From 57d93d21f345ef5892b33a7a7370762373b9421f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 21 Jun 2001 14:27:41 +0000 Subject: merge from 2.2 (This used to be commit 5932471a03e74ef7fcc71e22dbb52c530332a713) --- docs/htmldocs/Samba-HOWTO-Collection.html | 2075 +++++++++++++++++++++++------ 1 file changed, 1653 insertions(+), 422 deletions(-) (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html') diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index acfb1a7a3c..c7393bc71b 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -181,76 +181,215 @@ HREF="#AEN209" >
2. LanMan and NT Password Encryption in Samba 2.xIntegrating MS Windows networks with Samba
2.1. IntroductionAgenda
2.2. How does it work?Name Resolution in a pure Unix/Linux world
2.2.1. /etc/hosts
2.2.2. /etc/resolv.conf
2.2.3. /etc/host.conf
2.2.4. /etc/nsswitch.conf
2.3. Important Notes About SecurityName resolution as used within MS Windows networking
2.3.1. Advantages of SMB EncryptionThe NetBIOS Name Cache
2.3.2. Advantages of non-encrypted passwordsThe LMHOSTS file
2.3.3. HOSTS file
2.3.4. DNS Lookup
2.3.5. WINS Lookup
2.4. How browsing functions and how to deploy stable and +dependable browsing using Samba
2.5. MS Windows security options and how to configure +Samba for seemless integration
2.5.1. Use MS Windows NT as an authentication server
2.5.2. Make Samba a member of an MS Windows NT security domain
2.5.3. Configure Samba as an authentication server
2.5.3.1. Users
2.5.3.2. MS Windows NT Machine Accounts
2.6. Configuration of Samba as ...
3. LanMan and NT Password Encryption in Samba 2.x
3.1. Introduction
3.2. How does it work?
3.3. Important Notes About Security
3.3.1. Advantages of SMB Encryption
3.3.2. Advantages of non-encrypted passwords
3.4. The smbpasswd file
2.5. 3.5. The smbpasswd Command
2.6. 3.6. Setting up Samba to support LanManager Encryption
3. 4. Hosting a Microsoft Distributed File System tree on Samba
3.1. 4.1. Instructions
3.1.1. 4.1.1. Notes
4. 5. Printing Support in Samba 2.2.x
4.1. 5.1. Introduction
4.2. 5.2. Configuration
4.2.1. 5.2.1. Creating [print$]
4.2.2. 5.2.2. Setting Drivers for Existing Printers
4.2.3. 5.2.3. Support a large number of printers
4.2.4. 5.2.4. Adding New Printers via the Windows NT APW
4.2.5. 5.2.5. Samba and Printer Ports
4.3. 5.3. The Imprints Toolset
4.3.1. 5.3.1. What is Imprints?
4.3.2. 5.3.2. Creating Printer Driver Packages
4.3.3. 5.3.3. The Imprints server
4.3.4. 5.3.4. The Installation Client
4.4. 5.4.
5. 6. security = domain in Samba 2.x
5.1. 6.1. Joining an NT Domain with Samba 2.2
5.2. 6.2. Samba and Windows 2000 Domains
5.3. 6.3. Why is this better than security = server?
6. 7. How to Configure Samba 2.2 as a Primary Domain Controller
6.1. 7.1. Prerequisite Reading
6.2. 7.2. Background
6.3. 7.3. Configuring the Samba Domain Controller
6.4. 7.4. Creating Machine Trust Accounts and Joining Clients to the Domain
6.4.1. 7.4.1. Manually creating machine trust accounts
6.4.2. 7.4.2. Creating machine trust accounts "on the fly"
6.5. 7.5. Common Problems and Errors
6.6. 7.6. System Policies and Profiles
6.7. 7.7. What other help can I get ?
6.8. 7.8. Domain Control for Windows 9x/ME
6.8.1. 7.8.1. Configuration Instructions: Network Logons
6.8.2. 7.8.2. Configuration Instructions: Setting up Roaming User Profiles
6.8.2.1. 7.8.2.1. Windows NT Configuration
6.8.2.2. 7.8.2.2. Windows 9X Configuration
6.8.2.3. 7.8.2.3. Win9X and WinNT Configuration
6.8.2.4. 7.8.2.4. Windows 9X Profile Setup
6.8.2.5. 7.8.2.5. Windows NT Workstation 4.0
6.8.2.6. 7.8.2.6. Windows NT Server
6.8.2.7. 7.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0
6.9. 7.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
7. 8. Unifed Logons between Windows NT and UNIX using Winbind
7.1. 8.1. Abstract
7.2. 8.2. Introduction
7.3. 8.3. What Winbind Provides
7.3.1. 8.3.1. Target Uses
7.4. 8.4. How Winbind Works
7.4.1. 8.4.1. Microsoft Remote Procedure Calls
7.4.2. 8.4.2. Name Service Switch
7.4.3. 8.4.3. Pluggable Authentication Modules
7.4.4. 8.4.4. User and Group ID Allocation
7.4.5. 8.4.5. Result Caching
7.5. 8.5. Installation and Configuration
7.6. 8.6. Limitations
7.7. 8.7. Conclusion
8. 9. UNIX Permission Bits and WIndows NT Access Control Lists
8.1. 9.1. Viewing and changing UNIX permissions using the NT security dialogs
8.2. 9.2. How to view file security on a Samba share
8.3. 9.3. Viewing file ownership
8.4. 9.4. Viewing file or directory permissions
8.4.1. 9.4.1. File Permissions
8.4.2. 9.4.2. Directory Permissions
8.5. 9.5. Modifying file or directory permissions
8.6. 9.6. Interaction with the standard Samba create mask parameters
8.7. 9.7. Interaction with the standard Samba file attribute mapping
9. 10. OS2 Client HOWTO
9.1. 10.1. FAQs
9.1.1. 10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
9.1.2. 10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
9.1.3. 10.1.3. Are there any other issues when OS/2 (any version) is used as a client?
9.1.4. 10.1.4. How do I get printer driver download working for OS/2 clients?
10. 11. HOWTO Access Samba source code via CVS
10.1. 11.1. Introduction
10.2. 11.2. CVS Access to samba.org
10.2.1. 11.2.1. Access via CVSweb
10.2.2. 11.2.2. Access via cvs

