Chapter 2. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide

This document should be read in conjunction with Browsing and may -be taken as the fast track guide to implementing browsing across subnets -and / or across workgroups (or domains). WINS is the best tool for resolution -of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling -except by way of name to address mapping.

2.1. Discussion

Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging is implemented using NetBIOS. Samba -implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can -do likewise. NetBIOS based networking uses broadcast messaging to affect -browse list management. When running NetBIOS over TCP/IP this uses UDP -based messaging. UDP messages can be broadcast or unicast.

Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP.

Secondly, in those networks where Samba is the only SMB server technology -wherever possible nmbd should be configured on one (1) machine as the WINS -server. This makes it easy to manage the browsing environment. If each network -segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file.

If only one WINS server is used then the use of the "remote announce" and the -"remote browse sync" parameters should NOT be necessary.

Samba WINS does not support MS-WINS replication. This means that when setting up -Samba as a WINS server there must only be one nmbd configured as a WINS server -on the network. Some sites have used multiple Samba WINS servers for redundancy -(one server per subnet) and then used "remote browse sync" and "remote announce" -to affect browse list collation across all segments. Note that this means -clients will only resolve local names, and must be configured to use DNS to -resolve names on other subnets in order to resolve the IP addresses of the -servers they can see on other subnets. This setup is not recommended, but is -mentioned as a practical consideration (ie: an 'if all else fails' scenario).

Lastly, take note that browse lists are a collection of unreliable broadcast -messages that are repeated at intervals of not more than 15 minutes. This means -that it will take time to establish a browse list and it can take up to 45 -minutes to stabilise, particularly across network segments.

2.2. Use of the "Remote Announce" parameter

The "remote announce" parameter of smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. @@ -2225,9 +1821,9 @@ CLASS="SECT1" >

2.3. Use of the "Remote Browse Sync" parameter

The "remote browse sync" parameter of smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our @@ -2248,9 +1844,9 @@ CLASS="SECT1" >

2.4. Use of WINS

Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly recommended. Every NetBIOS machine registers it's name together with a @@ -2302,22 +1898,23 @@ CLASS="emphasis" CLASS="EMPHASIS" >DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d" -particularly not using it's own IP address.

use both "wins support = yes" together +with "wins server = a.b.c.d" particularly not using it's own IP address. +Specifying both will cause nmbd to refuse to start!

2.5. Do NOT use more than one (1) protocol on MS Windows machines

A very common cause of browsing problems results from installing more than one protocol on an MS Windows machine.

Every NetBIOS machine take part in a process of electing the LMB (and DMB) +>Every NetBIOS machine takes part in a process of electing the LMB (and DMB) every 15 minutes. A set of election criteria is used to determine the order of precidence for winning this election process. A machine running Samba or Windows NT will be biased so that the most suitable machine will predictably @@ -2333,6 +1930,19 @@ interface over the IPX protocol. Samba will then lose the LMB role as Windows as an LMB and thus browse list operation on all TCP/IP only machines will fail.

Windows 95, 98, 98se, Me are referred to generically as Windows 9x. +The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly +referred to as the WinNT family, but it should be recognised that 2000 and +XP/2003 introduce new protocol extensions that cause them to behave +differently from MS Windows NT4. Generally, where a server does NOT support +the newer or extended protocol, these will fall back to the NT4 protocols.

The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!

2.6. Name Resolution Order

Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information @@ -2431,9 +2041,9 @@ CLASS="SECT1" >

3.1. Introduction

Old windows clients send plain text passwords over the wire. Samba can check these passwords by crypting them and comparing them @@ -2472,9 +2082,9 @@ CLASS="SECT1" >

3.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix @@ -2580,9 +2190,9 @@ CLASS="SECT2" >

3.2.1. Advantages of SMB Encryption

3.2.2. Advantages of non-encrypted passwords

3.3. The smbpasswd Command

The smbpasswd utility is a utility similar to the

To run smbpasswd as a normal user just type :

$ $ smbpasswdsmbpasswd

Old SMB password: Old SMB password: <type old value here - - or hit return if there was no old password><type old value here - + or hit return if there was no old password>

New SMB Password: New SMB Password: <type new value> -<type new value> +

Repeat New SMB Password: Repeat New SMB Password: <re-type new value -<re-type new value +

If the old value does not match the current value stored for @@ -2762,9 +2364,9 @@ CLASS="SECT1" >

