projdoc/upgrading-to-3.0.sgml @@ -12,7 +12,7 @@ You might experience problems with special characters when communicating with old DOS clients. Codepage support has changed in samba 3.0. Read the chapter -Unicode support for details. +Unicode support for details. -- cgit From bb36db4505a6f5b0a3e951e55fa92fe0a0c12ad9 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 7 Apr 2003 14:08:35 +0000 Subject: Regenerate docs (This used to be commit c61de5bbac37fa130a939fb9da4cf114855cab02) --- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 7 +++++-- docs/docbook/projdoc/passdb.sgml | 31 +++++++++++++++---------------- docs/docbook/projdoc/unicode.sgml | 2 +- 3 files changed, 21 insertions(+), 19 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 451ab02762..a0927ec888 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -315,7 +315,7 @@ for this including: file allows the creation of arbitrary user and machine accounts without requiring that account to be added to the system (/etc/passwd) file. It too requires the specification of the "non unix account range" option - in the [globals] section of the smb.conf file. + in the [globals] section of the &smb.conf; file.
@@ -329,6 +329,9 @@ for this including: +Read the chapter about the User Database +for details. + A Samba PDC, however, stores each machine trust account in two parts, as follows: @@ -418,7 +421,7 @@ as shown here: -root# smbpasswd -a -m machine_name +root# smbpasswd -a -m machine_name diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 362cf97064..d7b54a38e8 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
@@ -114,23 +114,22 @@ Windows 200x Server/Advanced Server Windows XP Professional - - Note :All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication. - - - MS Windows clients will cache the encrypted password alone. - Even when plain text passwords are re-enabled, through the appropriate - registry change, the plain text password is NEVER cached. This means that - in the event that a network connections should become disconnected (broken) - only the cached (encrypted) password will be sent to the resource server - to affect a auto-reconnect. If the resource server does not support encrypted - passwords the auto-reconnect will fail. USE OF ENCRYPTED PASSWORDS - IS STRONGLY ADVISED. + + All current release of + Microsoft SMB/CIFS clients support authentication via the + SMB Challenge/Response mechanism described here. Enabling + clear text authentication does not disable the ability + of the client to participate in encrypted authentication. + + MS Windows clients will cache the encrypted password alone. + Even when plain text passwords are re-enabled, through the appropriate + registry change, the plain text password is NEVER cached. This means that + in the event that a network connections should become disconnected (broken) + only the cached (encrypted) password will be sent to the resource server + to affect a auto-reconnect. If the resource server does not support encrypted + passwords the auto-reconnect will fail. USE OF ENCRYPTED PASSWORDS + IS STRONGLY ADVISED. Advantages of SMB Encryption diff --git a/docs/docbook/projdoc/unicode.sgml b/docs/docbook/projdoc/unicode.sgml index 4d1fac0150..d44e8ea291 100644 --- a/docs/docbook/projdoc/unicode.sgml +++ b/docs/docbook/projdoc/unicode.sgml 
@@ -58,7 +58,7 @@ samba knows of three kinds of character sets: unix charset This is the charset used internally by your operating system. - The default is ASCII, which is fine for most + The default is ASCII, which is fine for most systems. -- cgit From f157e663f131bc26f351475226cce38b957cd0bd Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 7 Apr 2003 15:02:51 +0000 Subject: Some layout fixes + typo (This used to be commit c4a02bf35bc399c1926aee158c5215c180f393ae) --- docs/docbook/projdoc/InterdomainTrusts.sgml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml index 20422f9b45..0fc634c544 100644 --- a/docs/docbook/projdoc/InterdomainTrusts.sgml +++ b/docs/docbook/projdoc/InterdomainTrusts.sgml @@ -129,18 +129,18 @@ step will be to issue this command from your favourite shell: - - deity# smbpasswd -a -i rumba + +deity# smbpasswd -a -i rumba New SMB password: XXXXXXXX Retype SMB password: XXXXXXXX Added user rumba$ + - where: - -a means to add a new account into the passdb database - -i means create this account with the Inter-Domain trust flag +where -a means to add a new account into the passdb database and -i means create this account with the Inter-Domain trust flag. + - The account name will be 'rumba$' (the name ofthe remote domain) - + +The account name will be 'rumba$' (the name of the remote domain) 
@@ -192,15 +192,13 @@ Using your favourite shell while being logged on as root, issue this command: - - deity# net rpc trustdom establish rumba - +deity# net rpc trustdom establish rumba You'll be prompted for password you've just typed on your Windows NT4 Server box. Don't worry if you will see the error message with returned code of -NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the +NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the password you gave is correct and the NT4 Server says the account is ready for trusting your domain and not for ordinary connection. After that, be patient it can take a while (especially in large networks), you should see 'Success' message. Contgratulations! Your trust @@ -209,7 +207,7 @@ relationship has just been established. Note that you have to run this command as root, since you need write access to -your secrets.tdb file. +your secrets.tdb file. -- cgit
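Review bot: in hunk @@ -181,26 +183,27 @@ the phrase "failure of TEST 3" becomes "failure of this test", but the cross-reference "(Refer to TEST 3 notes above)" is still present in the context shown at @@ -283,24 +286,24 @@. Either keep the test numbers in both places or replace the later reference with a link to the renamed section, otherwise the pointer no longer resolves to anything a reader can find.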
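Review bot: in hunk @@ -283,24 +286,24 @@ the converted note still shows "smbclient //bigserver/tmp -Ujohndoe%secret" without any caveat. A password passed as a command-line argument can be read by other local users from the process listing and ends up in shell history, so the note should say that this form is only for a throwaway test account and that letting smbclient prompt for the password is the normal way to run it.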
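Review bot: in hunk @@ -414,24 +417,25 @@ the new line "and you have encrypt passwords = no in &smb.conf;" loses the full stop the removed line had, so it now runs straight into "Turn it back on to fix." Put the period back after the entity. The same hunk also leaves a plain "smb.conf" in "installed or your smb.conf is incorrect" while the very next added line uses &smb.conf;, so convert that one too.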
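Review bot: in hunk @@ -468,8 +472,8 @@ the replacement text tells the reader to make sure "encrypted passwords is set to yes", but the parameter is spelled "encrypt passwords", as the earlier hunk's "encrypt passwords = no" shows. Write it as "encrypt passwords = yes" so it can be copied into &smb.conf; unchanged. This line also changes the advice itself (the compile-time instruction and the Makefile reference are gone), which deserves a mention in the commit message rather than riding along with markup changes.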
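Review bot: in ProfileMgmt.sgml, hunk @@ -85,14 +83,14 @@, the added line ends at "on the logon home" and drops both the word "parameter" and the full stop that the removed line had, so the sentence is cut off and runs into "By using the logon home parameter, ...". Restore the ending as "on the logon home parameter."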
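Review bot: in UNIX_INSTALL.sgml, hunk @@ -43,36 +43,33 @@, the sentence "Note that make install will not install a smb.conf file. You need to create it yourself." is deleted with nothing added in its place. The paragraph that remains only says where to put the file, so a reader building from source is no longer told that the file has to be written by hand. Keep the sentence, marked up as a note if that is the intent of the surrounding changes.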
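Review bot: in UNIX_INSTALL.sgml, hunk @@ -157,21 +155,18 @@, the added line reads "Then you might read the file chapter Diagnosis", with the word "file" left over from the old wording "the file HOWTO chapter Diagnosis". Drop it so the sentence reads "read the chapter Diagnosis and the FAQ".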
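Review bot: in samba-doc.sgml, hunk @@ -47,13 +47,13 @@, the added sentence "Samba is always under development, and so is it's documentation." uses "it's" where the possessive "its" is meant. Since this text lands in the abstract of the whole book, fix it before the docs are regenerated.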
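Review bot: in security_level.sgml, hunk @@ -270,7 +270,7 @@, the line is rewritten only to swap in &smb.conf; and still carries "additon" and "paramters". Correct both to "addition" and "parameters" while the line is being touched, and match the wording of the parallel sentence in hunk @@ -221,7 +221,7 @@ ("involves the additions of the following parameters") so the two methods are introduced the same way.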
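Review bot: in Samba-PDC-HOWTO.sgml, hunk @@ -315,7 +315,7 @@, the added line keeps "in the [globals] section of the &smb.conf; file", while the ProfileMgmt.sgml hunks in this same series refer to the "[global] section". The section name should be spelled one way across the book; use [global] here so a reader searching their configuration for the section finds it.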
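Review bot: in passdb.sgml, hunk @@ -114,23 +114,22 @@, every line of the note is re-added for re-indentation but the wording errors are carried over: "All current release of", "a network connections should become disconnected" and "to affect a auto-reconnect". This is the paragraph that tells administrators why encrypted passwords are strongly advised, so it is worth correcting to "All current releases of", "a network connection" and "to effect an auto-reconnect" in the same change.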
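Review bot: in InterdomainTrusts.sgml, hunk @@ -192,15 +192,13 @@, the commit is described as layout fixes plus a typo, yet the context line two lines below the edited NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT sentence still reads "Contgratulations!". Fix that to "Congratulations!" here as well, and consider "prompted for the password" in the added sentence's neighbour "You'll be prompted for password you've just typed".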