1.10.4. Printing from UNIX to a Client PC

To use a printer that is available via a smb-based + server from a unix host you will need to compile the + smbclient program. You then need to install the script + "smbprint". Read the instruction in smbprint for more details. +

There is also a SYSV style script that does much + the same thing called smbprint.sysv. It contains instructions.

1.10.5. Locking

One area which sometimes causes trouble is locking.

There are two types of locking which need to be + performed by a SMB server. The first is "record locking" + which allows a client to lock a range of bytes in a open file. + The second is the "deny modes" that are specified when a file + is open.

Samba supports "record locking" using the fcntl() unix system + call. This is often implemented using rpc calls to a rpc.lockd process + running on the system that owns the filesystem. Unfortunately many + rpc.lockd implementations are very buggy, particularly when made to + talk to versions from other vendors. It is not uncommon for the + rpc.lockd to crash.

There is also a problem translating the 32 bit lock + requests generated by PC clients to 31 bit requests supported + by most unixes. Unfortunately many PC applications (typically + OLE2 applications) use byte ranges with the top bit set + as semaphore sets. Samba attempts translation to support + these types of applications, and the translation has proved + to be quite successful.

Strictly a SMB server should check for locks before + every read and write call on a file. Unfortunately with the + way fcntl() works this can be slow and may overstress the + rpc.lockd. It is also almost always unnecessary as clients + are supposed to independently make locking calls before reads + and writes anyway if locking is important to them. By default + Samba only makes locking calls when explicitly asked + to by a client, but if you set "strict locking = yes" then it will + make lock checking calls on every read and write.

You can also disable by range locking completely + using "locking = no". This is useful for those shares that + don't support locking or don't need it (such as cdroms). In + this case Samba fakes the return codes of locking calls to + tell clients that everything is OK.

The second class of locking is the "deny modes". These + are set by an application when it opens a file to determine + what types of access should be allowed simultaneously with + its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE + or DENY_ALL. There are also special compatability modes called + DENY_FCB and DENY_DOS.