3.4. Plain text

3.4. Plain text
Older versions of samba retrieved user information from the unix user database and eventually some other fields from the file
3.5. TDB
3.5. TDBSamba can also store the user data in a "TDB" (Trivial Database). Using this backend doesn't require any additional configuration. This backend is recommended for new installations who @@ -2795,17 +2397,17 @@ CLASS="SECT1" > 3.6. LDAP 3.6. LDAP
3.6.1. Introduction 3.6.1. IntroductionThis document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is @@ -2871,9 +2473,9 @@ CLASS="SECT2" > 3.6.2. Introduction 3.6.2. Introduction
Traditionally, when configuring --with-ldapsam--with-ldapsam or ---with-tdbsam--with-tdbsam) requires compile time support.
When compiling Samba to include the When compiling Samba to include the --with-ldapsam--with-ldapsam autoconf option, smbd (and associated tools) will store and lookup user accounts in an LDAP directory. In reality, this is very easy to understand. If you are comfortable with using an smbpasswd file, simply replace "smbpasswd" with "LDAP directory" in all the documentation.
There are a few points to stress about what the There are a few points to stress about what the --with-ldapsam--with-ldapsam does not provide. The LDAP support referred to in the this documentation does not include:
3.6.3. Supported LDAP Servers
3.6.3. Supported LDAP Servers
The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with @@ -3013,9 +2607,9 @@ CLASS="SECT2" >
3.6.4. Schema and Relationship to the RFC 2307 posixAccount
3.6.4. Schema and Relationship to the RFC 2307 posixAccount
Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURALSTRUCTURAL objectclass so it can be stored individually in the directory. However, there are several fields (e.g. uid) which overlap with the posixAccount objectclass outlined in RFC2307. This is by design.
3.6.5. Configuring Samba with LDAP
3.6.5. Configuring Samba with LDAP
3.6.5.1. OpenLDAP configuration
3.6.5.1. OpenLDAP configuration
To include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory.
root# root# cp samba.schema /etc/openldap/schema/
3.6.5.2. Configuring Samba
3.6.5.2. Configuring Samba
The following parameters are available in smb.conf only with The following parameters are available in smb.conf only with --with-ldapsam--with-ldapsam was included with compiling Samba.
secretpwsecretpw' to store the # passphrase in the secrets.tdb file. If the "ldap admin dn" values # changes, this password will need to be reset. @@ -3271,7 +2861,7 @@ CLASS="REPLACEABLE" ldap suffix = "ou=people,dc=samba,dc=org" # generally the default ldap search filter is ok - # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
3.6.6. Accounts and Groups management
3.6.6. Accounts and Groups management
As users accounts are managed thru the sambaAccount objectclass, you should modify you existing administration tools to deal with sambaAccount attributes.
3.6.7. Security and sambaAccount
3.6.7. Security and sambaAccount
There are two important points to remember when discussing the security of sambaAccount entries in the directory.
3.6.8. LDAP specials attributes for sambaAccounts
3.6.8. LDAP specials attributes for sambaAccounts
The sambaAccount objectclass is composed of the following attributes:
lmPasswordlmPassword: the LANMAN password 16-byte hash stored as a character representation of a hexidecimal string.
ntPasswordntPassword: the NT password hash 16-byte stored as a character representation of a hexidecimal string.
pwdLastSetpwdLastSet: The integer time in seconds since 1970 when the - lmPassword and lmPassword and ntPasswordntPassword attributes were last set.
acctFlagsacctFlags: string of 11 characters surrounded by square brackets [] representing account flags such as U (user), W(workstation), X(no password expiration), and D(disabled).
logonTimelogonTime: Integer value currently unused
logoffTimelogoffTime: Integer value currently unused
kickoffTimekickoffTime: Integer value currently unused
pwdCanChangepwdCanChange: Integer value currently unused
pwdMustChangepwdMustChange: Integer value currently unused
homeDrivehomeDrive: specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" where X is the letter of the drive to map. Refer to the "logon drive" parameter in the @@ -3479,9 +3069,9 @@ CLASS="CONSTANT" >
scriptPathscriptPath: The scriptPath property specifies the path of the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path is relative to the netlogon share. Refer to the "logon script" parameter in the @@ -3489,18 +3079,18 @@ CLASS="CONSTANT" >
profilePathprofilePath: specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. Refer to the "logon path" parameter in the smb.conf(5) man page for more information.
smbHomesmbHome: The homeDirectory property specifies the path of the home directory for the user. The string can be null. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network @@ -3510,25 +3100,25 @@ CLASS="CONSTANT" >
userWorkstationuserWorkstation: character string value currently unused.
ridrid: the integer representation of the user's relative identifier (RID).
primaryGroupIDprimaryGroupID: the relative identifier (RID) of the primary group of the user.
smb.conf file. When a user named "becky" logons to the domain, -the logon homelogon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value -of the logon homelogon home parameter is used in its place. Samba will only write the attribute value to the directory entry is the value is something other than the default (e.g. \\MOBY\becky).
3.6.9. Example LDIF Entries for a sambaAccount
3.6.9. Example LDIF Entries for a sambaAccount
The following is a working LDIF with the inclusion of the posixAccount objectclass:
3.7. MySQL
3.7. MySQL
3.7.1. Building
3.7.1. Building
To build the plugin, run
3.7.2. Creating the database
3.7.2. Creating the database
You either can set up your own table and specify the field names to pdb_mysql (see below for the column names) or use the default table. The file mysql -umysql -uusername -husername -hhostname -phostname -ppassword password databasenamedatabasename < /path/to/samba/examples/pdb/mysql/mysql.dump
3.7.3. Configuring
3.7.3. ConfiguringThis plugin lacks some good documentation, but here is some short info: 3.7.4. Using plaintext passwords or encrypted password 3.7.4. Using plaintext passwords or encrypted passwordI strongly discourage the use of plaintext passwords, however, you can use them: 3.7.5. Getting non-column data from the table 3.7.5. Getting non-column data from the tableIt is possible to have not all data in the database and making some 'constant'. 3.8. Passdb XML plugin 3.8. Passdb XML plugin3.8.1. Building 3.8.1. BuildingThis module requires libxml2 to be installed. 3.8.2. Usage 3.8.2. UsageThe usage of pdb_xml is pretty straightforward. To export data, use: @@ -3944,7 +3522,7 @@ CLASS="TITLE" > Introduction 5.1. Prerequisite Reading 5.2. Background 5.3. Configuring the Samba Domain Controller 5.4. Creating Machine Trust Accounts and Joining Clients to the Domain 5.4.1. Manual Creation of Machine Trust Accounts 5.4.2. "On-the-Fly" Creation of Machine Trust Accounts 5.4.3. Joining the Client to the Domain 5.5. Common Problems and Errors 5.6. System Policies and Profiles 5.7. What other help can I get? 5.8. Domain Control for Windows 9x/ME 5.8.1. Configuration Instructions: Network Logons 5.8.2. Configuration Instructions: Setting up Roaming User Profiles 5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & SambaDOMAIN_CONTROL.txt : Windows NT Domain Control & Samba 6.1. Prerequisite Reading 6.2. Background 6.3. What qualifies a Domain Controller on the network? 6.3.1. How does a Workstation find its domain controller? 6.3.2. When is the PDC needed? 6.4. Can Samba be a Backup Domain Controller to an NT PDC? 6.5. How do I set up a Samba BDC? 6.5.1. How do I replicate the smbpasswd file? 6.5.2. Can I do this all with LDAP? 7.1. Installing the required packages for Debian 7.2. Installing the required packages for RedHat 7.3. Compile Samba 7.4. Setup your /etc/krb5.conf 7.5. Create the computer account 7.5.1. Possible errors 7.6. Test your server setup 7.7. Testing with smbclient 7.8. Notes 8.1. Joining an NT Domain with Samba 3.0 8.2. Samba and Windows 2000 Domains 8.3. Why is this better than security = server? 5.1. Prerequisite Reading 5.1. Prerequisite ReadingBefore you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services @@ -4339,9 +3917,9 @@ CLASS="SECT1" > 5.2. Background 5.2. Background 5.3. Configuring the Samba Domain Controller 5.3. Configuring the Samba Domain ControllerThe first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not @@ -4519,21 +4097,17 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#NETBIOSNAME" TARGET="_top" >netbios name = = POGOPOGO workgroup = = NARNIANARNIA ; we should act as the domain and local master browser @@ -4623,11 +4197,9 @@ TARGET="_top" HREF="smb.conf.5.html#WRITELIST" TARGET="_top" >write list = = ntadminntadmin ; share for storing user profiles @@ -4703,10 +4275,10 @@ CLASS="SECT1" > 5.4. Creating Machine Trust Accounts and Joining Clients to the -Domain A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba @@ -4777,9 +4349,9 @@ CLASS="SECT2" > 5.4.1. Manual Creation of Machine Trust Accounts 5.4.1. Manual Creation of Machine Trust AccountsThe first step in manually creating a machine trust account is to manually create the corresponding Unix account in @@ -4794,55 +4366,45 @@ CLASS="COMMAND" used to create new Unix accounts. The following is an example for a Linux based Samba server: root# root# /usr/sbin/useradd -g 100 -d /dev/null -c /usr/sbin/useradd -g 100 -d /dev/null -c "machine -nickname" -s /bin/false -s /bin/false machine_namemachine_name$ root# root# passwd -l passwd -l machine_namemachine_name$ On *BSD systems, this can be done using the 'chpass' utility: root# root# chpass -a "chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name$:*:101:100::0:0:Workstation machine_namemachine_name:/dev/null:/sbin/nologin" doppy$:x:505:501:doppy$:x:505:501:machine_nicknamemachine_nickname:/dev/null:/bin/false Above, Above, machine_nicknamemachine_nickname can be any descriptive name for the client, i.e., BasementComputer. -machine_namemachine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize @@ -4896,24 +4452,20 @@ CLASS="COMMAND" > command as shown here: root# root# smbpasswd -a -m smbpasswd -a -m machine_namemachine_name where where machine_namemachine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account. 5.4.2. "On-the-Fly" Creation of Machine Trust Accounts 5.4.2. "On-the-Fly" Creation of Machine Trust AccountsThe second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client @@ -4995,7 +4547,7 @@ be created manually. [global] - # <...remainder of parameters...> + # <...remainder of parameters...> add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u 5.4.3. Joining the Client to the Domain 5.4.3. Joining the Client to the DomainThe procedure for joining a client to the domain varies with the version of Windows. 5.5. Common Problems and Errors 5.5. Common Problems and Errors C:\WINNT\>C:\WINNT\> net use * /d This problem is caused by the PDC not having a suitable machine trust account. - If you are using the add user scriptadd user script method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -5241,11 +4791,9 @@ CLASS="COMMAND" In order to work around this problem in 2.2.0, configure the - accountaccount control flag in 5.6. System Policies and Profiles 5.6. System Policies and ProfilesMuch of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for @@ -5459,9 +5007,9 @@ CLASS="SECT1" > 5.7. What other help can I get? 5.7. What other help can I get?There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come @@ -5879,9 +5427,9 @@ CLASS="SECT1" > 5.8. Domain Control for Windows 9x/ME 5.8. Domain Control for Windows 9x/ME The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -6013,9 +5561,9 @@ CLASS="SECT2" > 5.8.1. Configuration Instructions: Network Logons 5.8.1. Configuration Instructions: Network LogonsThe main difference between a PDC and a Windows 9x logon server configuration is thatThere are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether or not it is ok to configure Samba as a Domain Controller in security -modes other than USERUSER. The only security mode -which will not work due to technical reasons is SHARESHARE -mode security. DOMAIN and DOMAIN and SERVERSERVER mode security is really just a variation on SMB user level security. 5.8.2. Configuration Instructions: Setting up Roaming User Profiles 5.8.2. Configuration Instructions: Setting up Roaming User Profiles 5.8.2.1. Windows NT Configuration 5.8.2.1. Windows NT ConfigurationTo support WinNT clients, in the [global] section of smb.conf set the following (for example): 5.8.2.2. Windows 9X Configuration 5.8.2.2. Windows 9X ConfigurationTo support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies @@ -6254,9 +5802,9 @@ CLASS="SECT3" > 5.8.2.3. Win9X and WinNT Configuration 5.8.2.3. Win9X and WinNT ConfigurationYou can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example: 5.8.2.4. Windows 9X Profile Setup 5.8.2.4. Windows 9X Profile SetupWhen a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -6459,9 +6007,9 @@ CLASS="SECT3" > 5.8.2.5. Windows NT Workstation 4.0 5.8.2.5. Windows NT Workstation 4.0When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified @@ -6573,9 +6121,9 @@ CLASS="SECT3" > 5.8.2.6. Windows NT Server 5.8.2.6. Windows NT ServerThere is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the @@ -6587,9 +6135,9 @@ CLASS="SECT3" > 5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0 5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0 5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba 5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & SambaThe registry files can be located on any Windows NT machine by opening a command prompt and typing: C:\WINNT\>C:\WINNT\> dir %SystemRoot%\System32\config The environment variable %SystemRoot% value can be obtained by typing: C:\WINNT>C:\WINNT>echo %SystemRoot% The active parts of the registry that you may want to be familiar with are @@ -6825,9 +6373,9 @@ CLASS="SECT1" > 6.1. Prerequisite Reading 6.1. Prerequisite ReadingBefore you continue reading in this chapter, please make sure that you are comfortable with configuring a Samba PDC @@ -6842,9 +6390,9 @@ CLASS="SECT1" > 6.2. Background 6.2. BackgroundWhat is a Domain Controller? It is a machine that is able to answer logon requests from workstations in a Windows NT Domain. Whenever a @@ -6887,9 +6435,9 @@ CLASS="SECT1" > 6.3. What qualifies a Domain Controller on the network? 6.3. What qualifies a Domain Controller on the network?Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS group name SAMBA#1c with the WINS server and/or @@ -6904,9 +6452,9 @@ CLASS="SECT2" > 6.3.1. How does a Workstation find its domain controller? 6.3.1. How does a Workstation find its domain controller?A NT workstation in the domain SAMBA that wants a local user to be authenticated has to find the domain controller for SAMBA. It does @@ -6923,9 +6471,9 @@ CLASS="SECT2" > 6.3.2. When is the PDC needed? 6.3.2. When is the PDC needed?Whenever a user wants to change his password, this has to be done on the PDC. To find the PDC, the workstation does a NetBIOS name query @@ -6939,9 +6487,9 @@ CLASS="SECT1" > 6.4. Can Samba be a Backup Domain Controller to an NT PDC? 6.4. Can Samba be a Backup Domain Controller to an NT PDC?With version 2.2, no. The native NT SAM replication protocols have not yet been fully implemented. The Samba Team is working on @@ -6962,9 +6510,9 @@ CLASS="SECT1" > 6.5. How do I set up a Samba BDC? 6.5. How do I set up a Samba BDC?Several things have to be done: 6.5.1. How do I replicate the smbpasswd file? 6.5.1. How do I replicate the smbpasswd file?Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change is @@ -7050,9 +6598,9 @@ CLASS="SECT2" > 6.5.2. Can I do this all with LDAP? 6.5.2. Can I do this all with LDAP?The simple answer is YES. Samba's pdb_ldap code supports binding to a replica LDAP server, and will also follow referrals and @@ -7106,9 +6654,9 @@ CLASS="SECT1" > 7.1. Installing the required packages for Debian 7.1. Installing the required packages for DebianOn Debian you need to install the following packages: 7.2. Installing the required packages for RedHat 7.2. Installing the required packages for RedHatOn RedHat this means you should have at least: 7.3. Compile Samba 7.3. Compile SambaIf your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR. 7.4. Setup your /etc/krb5.conf 7.4. Setup your /etc/krb5.confThe minimal configuration for krb5.conf is: 7.5. Create the computer account 7.5. Create the computer accountAs a user that has write permission on the Samba private directory (usually root) run: @@ -7285,9 +6833,9 @@ CLASS="SECT2" > 7.5.1. Possible errors 7.5.1. Possible errors 7.6. Test your server setup 7.6. Test your server setupOn a Windows 2000 client try 7.7. Testing with smbclient 7.7. Testing with smbclientOn your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but @@ -7343,9 +6891,9 @@ CLASS="SECT1" > 7.8. Notes 7.8. NotesYou must change administrator password at least once after DC install, to create the right encoding types 8.1. Joining an NT Domain with Samba 3.0 8.1. Joining an NT Domain with Samba 3.0Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1SERV1 and are joining an or Win2k NT domain called - DOMDOM, which has a PDC with a NetBIOS name - of DOMPDCDOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC1 and DOMBDC2 - . Firstly, you must edit your Change (or add) your security =security = line in the [global] section of your smb.conf to read: Next change the workgroup = workgroup = line in the [global] section to read: You must also have the parameter encrypt passwordsencrypt passwords set to set to yes - in order for your users to authenticate to the NT PDC. Finally, add (or modify) a password server =password server = line in the [global] section to read: In order to actually join the domain, you must run this command: root# root# net join -S DOMPDC - -UAdministrator%passwordAdministrator%password as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%passwordAdministrator%password is the login name and password for an account which has the necessary privilege to add machines to the domain. If this is successful you will see the message: Joined domain DOM.Joined domain DOM. - or Joined 'SERV1' to realm 'MYREALM'Joined 'SERV1' to realm 'MYREALM' 8.2. Samba and Windows 2000 Domains 8.2. Samba and Windows 2000 DomainsMany people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows @@ -7582,16 +7116,16 @@ CLASS="SECT1" > 8.3. Why is this better than security = server? 8.3. Why is this better than security = server?Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching - to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs to be a local Unix user fred to represent that user in the Unix filesystem. This is very similar to the older Samba security mode @@ -7676,7 +7210,7 @@ CLASS="TITLE" > Introduction 9.1. Agenda 9.2. Name Resolution in a pure Unix/Linux world 9.2.1. /etc/hosts 9.2.2. /etc/resolv.conf 9.2.3. /etc/host.conf 9.2.4. /etc/nsswitch.conf 9.3. Name resolution as used within MS Windows networking 9.3.1. The NetBIOS Name Cache 9.3.2. The LMHOSTS file 9.3.3. HOSTS file 9.3.4. DNS Lookup 9.3.5. WINS Lookup 9.4. How browsing functions and how to deploy stable and dependable browsing using Samba 9.5. MS Windows security options and how to configure Samba for seemless integration 9.5.1. Use MS Windows NT as an authentication server 9.5.2. Make Samba a member of an MS Windows NT security domain 9.5.3. Configure Samba as an authentication server 9.6. Conclusions 10.1. Viewing and changing UNIX permissions using the NT security dialogs 10.2. How to view file security on a Samba share 10.3. Viewing file ownership 10.4. Viewing file or directory permissions 10.4.1. File Permissions 10.4.2. Directory Permissions 10.5. Modifying file or directory permissions 10.6. Interaction with the standard Samba create mask parameters 10.7. Interaction with the standard Samba file attribute mapping 11.1. Samba and PAM 11.2. Distributed Authentication 11.3. PAM Configuration in smb.conf 12.1. Instructions 12.1.1. Notes 13.1. Introduction 13.2. Configuration 13.2.1. Creating [print$] 13.2.2. Setting Drivers for Existing Printers 13.2.3. Support a large number of printers 13.2.4. Adding New Printers via the Windows NT APW 13.2.5. Samba and Printer Ports 13.3. The Imprints Toolset 13.3.1. What is Imprints? 13.3.2. Creating Printer Driver Packages 13.3.3. The Imprints server 13.3.4. The Installation Client 13.4. Diagnosis 13.4.1. Introduction 13.4.2. Debugging printer problems 13.4.3. What printers do I have? 13.4.4. Setting up printcap and print servers 13.4.5. Job sent, no output 13.4.6. Job sent, strange output 13.4.7. Raw PostScript printed 13.4.8. Advanced Printing 13.4.9. Real debugging 14.1. Abstract 14.2. Introduction 14.3. What Winbind Provides 14.3.1. Target Uses 14.4. How Winbind Works 14.4.1. Microsoft Remote Procedure Calls 14.4.2. Microsoft Active Directory Services 14.4.3. Name Service Switch 14.4.4. Pluggable Authentication Modules 14.4.5. User and Group ID Allocation 14.4.6. Result Caching 14.5. Installation and Configuration 14.5.1. Introduction 14.5.2. Requirements 14.5.3. Testing Things Out 14.6. Limitations 14.7. Conclusion 15.1. Overview of browsing 15.2. Browsing support in samba 15.3. Problem resolution 15.4. Browsing across subnets 15.4.1. How does cross subnet browsing work ? 15.5. Setting up a WINS server 15.6. Setting up Browsing in a WORKGROUP 15.7. Setting up Browsing in a DOMAIN 15.8. Forcing samba to be the master 15.9. Making samba the domain master 15.10. Note about broadcast addresses 15.11. Multiple interfaces 16.1. Introduction and configuration 16.2. Included modules 16.2.1. audit 16.2.2. recycle 16.2.3. netatalk 16.3. VFS modules available elsewhere 16.3.1. DatabaseFS 16.3.2. vscan 17. Access Samba source code via CVS 17.1. Introduction 17.2. CVS Access to samba.org 17.2.1. Access via CVSweb 17.2.2. Access via cvs 18. Group mapping HOWTO 19. 18. Samba performance issues 19.1. 18.1. Comparisons 19.2. 18.2. Socket options 19.3. 18.3. Read size 19.4. 18.4. Max xmit 19.5. 18.5. Log level 19.6. 18.6. Read raw 19.7. 18.7. Write raw 19.8. 18.8. Slow Clients 19.9. 18.9. Slow Logins 19.10. 18.10. Client tuning 20. 19. Creating Group ProfilesCreating Group Prolicy Files 20.1. 19.1. Windows '9x 20.2. 19.2. Windows NT 4 20.2.1. 19.2.1. Side bar Notes 20.2.2. 19.2.2. Mandatory profiles 20.2.3. 19.2.3. moveuser.exe 20.2.4. 19.2.4. Get SID 20.3. 19.3. Windows 2000/XP Chapter 9. Integrating MS Windows networks with Samba 9.1. Agenda To identify the key functional mechanisms of MS Windows networking +> 20. Securing Samba 20.1. Introduction 20.2. Using host based protection 20.3. Using interface protection 20.4. Using a firewall 20.5. Using a IPC$ share deny 20.6. Upgrading Samba Chapter 9. Integrating MS Windows networks with Samba 9.1. Agenda To identify the key functional mechanisms of MS Windows networking to enable the deployment of Samba as a means of extending and/or replacing MS Windows NT/2000 technology. 9.2. Name Resolution in a pure Unix/Linux world 9.2. Name Resolution in a pure Unix/Linux worldThe key configuration files covered in this section are: 9.2.1. /etc/hosts Contains a static list of IP Addresses and names. @@ -8642,11 +8182,11 @@ CLASS="SECT2" > 9.2.2. /etc/resolv.conf This file tells the name resolution libraries: 9.2.3. /etc/host.conf 9.2.4. /etc/nsswitch.conf This file controls the actual name resolution targets. The @@ -8778,9 +8318,9 @@ CLASS="SECT1" > 9.3. Name resolution as used within MS Windows networking 9.3. Name resolution as used within MS Windows networkingMS Windows networking is predicated about the name each machine is given. This name is known variously (and inconsistently) as @@ -8800,16 +8340,16 @@ the client/server. Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser + MACHINENAME<00> = Server Service is running on MACHINENAME + MACHINENAME<03> = Generic Machine Name (NetBIOS name) + MACHINENAME<20> = LanMan Server service is running on MACHINENAME + WORKGROUP<1b> = Domain Master Browser Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers It should be noted that all NetBIOS machines register their own @@ -8828,7 +8368,7 @@ be needed. An example of this is what happens when an MS Windows client wants to locate a domain logon server. It find this service and the IP address of a server that provides it by performing a lookup (via a NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each +registered the name type *<1c>. A logon request is then sent to each IP address that is returned in the enumerated list of IP addresses. Which ever machine first replies then ends up providing the logon services. 9.3.1. The NetBIOS Name Cache 9.3.1. The NetBIOS Name CacheAll MS Windows machines employ an in memory buffer in which is stored the NetBIOS names and IP addresses for all external @@ -8890,9 +8430,9 @@ CLASS="SECT2" > 9.3.2. The LMHOSTS file 9.3.2. The LMHOSTS fileThis file is usually located in MS Windows NT 4.0 or 2000 in 9.3.3. HOSTS file 9.3.3. HOSTS fileThis file is usually located in MS Windows NT 4.0 or 2000 in 9.3.4. DNS Lookup 9.3.4. DNS LookupThis capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence @@ -9035,9 +8575,9 @@ CLASS="SECT2" > 9.3.5. WINS Lookup 9.3.5. WINS LookupA WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores @@ -9064,11 +8604,9 @@ CLASS="PROGRAMLISTING" wins server = xxx.xxx.xxx.xxx where where xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx is the IP address of the WINS server. 9.4. How browsing functions and how to deploy stable and -dependable browsing using Samba As stated above, MS Windows machines register their NetBIOS names (i.e.: the machine name for each service type in operation) on start @@ -9145,10 +8683,10 @@ CLASS="SECT1" > 9.5. MS Windows security options and how to configure -Samba for seemless integration MS Windows clients may use encrypted passwords as part of a challenege/response authentication model (a.k.a. NTLMv1) or @@ -9217,43 +8755,35 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#PASSWORDLEVEL" TARGET="_top" >passsword level = = integerinteger username level = = integerinteger By default Samba will lower case the username before attempting to lookup the user in the database of local system accounts. Because UNIX usernames conventionally only contain lower case -character, the username levelusername level parameter is rarely even needed. However, password on UNIX systems often make use of mixed case characters. This means that in order for a user on a Windows 9x client to connect to a Samba server using clear text authentication, -the password levelpassword level must be set to the maximum number of upper case letter which appear is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a password levelpassword level of 8 will result in case insensitive passwords as seen from Windows users. This will also result in longer login times as Samba @@ -9282,9 +8810,9 @@ CLASS="SECT2" > 9.5.1. Use MS Windows NT as an authentication server 9.5.1. Use MS Windows NT as an authentication serverThis method involves the additions of the following parameters in the smb.conf file: 9.5.2. Make Samba a member of an MS Windows NT security domain 9.5.2. Make Samba a member of an MS Windows NT security domainThis method involves additon of the following paramters in the smb.conf file: 9.5.3. Configure Samba as an authentication server 9.5.3. Configure Samba as an authentication serverThis mode of authentication demands that there be on the Unix/Linux system both a Unix style account as well as an @@ -9418,9 +8946,9 @@ CLASS="SECT3" > 9.5.3.1. Users 9.5.3.1. UsersA user account that may provide a home directory should be created. The following Linux system commands are typical of @@ -9430,10 +8958,10 @@ the procedure for creating an account. # useradd -s /bin/bash -d /home/"userid" -m "userid" # passwd "userid" - Enter Password: <pw> + Enter Password: <pw> # smbpasswd -a "userid" - Enter Password: <pw> 9.5.3.2. MS Windows NT Machine Accounts 9.5.3.2. MS Windows NT Machine AccountsThese are required only when Samba is used as a domain controller. Refer to the Samba-PDC-HOWTO for more details. 9.6. Conclusions 9.6. ConclusionsSamba provides a flexible means to operate as... 10.1. Viewing and changing UNIX permissions using the NT - security dialogs New in the Samba 2.0.4 release is the ability for Windows NT clients to use their native security settings dialog box to @@ -9525,9 +9053,9 @@ CLASS="SECT1" > 10.2. How to view file security on a Samba share 10.2. How to view file security on a Samba shareFrom an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted @@ -9595,9 +9123,9 @@ CLASS="SECT1" > 10.3. Viewing file ownership 10.3. Viewing file ownershipClicking on the "SERVER\user (Long name)" Where Where SERVERSERVER is the NetBIOS name of - the Samba server, useruser is the user name of - the UNIX user who owns the file, and (Long name)(Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). Click on the button to remove this dialog.If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then the file owner will be shown as the NT user 10.4. Viewing file or directory permissions 10.4. Viewing file or directory permissionsThe third button is the "SERVER\user (Long name)" Where Where SERVERSERVER is the NetBIOS name of - the Samba server, useruser is the user name of - the UNIX user who owns the file, and (Long name)(Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then the file owner will be shown as the NT user 10.4.1. File Permissions 10.4.1. File PermissionsThe standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -9813,9 +9325,9 @@ CLASS="SECT2" > 10.4.2. Directory Permissions 10.4.2. Directory PermissionsDirectories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -9845,9 +9357,9 @@ CLASS="SECT1" > 10.5. Modifying file or directory permissions 10.5. Modifying file or directory permissionsModifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and @@ -9859,15 +9371,13 @@ CLASS="COMMAND" with the standard Samba permission masks and mapping of DOS attributes that need to also be taken into account. If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then any attempt to set security permissions will fail with an 10.6. Interaction with the standard Samba create mask - parameters Note that with Samba 2.0.5 there are four new parameters to control this interaction. These are : security masksecurity mask force security modeforce security mode directory security maskdirectory security mask force directory security modeforce directory security mode Once a user clicks - security masksecurity mask parameter. Any bits that were changed that are not set to '1' in this parameter are left alone in the file permissions. Essentially, zero bits in the Essentially, zero bits in the security masksecurity mask mask may be treated as a set of bits the user is create mask - parameter to provide compatibility with Samba 2.0.4 where this permission change facility was introduced. To allow a user to @@ -10035,22 +9531,18 @@ CLASS="PARAMETER" the bits set in the force security modeforce security mode parameter. Any bits that were changed that correspond to bits set to '1' in this parameter are forced to be set. Essentially, bits set in the Essentially, bits set in the force security mode - parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'. force - create mode parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000. The The security mask and security mask and force - security mode parameters are applied to the change request in that order. For a directory Samba will perform the same operations as - described above for a file except using the parameter directory security mask instead of directory security mask instead of security - mask, and , and force directory security mode - parameter instead of parameter instead of force security mode - . The The directory security maskdirectory security mask parameter - by default is set to the same value as the directory mask - parameter and the parameter and the force directory security - mode parameter by default is set to the same value as - the force directory modeforce directory mode parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. file in that share specific section : security mask = 0777security mask = 0777 force security mode = 0force security mode = 0 directory security mask = 0777directory security mask = 0777 force directory security mode = 0force directory security mode = 0 As described, in Samba 2.0.4 the parameters : create maskcreate mask force create modeforce create mode directory maskdirectory mask force directory modeforce directory mode were used instead of the parameters discussed here. 10.7. Interaction with the standard Samba file attribute - mapping Samba maps some of the DOS attribute bits (such as "read only") into the UNIX permissions of a file. This means there can @@ -10276,9 +9730,9 @@ CLASS="SECT1" > 11.1. Samba and PAM 11.1. Samba and PAMA number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication @@ -10490,9 +9944,9 @@ CLASS="SECT1" > 11.2. Distributed Authentication 11.2. Distributed AuthenticationThe astute administrator will realize from this that the combination of 11.3. PAM Configuration in smb.conf 11.3. PAM Configuration in smb.confThere is an option in smb.conf called When Samba 2.2 is configure to enable PAM support (i.e. ---with-pam--with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior @@ -10571,9 +10025,9 @@ CLASS="SECT1" > 12.1. Instructions 12.1. InstructionsThe Distributed File System (or Dfs) provides a means of separating the logical view of files and directories that users @@ -10589,21 +10043,17 @@ TARGET="_top" machine (for Dfs-aware clients to browse) using Samba. To enable SMB-based DFS for Samba, configure it with the - --with-msdfs--with-msdfs option. Once built, a Samba server can be made a Dfs server by setting the global boolean host msdfs host msdfs parameter in the msdfs root msdfs root parameter. A Dfs root directory on Samba hosts Dfs links in the form of symbolic links that point to other servers. For example, a symbolic link junction->msdfs:storage1\share1junction->msdfs:storage1\share1 in the share directory acts as the Dfs junction. When Dfs-aware clients attempt to access the junction link, they are redirected @@ -10652,54 +10100,44 @@ CLASS="PROGRAMLISTING" >In the /export/dfsroot directory we set up our dfs links to other servers on the network. root# root# cd /export/dfsrootcd /export/dfsroot root# root# chown root /export/dfsrootchown root /export/dfsroot root# root# chmod 755 /export/dfsrootchmod 755 /export/dfsroot root# root# ln -s msdfs:storageA\\shareA linkaln -s msdfs:storageA\\shareA linka root# root# ln -s msdfs:serverB\\share,serverC\\share linkbln -s msdfs:serverB\\share,serverC\\share linkb You should set up the permissions and ownership of @@ -10719,9 +10157,9 @@ CLASS="SECT2" > 12.1.1. Notes 12.1.1. Notes 13.1. Introduction 13.1. IntroductionBeginning with the 2.2.0 release, Samba supports the native Windows NT printing mechanisms implemented via @@ -10843,9 +10281,9 @@ CLASS="SECT1" > 13.2. Configuration 13.2. Configuration However, the initial implementation allowed for a -parameter named printer driver locationprinter driver location to be used on a per share basis to specify the location of the driver files associated with that printer. Another -parameter named printer driverprinter driver provided a means of defining the printer driver name to be sent to the client. 13.2.1. Creating [print$] 13.2.1. Creating [print$]In order to support the uploading of printer driver files, you must first configure a file share named [print$]. @@ -10950,11 +10384,9 @@ CLASS="PROGRAMLISTING" >The write listwrite list is used to allow administrative level user accounts to have write access in order to update files @@ -11094,12 +10526,10 @@ one of two conditions must hold true: printer - admin list. Once you have created the required [print$] service and associated subdirectories, simply log onto the Samba server using -a root (or printer adminprinter admin) account from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or "My Network Places" and browse for the Samba host. Once you have located @@ -11132,9 +10560,9 @@ CLASS="SECT2" > 13.2.2. Setting Drivers for Existing Printers 13.2.2. Setting Drivers for Existing PrintersThe initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned @@ -11204,9 +10632,9 @@ CLASS="SECT2" > 13.2.3. Support a large number of printers 13.2.3. Support a large number of printersOne issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for @@ -11227,9 +10655,9 @@ of how this could be accomplished: -$ $ rpcclient pogo -U root%secret -c "enumdrivers" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] @@ -11243,9 +10671,9 @@ Printer Driver Info 1: Printer Driver Info 1: Driver Name: [HP LaserJet 4Si/4SiMX PS] -$ $ rpcclient pogo -U root%secret -c "enumprinters" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] flags:[0x800000] @@ -11253,13 +10681,13 @@ Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] comment:[] -$ $ rpcclient pogo -U root%secret \ -> > -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] Successfully set hp-print to driver HP LaserJet 4000 Series PS. 13.2.4. Adding New Printers via the Windows NT APW 13.2.4. Adding New Printers via the Windows NT APWBy default, Samba offers all printer shares defined in The connected user is able to successfully execute an OpenPrinterEx(\\server) with administrative - privileges (i.e. root or printer adminprinter admin). show - add printer wizard = yes (the default). add -printer command must have a defined value. The program hook must successfully add the printer to the system (i.e. @@ -11338,35 +10760,29 @@ CLASS="FILENAME" not exist, smbd will execute the will execute the add printer -command and reparse to the smb.conf to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. Note that the -add printer programadd printer program is executed under the context of the connected user, not necessarily a root account. There is a complementary delete -printer command for removing entries from the "Printers..." folder. The following is an example add printer commandadd printer command script. It adds the appropriate entries to 13.2.5. Samba and Printer Ports 13.2.5. Samba and Printer PortsWindows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the @@ -11460,12 +10874,10 @@ CLASS="FILENAME" > possesses a enumports -command which can be used to define an external program that generates a listing of ports on a system. 13.3. The Imprints Toolset 13.3. The Imprints ToolsetThe Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer Wizard. For complete information, please @@ -11494,9 +10906,9 @@ CLASS="SECT2" > 13.3.1. What is Imprints? 13.3.1. What is Imprints?Imprints is a collection of tools for supporting the goals of 13.3.2. Creating Printer Driver Packages 13.3.2. Creating Printer Driver PackagesThe process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included @@ -11542,9 +10954,9 @@ CLASS="SECT2" > 13.3.3. The Imprints server 13.3.3. The Imprints serverThe Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer @@ -11566,9 +10978,9 @@ CLASS="SECT2" > 13.3.4. The Installation Client 13.3.4. The Installation ClientMore information regarding the Imprints installation client is available in the 13.4. Diagnosis 13.4. Diagnosis13.4.1. Introduction 13.4.1. IntroductionThis is a short description of how to debug printing problems with Samba. This describes how to debug problems with printing from a SMB @@ -11732,7 +11144,7 @@ and it should be periodically cleaned out. Samba used the lpq command to determine the "job number" assigned to your print job by the spooler. The %>letter< are "macros" that get dynamically replaced with appropriate +>The %>letter< are "macros" that get dynamically replaced with appropriate values when they are used. The %s gets replaced with the name of the spool file that Samba creates and the %p gets replaced with the name of the printer. The %j gets replaced with the "job number" which comes from @@ -11743,9 +11155,9 @@ CLASS="SECT2" > 13.4.2. Debugging printer problems 13.4.2. Debugging printer problemsOne way to debug printing problems is to start by replacing these command with shell scripts that record the arguments and the contents @@ -11761,7 +11173,7 @@ CLASS="PROGRAMLISTING" /usr/bin/id -p >/tmp/tmp.print # we run the command and save the error messages # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print Then you print a file and try removing it. You may find that the @@ -11800,9 +11212,9 @@ CLASS="SECT2" > 13.4.3. What printers do I have? 13.4.3. What printers do I have?You can use the 'testprns' program to check to see if the printer name you are using is recognized by Samba. For example, you can @@ -11829,9 +11241,9 @@ CLASS="SECT2" > 13.4.4. Setting up printcap and print servers 13.4.4. Setting up printcap and print serversYou may need to set up some printcaps for your Samba system to use. It is strongly recommended that you use the facilities provided by @@ -11913,9 +11325,9 @@ CLASS="SECT2" > 13.4.5. Job sent, no output 13.4.5. Job sent, no outputThis is the most frustrating part of printing. You may have sent the job, verified that the job was forwarded, set up a wrapper around @@ -11958,9 +11370,9 @@ CLASS="SECT2" > 13.4.6. Job sent, strange output 13.4.6. Job sent, strange outputOnce you have the job printing, you can then start worrying about making it print nicely. 13.4.7. Raw PostScript printed 13.4.7. Raw PostScript printedThis is a problem that is usually caused by either the print spooling system putting information at the start of the print job that makes @@ -12019,9 +11431,9 @@ CLASS="SECT2" > 13.4.8. Advanced Printing 13.4.8. Advanced PrintingNote that you can do some pretty magic things by using your imagination with the "print command" option and some shell scripts. @@ -12035,9 +11447,9 @@ CLASS="SECT2" > 13.4.9. Real debugging 13.4.9. Real debuggingIf the above debug tips don't help, then maybe you need to bring in the bug guns, system tracing. See Tracing.txt in this directory. 14.1. Abstract 14.1. AbstractIntegration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -12083,9 +11495,9 @@ CLASS="SECT1" > 14.2. Introduction 14.2. IntroductionIt is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -12137,9 +11549,9 @@ CLASS="SECT1" > 14.3. What Winbind Provides 14.3. What Winbind ProvidesWinbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -12179,9 +11591,9 @@ CLASS="SECT2" > 14.3.1. Target Uses 14.3.1. Target UsesWinbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -12203,9 +11615,9 @@ CLASS="SECT1" > 14.4. How Winbind Works 14.4. How Winbind WorksThe winbind system is designed around a client/server architecture. A long running 14.4.1. Microsoft Remote Procedure Calls 14.4.1. Microsoft Remote Procedure CallsOver the last few years, efforts have been underway by various Samba Team members to decode various aspects of @@ -12249,9 +11661,9 @@ CLASS="SECT2" > 14.4.2. Microsoft Active Directory Services 14.4.2. Microsoft Active Directory Services Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its 'Native @@ -12268,9 +11680,9 @@ CLASS="SECT2" > 14.4.3. Name Service Switch 14.4.3. Name Service SwitchThe Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -12348,9 +11760,9 @@ CLASS="SECT2" > 14.4.4. Pluggable Authentication Modules 14.4.4. Pluggable Authentication ModulesPluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -12397,9 +11809,9 @@ CLASS="SECT2" > 14.4.5. User and Group ID Allocation 14.4.5. User and Group ID AllocationWhen a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -12423,9 +11835,9 @@ CLASS="SECT2" > 14.4.6. Result Caching 14.4.6. Result CachingAn active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -12446,9 +11858,9 @@ CLASS="SECT1" > 14.5. Installation and Configuration 14.5. Installation and ConfigurationMany thanks to John Trostel 14.5.1. Introduction 14.5.1. IntroductionThis HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -12532,9 +11944,9 @@ CLASS="SECT2" > 14.5.2. Requirements 14.5.2. RequirementsIf you have a samba configuration file that you are currently using... 