You can disable share modes using "share modes = no". + This may be useful on a heavily loaded server as the share + modes code is very slow. See also the FAST_SHARE_MODES + option in the Makefile for a way to do full share modes + very fast using shared memory (if your OS supports it).

1.10.6. Mapping Usernames

If you have different usernames on the PCs and + the unix server then take a look at the "username map" option. + See the smb.conf man page for details.

1.10.7. Other Character Sets

If you have problems using filenames with accented + characters in them (like the German, French or Scandinavian + character sets) then I recommmend you look at the "valid chars" + option in smb.conf and also take a look at the validchars + package in the examples directory.

Chapter 2. Integrating MS Windows networks with Samba

2.1. Agenda

To identify the key functional mechanisms of MS Windows networking +to enable the deployment of Samba as a means of extending and/or +replacing MS Windows NT/2000 technology.

We will examine:

  1. Name resolution in a pure Unix/Linux TCP/IP + environment +

  2. Name resolution as used within MS Windows + networking +

  3. How browsing functions and how to deploy stable + and dependable browsing using Samba +

  4. MS Windows security options and how to + configure Samba for seemless integration +

  5. Configuration of Samba as:

    1. A stand-alone server

    2. An MS Windows NT 3.x/4.0 security domain member +

    3. An alternative to an MS Windows NT 3.x/4.0 Domain Controller +

2.2. Name Resolution in a pure Unix/Linux world

The key configuration files :

2.2.1. /etc/hosts

Contains a static list of IP Addresses and names. +eg:

	127.0.0.1	localhost localhost.localdomain
+	192.168.1.1	bigbox.caldera.com	bigbox	alias4box

The purpose of /etc/hosts is to provide a +name resolution mechanism so that uses do not need to remember +IP addresses.

Network packets that are sent over the physical network transport +layer communicate not via IP addresses but rather using the Media +Access Control address, or MAC address. IP Addresses are currently +32 bits in length and are typically presented as four (4) decimal +numbers that are separated by a dot (or period). eg: 168.192.1.1

MAC Addresses use 48 bits (or 6 bytes) and are typically represented +as two digit hexadecimal numbers separated by colons. eg: +40:8e:0a:12:34:56

Every network interfrace must have an MAC address. Associated with +a MAC address there may be one or more IP addresses. There is NO +relationship between an IP address and a MAC address, all such assignments +are arbitary or discretionary in nature. At the most basic level all +network communications takes place using MAC addressing. Since MAC +addresses must be globally unique, and generally remains fixed for +any particular interface, the assignment of an IP address makes sense +from a network management perspective. More than one IP address can +be assigned per MAC address. One address must be the primary IP address, +this is the address that will be returned in the ARP reply.

When a user or a process wants to communicate with another machine +the protocol implementation ensures that the "machine name" or "host +name" is resolved to an IP address in a manner that is controlled +by the TCP/IP configuration control files. The file +/etc/hosts is one such file.

When the IP address of the destination interface has been +determined a protocol called ARP/RARP isused to identify +the MAC address of the target interface. ARP stands for Address +Resolution Protocol, and is a broadcast oriented method that +uses UDP (User Datagram Protocol) to send a request to all +interfaces on the local network segment using the all 1's MAC +address. Network interfaces are programmed to respond to two +MAC addresses only; their own unique address and the address +ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will +contain the MAC address and the primary IP address for each +interface.

The /etc/hosts file is foundational to all +Unix/Linux TCP/IP installations and as a minumum will contain +the localhost and local network interface IP addresses and the +primary names by which they are known within the local machine. +This file helps to prime the pump so that a basic level of name +resolution can exist before any other method of name resolution +becomes available.

2.2.2. /etc/resolv.conf

This file tells the name resolution libraries:

  • The name of the domain to which the machine + belongs +

  • The name(s) of any domains that should be + automatically searched when trying to resolve unqualified + host names to their IP address +

  • The name or IP address of available Domain + Name Servers that may be asked to perform name to address + translation lookups +

2.2.3. /etc/host.conf

/etc/host.conf is the primary means by +which the setting in /etc/resolv.conf may be affected. It is a +critical configuration file. This file controls the order by +which name resolution may procede. The typical structure is:

	order hosts,bind
+	multi on

then both addresses should be returned. Please refer to the +man page for host.conf for further details.

2.2.4. /etc/nsswitch.conf

This file controls the actual name resolution targets. The +file typically has resolver object specifications as follows:

	# /etc/nsswitch.conf
+	#
+	# Name Service Switch configuration file.
+	#
+
+	passwd:		compat
+	# Alternative entries for password authentication are:
+	# passwd:	compat files nis ldap winbind
+	shadow:		compat
+	group:		compat
+
+	hosts:		files nis dns
+	# Alternative entries for host name resolution are:
+	# hosts:	files dns nis nis+ hesoid db compat ldap wins
+	networks:	nis files dns
+
+	ethers:		nis files
+	protocols:	nis files
+	rpc:		nis files
+	services:	nis files

Of course, each of these mechanisms requires that the appropriate +facilities and/or services are correctly configured.

It should be noted that unless a network request/message must be +sent, TCP/IP networks are silent. All TCP/IP communications assumes a +principal of speaking only when necessary.

Samba version 2.2.0 will add Linux support for extensions to +the name service switch infrastructure so that linux clients will +be able to obtain resolution of MS Windows NetBIOS names to IP +Addresses. To gain this functionality Samba needs to be compiled +with appropriate arguments to the make command (ie: make +nsswitch/libnss_wins.so). The resulting library should +then be installed in the /lib directory and +the "wins" parameter needs to be added to the "hosts:" line in +the /etc/nsswitch.conf file. At this point it +will be possible to ping any MS Windows machine by it's NetBIOS +machine name, so long as that machine is within the workgroup to +which both the samba machine and the MS Windows machine belong.

2.3. Name resolution as used within MS Windows networking

MS Windows networking is predicated about the name each machine +is given. This name is known variously (and inconsistently) as +the "computer name", "machine name", "networking name", "netbios name", +"SMB name". All terms mean the same thing with the exception of +"netbios name" which can apply also to the name of the workgroup or the +domain name. The terms "workgroup" and "domain" are really just a +simply name with which the machine is associated. All NetBIOS names +are exactly 16 characters in length. The 16th character is reserved. +It is used to store a one byte value that indicates service level +information for the NetBIOS name that is registered. A NetBIOS machine +name is therefore registered for each service type that is provided by +the client/server.

The following are typical NetBIOS name/service type registrations:

	Unique NetBIOS Names:
+		MACHINENAME<00>	= Server Service is running on MACHINENAME
+		MACHINENAME<03> = Generic Machine Name (NetBIOS name)
+		MACHINENAME<20> = LanMan Server service is running on MACHINENAME
+		WORKGROUP<1b> = Domain Master Browser
+
+	Group Names:
+		WORKGROUP<03> = Generic Name registered by all members of WORKGROUP
+		WORKGROUP<1c> = Domain Controllers / Netlogon Servers
+		WORKGROUP<1d> = Local Master Browsers
+		WORKGROUP<1e> = Internet Name Resolvers

It should be noted that all NetBIOS machines register their own +names as per the above. This is in vast contrast to TCP/IP +installations where traditionally the system administrator will +determine in the /etc/hosts or in the DNS database what names +are associated with each IP address.

One further point of clarification should be noted, the /etc/hosts +file and the DNS records do not provide the NetBIOS name type information +that MS Windows clients depend on to locate the type of service that may +be needed. An example of this is what happens when an MS Windows client +wants to locate a domain logon server. It find this service and the IP +address of a server that provides it by performing a lookup (via a +NetBIOS broadcast) for enumeration of all machines that have +registered the name type *<1c>. A logon request is then sent to each +IP address that is returned in the enumerated list of IP addresses. Which +ever machine first replies then ends up providing the logon services.

The name "workgroup" or "domain" really can be confusing since these +have the added significance of indicating what is the security +architecture of the MS Windows network. The term "workgroup" indicates +that the primary nature of the network environment is that of a +peer-to-peer design. In a WORKGROUP all machines are responsible for +their own security, and generally such security is limited to use of +just a password (known as SHARE MORE security). In most situations +with peer-to-peer networking the users who control their own machines +will simply opt to have no security at all. It is possible to have +USER MODE security in a WORKGROUP environment, thus requiring use +of a user name and a matching password.