14.5.3. Testing Things Out 14.5.3. Testing Things OutBefore starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all 14.5.3.1. Configure and compile SAMBA 14.5.3.1. Configure and compile SAMBAThe configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -12657,44 +12069,44 @@ whether or not you have previously built the Samba binaries. root#root# autoconf -root#root# make clean -root#root# rm config.cache -root#root# ./configure -root#root# make -root#root# make install 14.5.3.2. Configure nsswitch.conf and the -winbind libraries The libraries needed to run the daemon through nsswitch need to be copied to their proper locations, so root#root# cp ../samba/source/nsswitch/libnss_winbind.so /lib I also found it necessary to make the following symbolic link: root#root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 And, in the case of Sun solaris: root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 -root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 -root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 root#root# /sbin/ldconfig -v | grep winbind 14.5.3.3. Configure smb.conf 14.5.3.3. Configure smb.confSeveral parameters are needed in the smb.conf file to control the behavior of [global] - <...> + <...> # separate domain and username with '+', like DOMAIN+username 14.5.3.4. Join the SAMBA server to the PDC domain 14.5.3.4. Join the SAMBA server to the PDC domainEnter the following command to make the SAMBA server join the -PDC domain, where DOMAINDOMAIN is the name of -your Windows domain and AdministratorAdministrator is a domain user who has administrative privileges in the domain. root#root# /usr/local/samba/bin/net join -S PDC -U Administrator The proper response to the command should be: "Joined the domain -DOMAIN" where DOMAIN" where DOMAINDOMAIN is your DOMAIN name. 14.5.3.5. Start up the winbindd daemon and test it! 14.5.3.5. Start up the winbindd daemon and test it!Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -12949,9 +12353,9 @@ SAMBA start, but it is possible to test out just the winbind portion first. To start up winbind services, enter the following command as root: root#root# /usr/local/samba/bin/winbinddI'm always paranoid and like to make sure the daemon is really running... root#root# ps -ae | grep winbinddNow... for the real test, try to get some information about the users on your PDC root#root# /usr/local/samba/bin/wbinfo -u Obviously, I have named my domain 'CEO' and my Obviously, I have named my domain 'CEO' and my winbind -separator is '+'. You can do the same sort of thing to get group information from @@ -13010,9 +12412,9 @@ the PDC: root#root# /usr/local/samba/bin/wbinfo -groot#root# getent passwd The same thing can be done for groups with the command root#root# getent group 14.5.3.6. Fix the init.d startup scripts 14.5.3.6. Fix the init.d startup scripts14.5.3.6.1. Linux 14.5.3.6.1. LinuxThe 14.5.3.6.2. Solaris 14.5.3.6.2. SolarisOn solaris, you need to modify the 14.5.3.6.3. Restarting 14.5.3.6.3. RestartingIf you restart the 14.5.3.7. Configure Winbind and PAM 14.5.3.7. Configure Winbind and PAMIf you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other @@ -13281,9 +12683,9 @@ CLASS="FILENAME" > directory by invoking the commandroot#root# make nsswitch/pam_winbind.so/usr/lib/security. root#root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security 14.5.3.7.1. Linux/FreeBSD-specific PAM configuration 14.5.3.7.1. Linux/FreeBSD-specific PAM configurationThe 14.5.3.7.2. Solaris-specific configuration 14.5.3.7.2. Solaris-specific configurationThe /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes @@ -13535,9 +12937,9 @@ CLASS="SECT1" > 14.6. Limitations 14.6. LimitationsWinbind has a number of limitations in its current released version that we hope to overcome in future @@ -13577,9 +12979,9 @@ CLASS="SECT1" > 14.7. Conclusion 14.7. ConclusionThe winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate @@ -13601,9 +13003,9 @@ CLASS="SECT1" > 15.1. Overview of browsing 15.1. Overview of browsingSMB networking provides a mechanism by which clients can access a list of machines in a network, a so-called "browse list". This list @@ -13614,8 +13016,13 @@ list is heavily used by all SMB clients. Configuration of SMB browsing has been problematic for some Samba users, hence this document. Browsing will NOT work if name resolution from NetBIOS names to IP -addresses does not function correctly. Use of a WINS server is highly +>MS Windows 2000 and later, as with Samba-3 and later, can be +configured to not use NetBIOS over TCP/IP. When configured this way +it is imperative that name resolution (using DNS/LDAP/ADS) be correctly +configured and operative. Browsing will NOT work if name resolution +from SMB machine names to IP addresses does not function correctly. Where NetBIOS over TCP/IP is enabled use of a WINS server is highly recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. WINS allows remote segment clients to obtain NetBIOS name_type information that can NOT be provided by any other means of name resolution. 15.2. Browsing support in samba Samba now fully supports browsing. The browsing is supported by nmbd -and is also controlled by options in the smb.conf file (see smb.conf(5)). 15.2. Browsing support in sambaSamba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available. See -DOMAIN.txt for more information on domain logons.Samba facilitates browsing. The browsing is supported by nmbd +and is also controlled by options in the smb.conf file (see smb.conf(5)). +Samba can act as a local browse master for a workgroup and the ability +for samba to support domain logons and scripts is now available. Samba can also act as a domain master browser for a workgroup. This means that it will collate lists from local browse masters into a @@ -13649,12 +13054,12 @@ regardless of whether it is NT, Samba or any other type of domain master that is providing this service. [Note that nmbd can be configured as a WINS server, but it is not -necessary to specifically use samba as your WINS server. NTAS can -be configured as your WINS server. In a mixed NT server and -samba environment on a Wide Area Network, it is recommended that -you use the NT server's WINS server capabilities. In a samba-only -environment, it is recommended that you use one and only one nmbd -as your WINS server]. To get browsing to work you need to run nmbd as usual, but will need to use the "workgroup" option in smb.conf to control what workgroup @@ -13670,9 +13075,9 @@ CLASS="SECT1" > 15.3. Problem resolution 15.3. Problem resolutionIf something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding @@ -13688,6 +13093,19 @@ filemanager should display the list of available shares. MS Windows 2000 and upwards (as with Samba) can be configured to disallow +anonymous (ie: Guest account) access to the IPC$ share. In that case, the +MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the +name of the currently logged in user to query the IPC$ share. MS Windows +9X clients are not able to do this and thus will NOT be able to browse +server resources. Also, a lot of people are getting bitten by the problem of too many parameters on the command line of nmbd in inetd.conf. This trick is to not use spaces between the option and the parameter (eg: -d2 instead @@ -13704,11 +13122,11 @@ CLASS="SECT1" > 15.4. Browsing across subnets 15.4. Browsing across subnetsWith the release of Samba 1.9.17(alpha1 and above) Samba has been +>Since the release of Samba 1.9.17(alpha1) Samba has been updated to enable it to support the replication of browse lists across subnet boundaries. New code and options have been added to achieve this. This section describes how to set this feature up @@ -13735,15 +13153,14 @@ CLASS="SECT2" > 15.4.1. How does cross subnet browsing work ? 15.4.1. How does cross subnet browsing work ?Cross subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several years to get the code that achieves this correct, and Samba lags behind in some areas. -However, with the 1.9.17 release, Samba is capable of cross subnet -browsing when configured correctly. Consider a network set up as follows : Once N2_B knows the address of the Domain master browser it @@ -13947,9 +13364,9 @@ CLASS="SECT1" > 15.5. Setting up a WINS server 15.5. Setting up a WINS serverEither a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must @@ -13961,9 +13378,9 @@ CLASS="COMMAND" > wins support = yes Versions of Samba previous to 1.9.17 had this parameter default to +>Versions of Samba prior to 1.9.17 had this parameter default to yes. If you have any older versions of Samba on your network it is -strongly suggested you upgrade to 1.9.17 or above, or at the very +strongly suggested you upgrade to a recent version, or at the very least set the parameter to 'no' on all these machines. Machines with " wins server = >name or IP address<wins server = >name or IP address< where >name or IP address< is either the DNS name of the WINS server +>where >name or IP address< is either the DNS name of the WINS server machine or its IP address.Note that this line MUST NOT BE SET in the smb.conf file of the Samba @@ -14015,7 +13432,7 @@ CLASS="COMMAND" >" option and the "wins server = >name<wins server = <name>" option then nmbd will fail to start. 15.6. Setting up Browsing in a WORKGROUP 15.6. Setting up Browsing in a WORKGROUPTo set up cross subnet browsing on a network containing machines in up to be in a WORKGROUP, not an NT Domain you need to set up one @@ -14073,11 +13490,12 @@ server, if you require. Next, you should ensure that each of the subnets contains a machine that can act as a local master browser for the -workgroup. Any NT machine should be able to do this, as will -Windows 95 machines (although these tend to get rebooted more -often, so it's not such a good idea to use these). To make a -Samba server a local master browser set the following -options in the [global] section of the smb.conf file : 15.7. Setting up Browsing in a DOMAIN 15.7. Setting up Browsing in a DOMAINIf you are adding Samba servers to a Windows NT Domain then you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a Domain name is also the Domain master browser for that name, and many things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN>1B<) with WINS instead of the PDC. For subnets other than the one containing the Windows NT PDC you may set up Samba servers as local master browsers as @@ -14165,9 +13583,9 @@ CLASS="SECT1" > 15.8. Forcing samba to be the master 15.8. Forcing samba to be the masterWho becomes the "master browser" is determined by an election process using broadcasts. Each election packet contains a number of parameters @@ -14180,8 +13598,8 @@ option in smb.conf to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!) A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A -NTAS domain controller uses level 32.A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows +NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. The maximum os level is 255 15.9. Making samba the domain master 15.9. Making samba the domain masterThe domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can @@ -14286,9 +13704,9 @@ CLASS="SECT1" > 15.10. Note about broadcast addresses 15.10. Note about broadcast addressesIf your network uses a "0" based broadcast address (for example if it ends in a 0) then you will strike problems. Windows for Workgroups @@ -14300,9 +13718,9 @@ CLASS="SECT1" > 15.11. Multiple interfaces 15.11. Multiple interfacesSamba now supports machines with multiple network interfaces. If you have multiple interfaces then you will need to use the "interfaces" @@ -14321,9 +13739,9 @@ CLASS="SECT1" > 16.1. Introduction and configuration 16.1. Introduction and configurationSince samba 3.0, samba supports stackable VFS(Virtual File System) modules. Samba passes each request to access the unix file system thru the loaded VFS modules. @@ -14362,17 +13780,17 @@ CLASS="SECT1" > 16.2. Included modules 16.2. Included modules16.2.1. audit 16.2.1. auditA simple module to audit file access to the syslog facility. The following operations are logged: @@ -14408,9 +13826,9 @@ CLASS="SECT2" > 16.2.2. recycle 16.2.2. recycleA recycle-bin like modules. When used any unlink call will be intercepted and files moved to the recycle @@ -14479,9 +13897,9 @@ CLASS="SECT2" > 16.2.3. netatalk 16.2.3. netatalkA netatalk module, that will ease co-existence of samba and netatalk file sharing services. 16.3. VFS modules available elsewhere 16.3. VFS modules available elsewhereThis section contains a listing of various other VFS modules that have been posted but don't currently reside in the Samba CVS @@ -14528,9 +13946,9 @@ CLASS="SECT2" > 16.3.1. DatabaseFS 16.3.1. DatabaseFSURL: 16.3.2. vscan 16.3.2. vscanURL: Chapter 17. Access Samba source code via CVS 17.1. Introduction Chapter 17. Group mapping HOWTOSamba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter. +Starting with Samba 3.0 alpha 2, a new group mapping function is available. The +current method (likely to change) to manage the groups is a new command called +smbgroupedit. This document is a modified version of the instructions found at -http://samba.org/samba/cvs.html 17.2. CVS Access to samba.orgThe first immediate reason to use the group mapping on a PDC, is that +the domain admin group of smb.conf is +now gone. This parameter was used to give the listed users local admin rights +on their workstations. It was some magic stuff that simply worked but didn't +scale very well for complex setups. The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host. 17.2.1. Access via CVSwebLet me explain how it works on NT/W2K, to have this magic fade away. +When installing NT/W2K on a computer, the installer program creates some users +and groups. Notably the 'Administrators' group, and gives to that group some +privileges like the ability to change the date and time or to kill any process +(or close too) running on the local machine. The 'Administrator' user is a +member of the 'Administrators' group, and thus 'inherit' the 'Administrators' +group privileges. If a 'joe' user is created and become a member of the +'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. You can access the source code via your -favourite WWW browser. This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository.When a NT/W2K machine is joined to a domain, during that phase, the "Domain +Administrators' group of the PDC is added to the 'Administrators' group of the +workstation. Every members of the 'Domain Administrators' group 'inherit' the +rights of the 'Administrators' group when logging on the workstation. You are now wondering how to make some of your samba PDC users members of the +'Domain Administrators' ? That's really easy. Use the URL : http://samba.org/cgi-bin/cvsweb 17.2.2. Access via cvs You can also access the source code via a -normal cvs client. This gives you much more control over you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser. To download the latest cvs source code, point your -browser at the URL : http://www.cyclic.com/. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com. To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. - Run the command - cvs -d :pserver:cvs@samba.org:/cvsroot login - When it asks you for a password type cvs. - Run the command - cvs -d :pserver:cvs@samba.org:/cvsroot co samba - This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. - CVS branches other HEAD can be obtained by using the -r - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. - cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba - Whenever you want to merge in the latest code changes use - the following command from within the samba directory: - cvs update -d -P - Chapter 18. Group mapping HOWTO -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -smbgroupedit. The first immediate reason to use the group mapping on a PDC, is that -the domain admin group of smb.conf is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups. Let me explain how it works on NT/W2K, to have this magic fade away. -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation. You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy. create a unix group (usually in /etc/group), let's call it domadm create a unix group (usually in /etc/group), let's call it domadm add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in Chapter 19. Samba performance issuesChapter 18. Samba performance issues 19.1. Comparisons 18.1. ComparisonsThe Samba server uses TCP to talk to the client. Thus if you are trying to see if it performs well you should really compare it to @@ -14896,9 +14142,9 @@ CLASS="SECT1" > 19.2. Socket options 18.2. Socket optionsThere are a number of socket options that can greatly affect the performance of a TCP based server like Samba. 19.3. Read size 18.3. Read sizeThe option "read size" affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in @@ -14950,9 +14196,9 @@ CLASS="SECT1" > 19.4. Max xmit 18.4. Max xmitAt startup the client and server negotiate a "maximum transmit" size, which limits the size of nearly all SMB commands. You can set the @@ -14973,9 +14219,9 @@ CLASS="SECT1" > 19.5. Log level 18.5. Log levelIf you set the log level (also known as "debug level") higher than 2 then you may suffer a large drop in performance. This is because the @@ -14987,9 +14233,9 @@ CLASS="SECT1" > 19.6. Read raw 18.6. Read rawThe "read raw" operation is designed to be an optimised, low-latency file read operation. A server may choose to not support it, @@ -15009,9 +14255,9 @@ CLASS="SECT1" > 19.7. Write raw 18.7. Write rawThe "write raw" operation is designed to be an optimised, low-latency file write operation. A server may choose to not support it, @@ -15026,9 +14272,9 @@ CLASS="SECT1" > 19.8. Slow Clients 18.8. Slow ClientsOne person has reported that setting the protocol to COREPLUS rather than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s). 19.9. Slow Logins 18.9. Slow LoginsSlow logins are almost always due to the password checking time. Using the lowest practical "password level" will improve things a lot. You @@ -15056,9 +14302,9 @@ CLASS="SECT1" > 19.10. Client tuning 18.10. Client tuningOften a speed problem can be traced to the client. The client (for example Windows for Workgroups) can often be tuned for better TCP @@ -15164,15 +14410,15 @@ CLASS="CHAPTER" >Chapter 20. Creating Group ProfilesChapter 19. Creating Group Prolicy Files 20.1. Windows '9x 19.1. Windows '9xYou need the Win98 Group Policy Editor to set Group Profiles up under Windows '9x. It can be found on the Original @@ -15196,25 +14442,28 @@ CLASS="FILENAME" > that needs to be placed in the root of the [NETLOGON] share. If your Win98 is configured to log onto the Samba Domain, it will automatically read this file and update the -Win98 registry of the machine that is logging on. All of this is covered in the Win98 Resource Kit documentation. If you do not do it this way, then every so often Win98 will check the +>If you do not do it this way, then every so often Win9x/Me will check the integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win98 machine. Hence, you will notice -things changing back to the original settings. The following all refers to Windows NT/200x profile migration - not to policies. +We need a separate section on policies (NTConfig.Pol) for NT4/200x. 20.2. Windows NT 4 19.2. Windows NT 4Unfortunately, the Resource Kit info is Win NT4/2K version specific. Unfortunately, the Resource Kit info is Win NT4 or 200x specific. Here is a quick guide: I am using the term "migrate" lossely. You can copy a profile to +>I am using the term "migrate" lossely. You can copy a profile to create a group profile. You can give the user 'Everyone' rights to the profile you copy this to. That is what you need to do, since your samba domain is not a member of a trust relationship with your NT4 PDC. 20.2.1. Side bar Notes 19.2.1. Side bar NotesYou should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man page. 20.2.2. Mandatory profiles 19.2.2. Mandatory profilesThe above method can be used to create mandatory profiles also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT file @@ -15320,9 +14569,9 @@ CLASS="SECT2" > 20.2.3. moveuser.exe 19.2.3. moveuser.exeThe W2K professional resource kit has moveuser.exe. moveuser.exe changes the security of a profile from one user to another. This allows the account @@ -15333,9 +14582,9 @@ CLASS="SECT2" > 20.2.4. Get SID 19.2.4. Get SIDYou can identify the SID by using GetSID.exe from the Windows NT Server 4.0 Resource Kit. 20.3. Windows 2000/XP 19.3. Windows 2000/XPYou must first convert the profile from a local profile to a domain profile on the MS Windows workstation as follows: Chapter 20. Securing Samba 20.1. Introduction This note was attached to the Samba 2.2.8 release notes as it contained an +important security fix. The information contained here applies to Samba +installations in general. 20.2. Using host based protection In many installations of Samba the greatest threat comes for outside +your immediate network. By default Samba will accept connections from +any host, which means that if you run an insecure version of Samba on +a host that is directly connected to the Internet you can be +especially vulnerable. One of the simplest fixes in this case is to use the 'hosts allow' and +'hosts deny' options in the Samba smb.conf configuration file to only +allow access to your server from a specific range of hosts. An example +might be: hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 The above will only allow SMB connections from 'localhost' (your own +computer) and from the two private networks 192.168.2 and +192.168.3. All other connections will be refused connections as soon +as the client sends its first packet. The refusal will be marked as a +'not listening on called name' error. 20.3. Using interface protection By default Samba will accept connections on any network interface that +it finds on your system. That means if you have a ISDN line or a PPP +connection to the Internet then Samba will accept connections on those +links. This may not be what you want. You can change this behaviour using options like the following: interfaces = eth* lo + bind interfaces only = yes This tells Samba to only listen for connections on interfaces with a +name starting with 'eth' such as eth0, eth1, plus on the loopback +interface called 'lo'. The name you will need to use depends on what +OS you are using, in the above I used the common name for Ethernet +adapters on Linux. If you use the above and someone tries to make a SMB connection to +your host over a PPP interface called 'ppp0' then they will get a TCP +connection refused reply. In that case no Samba code is run at all as +the operating system has been told not to pass connections from that +interface to any process. 20.4. Using a firewall Many people use a firewall to deny access to services that they don't +want exposed outside their network. This can be a very good idea, +although I would recommend using it in conjunction with the above +methods so that you are protected even if your firewall is not active +for some reason. If you are setting up a firewall then you need to know what TCP and +UDP ports to allow and block. Samba uses the following: UDP/137 - used by nmbd +UDP/138 - used by nmbd +TCP/139 - used by smbd +TCP/445 - used by smbd The last one is important as many older firewall setups may not be +aware of it, given that this port was only added to the protocol in +recent years. 20.5. Using a IPC$ share deny If the above methods are not suitable, then you could also place a +more specific deny on the IPC$ share that is used in the recently +discovered security hole. This allows you to offer access to other +shares while denying access to IPC$ from potentially untrustworthy +hosts. To do that you could use: [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 this would tell Samba that IPC$ connections are not allowed from +anywhere but the two listed places (localhost and a local +subnet). Connections to other shares would still be allowed. As the +IPC$ share is the only share that is always accessible anonymously +this provides some level of protection against attackers that do not +know a username/password for your host. If you use this method then clients will be given a 'access denied' +reply when they try to access the IPC$ share. That means that those +clients will not be able to browse shares, and may also be unable to +access some other resources. This is not recommended unless you cannot use one of the other +methods listed above for some reason. 20.6. Upgrading Samba Please check regularly on http://www.samba.org/ for updates and +important announcements. Occasionally security releases are made and +it is highly recommended to upgrade Samba when a security vulnerability +is discovered. 21.1. HPUX 21.2. SCO Unix 21.3. DNIX 21.4. RedHat Linux Rembrandt-II 21.5. AIX 21.5.1. Sequential Read Ahead 22.1. Macintosh clients? 22.2. OS2 Client 22.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba? 22.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba? 22.2.3. Are there any other issues when OS/2 (any version) is used as a client? 22.2.4. How do I get printer driver download working for OS/2 clients? 22.3. Windows for Workgroups 22.3.1. Use latest TCP/IP stack from Microsoft 22.3.2. Delete .pwl files after password change 22.3.3. Configure WfW password handling 22.3.4. Case handling of passwords 22.3.5. Use TCP/IP as default protocol 22.4. Windows '95/'98 22.5. Windows 2000 Service Pack 2 23. Reporting BugsHow to compile SAMBA 23.1. Access Samba source code via CVS 23.1.1. Introduction 23.1.2. CVS Access to samba.org 23.2. General infoAccessing the samba sources via rsync and ftp 23.3. Debug levelsBuilding the Binaries 23.4. Starting the smbd and nmbd 23.4.1. Starting from inetd.conf 23.4.2. Alternative: starting it as a daemon 24. Reporting Bugs 24.1. Introduction 24.2. General info 24.3. Debug levels 24.4. Internal errors 23.5. 24.5. Attaching to a running process 23.6. 24.6. Patches 24. 25. Diagnosing your samba serverThe samba checklist 24.1. 25.1. Introduction 24.2. 25.2. Assumptions 24.3. 25.3. Tests 24.3.1. 25.3.1. Test 1 24.3.2. 25.3.2. Test 2 24.3.3. 25.3.3. Test 3 24.3.4. 25.3.4. Test 4 24.3.5. 25.3.5. Test 5 24.3.6. 25.3.6. Test 6 24.3.7. 25.3.7. Test 7 24.3.8. 25.3.8. Test 8 24.3.9. 25.3.9. Test 9 24.3.10. 25.3.10. Test 10 24.3.11. 25.3.11. Test 11 24.4. 25.4. Still having troubles? 21.1. HPUX 21.1. HPUXHP's implementation of supplementary groups is, er, non-standard (for hysterical reasons). There are two group files, /etc/group and @@ -15897,9 +15394,9 @@ CLASS="SECT1" > 21.2. SCO Unix 21.2. SCO Unix If you run an old version of SCO Unix then you may need to get important @@ -15914,9 +15411,9 @@ CLASS="SECT1" > 21.3. DNIX 21.3. DNIXDNIX has a problem with seteuid() and setegid(). These routines are needed for Samba to work correctly, but they were left out of the DNIX @@ -16021,9 +15518,9 @@ CLASS="SECT1" > 21.4. RedHat Linux Rembrandt-II 21.4. RedHat Linux Rembrandt-IIBy default RedHat Rembrandt-II during installation adds an entry to /etc/hosts as follows: @@ -16040,6 +15537,27 @@ is the master browse list holder and who is the master browser.Corrective Action: Delete the entry after the word loopback in the line starting 127.0.0.1 21.5. AIX 21.5.1. Sequential Read Ahead Disabling Sequential Read Ahead using "vmtune -r 0" improves +samba performance significally. 22.1. Macintosh clients? 22.1. Macintosh clients?Yes. 22.2. OS2 Client 22.2. OS2 Client22.2.1. How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba? A more complete answer to this question can be found on 22.2.2. How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba? You can use the free Microsoft LAN Manager 2.2c Client for OS/2 from @@ -16212,10 +15730,10 @@ CLASS="SECT2" > 22.2.3. Are there any other issues when OS/2 (any version) - is used as a client? When you do a NET VIEW or use the "File and Print Client Resource Browser", no Samba servers show up. This can @@ -16234,10 +15752,10 @@ CLASS="SECT2" > 22.2.4. How do I get printer driver download working - for OS/2 clients? First, create a share called [PRINTDRV] that is world-readable. Copy your OS/2 driver files there. Note @@ -16247,17 +15765,13 @@ NAME="AEN3350" > Install the NT driver first for that printer. Then, add to your smb.conf a parameter, os2 driver map = - filenamefilename". Then, in the file - specified by filenamefilename, map the name of the NT driver name to the OS/2 driver name as follows: 22.3. Windows for Workgroups 22.3. Windows for Workgroups22.3.1. Use latest TCP/IP stack from Microsoft 22.3.1. Use latest TCP/IP stack from MicrosoftUse the latest TCP/IP stack from microsoft if you use Windows for workgroups. 22.3.2. Delete .pwl files after password change 22.3.2. Delete .pwl files after password changeWfWg does a lousy job with passwords. I find that if I change my password on either the unix box or the PC the safest thing to do is to @@ -16335,9 +15849,9 @@ CLASS="SECT2" > 22.3.3. Configure WfW password handling 22.3.3. Configure WfW password handlingThere is a program call admincfg.exe on the last disk (disk 8) of the WFW 3.11 disk set. To install it @@ -16354,9 +15868,9 @@ CLASS="SECT2" > 22.3.4. Case handling of passwords 22.3.4. Case handling of passwordsWindows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the password level to specify what characters samba should try to uppercase when checking. 