MS Windows networking is thus predetermined to use machine names +for all local and remote machine message passing. The protocol used is +called Server Message Block (SMB) and this is implemented using +the NetBIOS protocol (Network Basic Input Output System). NetBIOS can +be encapsulated using LLC (Logical Link Control) protocol - in which case +the resulting protocol is called NetBEUI (Network Basic Extended User +Interface). NetBIOS can also be run over IPX (Internetworking Packet +Exchange) protocol as used by Novell NetWare, and it can be run +over TCP/IP protocols - in which case the resulting protocol is called +NBT or NetBT, the NetBIOS over TCP/IP.

MS Windows machines use a complex array of name resolution mechanisms. +Since we are primarily concerned with TCP/IP this demonstration is +limited to this area.

2.3.1. The NetBIOS Name Cache

All MS Windows machines employ an in memory buffer in which is +stored the NetBIOS names and their IP addresses for all external +machines that that the local machine has communicated with over the +past 10-15 minutes. It is more efficient to obtain an IP address +for a machine from the local cache than it is to go through all the +configured name resolution mechanisms.

If a machine whose name is in the local name cache has been shut +down before the name had been expired and flushed from the cache, then +an attempt to exchange a message with that machine will be subject +to time-out delays. ie: It's name is in the cache, so a name resolution +lookup will succeed, but the machine can not respond. This can be +frustrating for users - but it is a characteristic of the protocol.

The MS Windows utility that allows examination of the NetBIOS +name cache is called "nbtstat". The Samba equivalent of this +is called "nmblookup".

2.3.2. The LMHOSTS file

This file is usually located in MS Windows NT 4.0 or +2000 in C:\WINNT\SYSTEM32\DRIVERS\ETC and contains +the IP Address and the machine name in matched pairs. The +LMHOSTS file performs NetBIOS name +to IP address mapping oriented.

It typically looks like:

	# Copyright (c) 1998 Microsoft Corp.
+	#
+	# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
+	# over TCP/IP) stack for Windows98
+	#
+	# This file contains the mappings of IP addresses to NT computernames
+	# (NetBIOS) names.  Each entry should be kept on an individual line.
+	# The IP address should be placed in the first column followed by the
+	# corresponding computername. The address and the comptername
+	# should be separated by at least one space or tab. The "#" character
+	# is generally used to denote the start of a comment (see the exceptions
+	# below).
+	#
+	# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
+	# files and offers the following extensions:
+	#
+	#      #PRE
+	#      #DOM:<domain>
+	#      #INCLUDE <filename>
+	#      #BEGIN_ALTERNATE
+	#      #END_ALTERNATE
+	#      \0xnn (non-printing character support)
+	#
+	# Following any entry in the file with the characters "#PRE" will cause
+	# the entry to be preloaded into the name cache. By default, entries are
+	# not preloaded, but are parsed only after dynamic name resolution fails.
+	#
+	# Following an entry with the "#DOM:<domain>" tag will associate the
+	# entry with the domain specified by <domain>. This affects how the
+	# browser and logon services behave in TCP/IP environments. To preload
+	# the host name associated with #DOM entry, it is necessary to also add a
+	# #PRE to the line. The <domain> is always preloaded although it will not
+	# be shown when the name cache is viewed.
+	#
+	# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
+	# software to seek the specified <filename> and parse it as if it were
+	# local. <filename> is generally a UNC-based name, allowing a
+	# centralized lmhosts file to be maintained on a server.
+	# It is ALWAYS necessary to provide a mapping for the IP address of the
+	# server prior to the #INCLUDE. This mapping must use the #PRE directive.
+	# In addtion the share "public" in the example below must be in the
+	# LanManServer list of "NullSessionShares" in order for client machines to
+	# be able to read the lmhosts file successfully. This key is under
+	# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
+	# in the registry. Simply add "public" to the list found there.
+	#
+	# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
+	# statements to be grouped together. Any single successful include
+	# will cause the group to succeed.
+	#
+	# Finally, non-printing characters can be embedded in mappings by
+	# first surrounding the NetBIOS name in quotations, then using the
+	# \0xnn notation to specify a hex value for a non-printing character.
+	#
+	# The following example illustrates all of these extensions:
+	#
+	# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
+	# 102.54.94.102    "appname  \0x14"                    #special app server
+	# 102.54.94.123    popular            #PRE             #source server
+	# 102.54.94.117    localsrv           #PRE             #needed for the include
+	#
+	# #BEGIN_ALTERNATE
+	# #INCLUDE \\localsrv\public\lmhosts
+	# #INCLUDE \\rhino\public\lmhosts
+	# #END_ALTERNATE
+	#
+	# In the above example, the "appname" server contains a special
+	# character in its name, the "popular" and "localsrv" server names are
+	# preloaded, and the "rhino" server name is specified so it can be used
+	# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
+	# system is unavailable.
+	#
+	# Note that the whole file is parsed including comments on each lookup,
+	# so keeping the number of comments to a minimum will improve performance.
+	# Therefore it is not advisable to simply add lmhosts file entries onto the
+	# end of this file.

2.3.3. HOSTS file

This file is usually located in MS Windows NT 4.0 or 2000 in +C:\WINNT\SYSTEM32\DRIVERS\ETC and contains +the IP Address and the IP hostname in matched pairs. It can be +used by the name resolution infrastructure in MS Windows, depending +on how the TCP/IP environment is configured. This file is in +every way the equivalent of the Unix/Linux /etc/hosts file.

2.3.4. DNS Lookup

This capability is configured in the TCP/IP setup area in the network +configuration facility. If enabled an elaborate name resolution sequence +is followed the precise nature of which isdependant on what the NetBIOS +Node Type parameter is configured to. A Node Type of 0 means use +NetBIOS broadcast (over UDP broadcast) is first used if the name +that is the subject of a name lookup is not found in the NetBIOS name +cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to +Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the +WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast +lookup is used.

2.3.5. WINS Lookup

Refer to above details for section DNS Lookups. A +WINS (Windows Internet Name Server) service is the equivaent of the +rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores +the names and IP addresses that are registered by a Windows client +if the TCP/IP setup has been given at least one WINS Server IP Address.

To configure Samba to be a WINS server the following parameter needs +to be added to the smb.conf file:

	wins support = Yes

To configure Samba to use a WINS server the following parameters are +needed in the smb.conf file:

	wins support = No
+	wins server = xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address +of the WINS server.

2.4. How browsing functions and how to deploy stable and +dependable browsing using Samba

As stated above, MS Windows machines register their NetBIOS names +(ie: the machine name for each service type in operation) on start +up. Also, as stated above, the exact method by which this name registration +takes place is determined by whether or not the MS Windows client/server +has been given a WINS server address, whether or not LMHOSTS lookup +is enabled, or if DNS for NetBIOS name resolution is enabled, etc.

In the case where there is no WINS server all name registrations as +well as name lookups are done by UDP broadcast. This isolates name +resolution to the local subnet, unless LMHOSTS is used to list all +names and IP addresses. In such situations Samba provides a means by +which the samba server name may be forcibly injected into the browse +list of a remote MS Windows network (using the "remote announce" parameter).

Where a WINS server is used, the MS Windows client will use UDP +unicast to register with the WINS server. Such packets can be routed +and thus WINS allows name resolution to function across routed networks.

During the startup process an election will take place to create a +local master browser if one does not already exist. On each NetBIOS network +one machine will be elected to function as the domain master browser. This +domain browsing has nothing to do with MS security domain control. +Instead, the domain master browser serves the role of contacting each local +master browser (found by asking WINS or from LMHOSTS) and exchanging browse +list contents. This way every master browser will eventually obtain a complete +list of all machines that are on the network. Every 11-15 minutes an election +is held to determine which machine will be the master browser. By nature of +the election criteria used, the machine with the highest uptime, or the +most senior protocol version, or other criteria, will win the election +as domain master browser.

Clients wishing to browse the network make use of this list, but also depend +on the availability of correct name resolution to the respective IP +address/addresses.

Any configuration that breaks name resolution and/or browsing intrinsics +will annoy users because they will have to put up with protracted +inability to use the network services.