22.3.5. Use TCP/IP as default protocol To support print queue reporting you may find +that you have to use TCP/IP as the default protocol under +WfWg. For some reason if you leave Netbeui as the default +it may break the print queue reporting on some systems. +It is presumably a WfWg bug. 22.4. Windows '95/'98 When using Windows 95 OEM SR2 the following updates are recommended where Samba +is being used. Please NOTE that the above change will affect you once these +updates have been installed. +There are more updates than the ones mentioned here. You are referred to the +Microsoft Web site for all currently available updates to your specific version +of Windows 95. Kernel Update: KRNLUPD.EXE Ping Fix: PINGUPD.EXE RPC Update: RPCRTUPD.EXE TCP/IP Update: VIPUPD.EXE Redirector Update: VRDRUPD.EXE Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This +fix may stop your machine from hanging for an extended period when exiting +OutLook and you may also notice a significant speedup when accessing network +neighborhood services. 22.4. Windows '95/'98 22.5. Windows 2000 Service Pack 2 +There are several annoyances with Windows 2000 SP2. One of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +likely occur if it is not. +In order to server profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have +nt acl support = no +added to the file share which houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, etc...). See the +smb.conf(5) man page +for more details on this option. Also note that the +nt acl support parameter was formally a global parameter in +releases prior to Samba 2.2.2. +The following is a minimal profile share: [profile] + path = /export/profile + create mask = 0600 + directory mask = 0700 + nt acl support = no + read only = no The reason for this bug is that the Win2k SP2 client copies +the security descriptor for the profile which contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different that the one assigned to DOMAIN\user. Hence the reason +for the "access denied" message. By disabling the nt acl support parameter, Samba will send +the Win2k client a response to the QuerySecurityDescriptor +trans2 call which causes the client to set a default ACL +for the profile. This default ACL includes DOMAIN\user "Full Control" NOTE : This bug does not occur when using winbind to +create accounts on the Samba host for Domain users. Chapter 23. How to compile SAMBA You can obtain the samba source from the samba website. To obtain a development version, +you can download samba from CVS or using rsync. 23.1. Access Samba source code via CVS 23.1.1. Introduction Samba is developed in an open environment. Developers use CVS +(Concurrent Versioning System) to "checkin" (also known as +"commit") new source code. Samba's various CVS branches can +be accessed via anonymous CVS using the instructions +detailed in this chapter. This chapter is a modified version of the instructions found at +http://samba.org/samba/cvs.html 23.1.2. CVS Access to samba.org The machine samba.org runs a publicly accessible CVS +repository for access to the source code of several packages, +including samba, rsync and jitterbug. There are two main ways of +accessing the CVS server on this host. 23.1.2.1. Access via CVSweb You can access the source code via your +favourite WWW browser. This allows you to access the contents of +individual files in the repository and also to look at the revision +history and commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository. Use the URL : http://samba.org/cgi-bin/cvsweb 23.1.2.2. Access via cvs You can also access the source code via a +normal cvs client. This gives you much more control over you can +do with the repository and allows you to checkout whole source trees +and keep them up to date via normal cvs commands. This is the +preferred method of access if you are a developer and not +just a casual browser. To download the latest cvs source code, point your +browser at the URL : http://www.cyclic.com/. +and click on the 'How to get cvs' link. CVS is free software under +the GNU GPL (as is Samba). Note that there are several graphical CVS clients +which provide a graphical interface to the sometimes mundane CVS commands. +Links to theses clients are also available from http://www.cyclic.com. To gain access via anonymous cvs use the following steps. +For this example it is assumed that you want a copy of the +samba source code. For the other source code repositories +on this system just substitute the correct package name Install a recent copy of cvs. All you really need is a + copy of the cvs client binary. + Run the command + cvs -d :pserver:cvs@samba.org:/cvsroot login + When it asks you for a password type cvs. + Run the command + cvs -d :pserver:cvs@samba.org:/cvsroot co samba + This will create a directory called samba containing the + latest samba source code (i.e. the HEAD tagged cvs branch). This + currently corresponds to the 3.0 development tree. + CVS branches other HEAD can be obtained by using the -r + and defining a tag name. A list of branch tag names can be found on the + "Development" page of the samba web site. A common request is to obtain the + latest 2.2 release code. This could be done by using the following command. + cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba + Whenever you want to merge in the latest code changes use + the following command from within the samba directory: + cvs update -d -P + 23.2. Accessing the samba sources via rsync and ftp pserver.samba.org also exports unpacked copies of most parts of the CVS tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. + See the rsync homepage for more info on rsync. + The disadvantage of the unpacked trees + is that they do not support automatic + merging of local changes like CVS does. + rsync access is most convenient for an + initial install. + 23.3. Building the Binaries To do this, first run the program ./configure + in the source directory. This should automatically + configure Samba for your operating system. If you have unusual + needs then you may wish to run root# ./configure --help + first to see what special options you can enable. + Then executing root# make will create the binaries. Once it's successfully + compiled you can use root# make install to install the binaries and manual pages. You can + separately install the binaries and/or man pages using root# make installbin + and root# make installman + Note that if you are upgrading for a previous version + of Samba you might like to know that the old versions of + the binaries will be renamed with a ".old" extension. You + can go back to the previous version with root# make revert + if you find this version a disaster! 23.4. Starting the smbd and nmbd You must choose to start smbd and nmbd either + as daemons or from inetd. Don't try + to do both! Either you can put them in inetd.conf and have them started on demand + by inetd, or you can start them as + daemons either from the command line or in /etc/rc.local. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start + Samba. In many cases you must be root. The main advantage of starting smbd + and nmbd using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request. 23.4.1. Starting from inetd.conf When using Windows 95 OEM SR2 the following updates are recommended where Samba -is being used. Please NOTE that the above change will affect you once these -updates have been installed. NOTE; The following will be different if + you use NIS, NIS+ or LDAP to distribute services maps. -There are more updates than the ones mentioned here. You are referred to the -Microsoft Web site for all currently available updates to your specific version -of Windows 95. Look at your /etc/services. + What is defined at port 139/tcp. If nothing is defined + then add a line like this: netbios-ssn 139/tcp Kernel Update: KRNLUPD.EXE similarly for 137/udp you should have an entry like: Ping Fix: PINGUPD.EXE netbios-ns 137/udp RPC Update: RPCRTUPD.EXE Next edit your /etc/inetd.conf + and add two lines something like this: TCP/IP Update: VIPUPD.EXE netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd + netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd + Redirector Update: VRDRUPD.EXE The exact syntax of /etc/inetd.conf + varies between unixes. Look at the other entries in inetd.conf + for a guide. Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This -fix may stop your machine from hanging for an extended period when exiting -OutLook and you may also notice a significant speedup when accessing network -neighborhood services. 22.5. Windows 2000 Service Pack 2 NOTE: Some unixes already have entries like netbios_ns + (note the underscore) in /etc/services. + You must either edit /etc/services or + /etc/inetd.conf to make them consistent. NOTE: On many systems you may need to use the + "interfaces" option in smb.conf to specify the IP address + and netmask of your interfaces. Run ifconfig -There are several annoyances with Windows 2000 SP2. One of which -only appears when using a Samba server to host user profiles -to Windows 2000 SP2 clients in a Windows domain. This assumes -that Samba is a member of the domain, but the problem will -likely occur if it is not. nmbd tries to determine it at run + time, but fails on some unixes. See the section on "testing nmbd" + for a method of finding if you need to do this. -In order to server profiles successfully to Windows 2000 SP2 -clients (when not operating as a PDC), Samba must have -!!!WARNING!!! Many unixes only accept around 5 + parameters on the command line in inetd.conf. + This means you shouldn't use spaces between the options and + arguments, or you should use a script, and start the script + from nt acl support = no -added to the file share which houses the roaming profiles. -If this is not done, then the Windows 2000 SP2 client will -complain about not being able to access the profile (Access -Denied) and create multiple copies of it on disk (DOMAIN.user.001, -DOMAIN.user.002, etc...). See the -smb.conf(5) man page -for more details on this option. Also note that the -inetd. Restart nt acl support parameter was formally a global parameter in -releases prior to Samba 2.2.2. inetd, perhaps just send + it a HUP. If you have installed an earlier version of nmbd then you may need to kill nmbd as well. 23.4.2. Alternative: starting it as a daemon -The following is a minimal profile share: To start the server as a daemon you should create + a script something like this one, perhaps calling + it startsmb. [profile] - path = /export/profile - create mask = 0600 - directory mask = 0700 - nt acl support = no - read only = no #!/bin/sh + /usr/local/samba/bin/smbd -D + /usr/local/samba/bin/nmbd -D + The reason for this bug is that the Win2k SP2 client copies -the security descriptor for the profile which contains -the Samba server's SID, and not the domain SID. The client -compares the SID for SAMBA\user and realizes it is -different that the one assigned to DOMAIN\user. Hence the reason -for the "access denied" message. then make it executable with chmod + +x startsmb By disabling the You can then run nt acl support parameter, Samba will send -the Win2k client a response to the QuerySecurityDescriptor -trans2 call which causes the client to set a default ACL -for the profile. This default ACL includes startsmb by + hand or execute it from /etc/rc.local + To kill it send a kill signal to the processes + DOMAIN\user "Full Control" nmbd and smbd. NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users.NOTE: If you use the SVR4 style init system then + you may like to look at the examples/svr4-startup + script to make Samba fit into that system. Chapter 23. Reporting BugsChapter 24. Reporting Bugs23.1. Introduction 24.1. IntroductionThe email address for bug reports for stable releases is 23.2. General info 24.2. General infoBefore submitting a bug report check your config for silly errors. Look in your log files for obvious messages that tell you that @@ -16581,9 +16606,9 @@ CLASS="SECT1" > 23.3. Debug levels 24.3. Debug levelsIf the bug has anything to do with Samba behaving incorrectly as a server (like refusing to open a file) then the log files will probably @@ -16651,9 +16676,9 @@ CLASS="SECT1" > 23.4. Internal errors 24.4. Internal errorsIf you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a @@ -16695,9 +16720,9 @@ CLASS="SECT1" > 23.5. Attaching to a running process 24.5. Attaching to a running processUnfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd @@ -16712,9 +16737,9 @@ CLASS="SECT1" > 23.6. Patches 24.6. PatchesThe best sort of bug report is one that includes a fix! If you send us patches please use Chapter 24. Diagnosing your samba serverChapter 25. The samba checklist 24.1. Introduction 25.1. IntroductionThis file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem @@ -16763,9 +16788,9 @@ CLASS="SECT1" > 24.2. Assumptions 25.2. AssumptionsIn all of the tests it is assumed you have a Samba server called BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP. 24.3. Tests 25.3. Tests24.3.1. Test 1 25.3.1. Test 1In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -16831,9 +16856,9 @@ CLASS="SECT2" > 24.3.2. Test 2 25.3.2. Test 2Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -16857,9 +16882,9 @@ CLASS="SECT2" > 24.3.3. Test 3 25.3.3. Test 3Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back. 24.3.4. Test 4 25.3.4. Test 4Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back. 24.3.5. Test 5 25.3.5. Test 5run the command 24.3.6. Test 6 25.3.6. Test 6Run the command 24.3.7. Test 7 25.3.7. Test 7Run the command . You should then be prompted for a password. You should use the password of the account you are logged into the unix box with. If you want to test with -another account then add the -U >accountname< option to the end of +another account then add the -U >accountname< option to the end of the command line. eg: etc. Type help >command<help >command< for instructions. You should especially check that the amount of free disk space shown is correct when you type 24.3.8. Test 8 25.3.8. Test 8On the PC type the command 24.3.9. Test 9 25.3.9. Test 9Run the command 24.3.10. Test 10 25.3.10. Test 10Run the command 24.3.11. Test 11 25.3.11. Test 11From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -17241,9 +17266,9 @@ CLASS="SECT1" > 24.4. Still having troubles? 25.4. Still having troubles?Try the mailing list or newsgroup, or use the ethereal utility to sniff the problem. The official samba mailing list can be reached at -- cgit

1.2. Building the Binaries

1.2.1. Editing the smb.conf file

1.3. The all important step

1.4. Create the smb configuration file.

1.5. Test your config file with +NAME="AEN50" +>1.2.1.1. Test your config file with testparm

1.2.2. SWAT

1.6. Starting the smbd and nmbd

1.6.1. Starting from inetd.conf

1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... client

1.6. What If Things Don't Work?

1.6.1. Scope IDs

1.6.2. Alternative: starting it as a daemon

1.7. Try listing the shares available on your - server

1.8. Try connecting with the unix client

1.9. Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client

1.10. What If Things Don't Work?

1.10.1. Diagnosing Problems

1.10.2. Scope IDs

1.10.3. Choosing the Protocol Level

1.10.4. Printing from UNIX to a Client PC

1.10.5. Locking

1.10.6. Mapping Usernames

Chapter 2. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide

2.1. Discussion

2.2. Use of the "Remote Announce" parameter

2.3. Use of the "Remote Browse Sync" parameter

2.4. Use of WINS

2.5. Do NOT use more than one (1) protocol on MS Windows machines

2.6. Name Resolution Order

3.1. Introduction

3.2. Important Notes About Security

3.2.1. Advantages of SMB Encryption

3.2.2. Advantages of non-encrypted passwords

3.3. The smbpasswd Command

3.4. Plain text

3.5. TDB

3.6. LDAP

3.6.1. Introduction

3.6.2. Introduction

3.6.3. Supported LDAP Servers

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

3.6.5. Configuring Samba with LDAP

3.6.5.1. OpenLDAP configuration

3.6.5.2. Configuring Samba

3.6.6. Accounts and Groups management

3.6.7. Security and sambaAccount

3.6.8. LDAP specials attributes for sambaAccounts

3.6.9. Example LDIF Entries for a sambaAccount

3.7. MySQL

3.7.1. Building

3.7.2. Creating the database

3.7.3. Configuring

3.7.4. Using plaintext passwords or encrypted password

3.7.5. Getting non-column data from the table

3.8. Passdb XML plugin

3.8.1. Building

3.8.2. Usage

Introduction

5.1. Prerequisite Reading

5.2. Background

5.3. Configuring the Samba Domain Controller

5.4. Creating Machine Trust Accounts and Joining Clients to the -Domain

5.4.1. Manual Creation of Machine Trust Accounts

5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

5.4.3. Joining the Client to the Domain

5.5. Common Problems and Errors

5.6. System Policies and Profiles

5.7. What other help can I get?

5.8. Domain Control for Windows 9x/ME

5.8.1. Configuration Instructions: Network Logons

5.8.2. Configuration Instructions: Setting up Roaming User Profiles

5.8.2.1. Windows NT Configuration

5.8.2.2. Windows 9X Configuration

5.8.2.3. Win9X and WinNT Configuration

5.8.2.4. Windows 9X Profile Setup

5.8.2.5. Windows NT Workstation 4.0

5.8.2.6. Windows NT Server

5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

6.1. Prerequisite Reading

`1.5. Test your config file with +NAME="AEN50" +>1.2.1.1. Test your config file with testparm`

`1.2.2. SWAT`

`1.6. Starting the smbd and nmbd`

`1.6.1. Starting from inetd.conf`

`1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... client`

`1.6. What If Things Don't Work?`

`1.7. Try listing the shares available on your - server`

`3.5. TDB`

`3.7.3. Configuring`

`5.6. System Policies and Profiles`

`Chapter 9. Integrating MS Windows networks with Samba`

`9.1. Agenda`

`Chapter 9. Integrating MS Windows networks with Samba`

`9.1. Agenda`

`9.2. Name Resolution in a pure Unix/Linux world`

9.2.1. `/etc/hosts`

9.2.2. `/etc/resolv.conf`

9.2.3. `/etc/host.conf`

`9.2.4. /etc/nsswitch.conf`

`9.3. Name resolution as used within MS Windows networking`

`9.3.3. HOSTS file`

`9.3.4. DNS Lookup`

`9.4. How browsing functions and how to deploy stable and -dependable browsing using Samba`

`9.5. MS Windows security options and how to configure -Samba for seemless integration`

`9.5.1. Use MS Windows NT as an authentication server`

`9.5.3.2. MS Windows NT Machine Accounts`

`11.3. PAM Configuration in smb.conf`