Samba supports a feature that allows forced synchonisation +of browse lists across routed networks using the "remote +browse sync" parameter in the smb.conf file. This causes Samba +to contact the local master browser on a remote network and +to request browse list synchronisation. This effectively bridges +two networks that are separated by routers. The two remote +networks may use either broadcast based name resolution or WINS +based name resolution, but it should be noted that the "remote +browse sync" parameter provides browse list synchronisation - and +that is distinct from name to address resolution, in other +words, for cross subnet browsing to function correctly it is +essential that a name to address resolution mechanism be provided. +This mechanism could be via DNS, /etc/hosts, +and so on.

2.5. MS Windows security options and how to configure +Samba for seemless integration

MS Windows clients may use encrypted passwords alone, or encrypted +as well as plain text passwords in the authentication process. It +should be realized that with the SMB protocol the password is passed +over the network either in plain text or encrypted. When encrypted +passwords are used a password that has been entered by the user is +encrypted in two ways:

  • The case preserved password is encrypted + using an MD5/DES one way hash +

  • The case is converted to upper case and then + encrypted using an MD5/DES one way hash

Both of these enrypted passwords are sent over the network +in the one authentication datagram.

MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x +and version 4.0 pre-service pack 3 will use either mode of +password authentication. All versions of MS Windows that follow +these versions no longer support plain text passwords by default.

MS Windows clients have a habit of dropping network mappings that +have been idle for 10 minutes or longer. When the user attempts to +use the mapped drive connection that has been dropped the SMB protocol +has a mechanism by which the connection can be re-established using +a cached copy of the password.

When Microsoft changed the default password mode, they dropped support for +caching of the plain text password. This means that when the registry +parameter is changed to re-enable use of plain text passwords it appears to +work, but when a dropped mapping attempts to revalidate it will fail if +the remote authentication server does not support encrypted passwords. +This means that it is definitely not a good idea to re-enable plain text +password support in such clients.

It is recommended that the following parameters be added to the +smb.conf file:

See the smb.conf(5) manual page for more details.

	passsword level = 8
+	username level = 8

Note: To support print queue reporting you may find - that you have to use TCP/IP as the default protocol under - WfWg. For some reason if you leave Netbeui as the default - it may break the print queue reporting on some systems. - It is presumably a WfWg bug.

these configuration parameters will compensate for the fact that +in some circumstances MS Windows and MS DOS clients may twiddle the +password that has been supplied by the user by converting characters to +upper case. The above entries will try every combination of upper and +lower case for the first 8 characters. Please refer to the man page +for smb.conf for more information on use of these parameters.

The best option to adopt is to enable support for encrypted passwords +where ever Samba is used. There are three configuration possibilities +for support of encrypted passwords:

1.10.4. Printing from UNIX to a Client PC2.5.1. Use MS Windows NT as an authentication server

To use a printer that is available via a smb-based - server from a unix host you will need to compile the - smbclient program. You then need to install the script - "smbprint". Read the instruction in smbprint for more details. -

This method involves the additions of the following parameters +in the smb.conf file:

There is also a SYSV style script that does much - the same thing called smbprint.sysv. It contains instructions.

	encrypt passwords = Yes
+	security = server
+	password server = "NetBIOS_name_of_PDC"

There are two ways of identifying whether or not a username and +password pair was valid or not. One uses the reply information provided +as part of the authentication messaging process, the other uses +just and error code.

The down-side of this mode of configuration is the fact that +for security reasons Samba will send the password server a bogus +username and a bogus password and if the remote server fails to +reject the username and password pair then an alternative mode +of identification of validation is used. Where a site uses password +lock out after a certain number of failed authentication attempts +this will result in user lockouts.

Use of this mode of authentication does require there to be +a standard Unix account for the user, this account can be blocked +to prevent logons by other than MS Windows clients.

1.10.5. Locking2.5.2. Make Samba a member of an MS Windows NT security domain

One area which sometimes causes trouble is locking.

This method involves additon of the following paramters in the smb.conf file:

There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open.

	encrypt passwords = Yes
+	security = domain
+	workgroup = "name of NT domain"
+	password server = *

Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.

The use of the "*" argument to "password server" will cause samba +to locate the domain controller in a way analogous to the way +this is done within MS Windows NT.

There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.

In order for this method to work the Samba server needs to join the +MS Windows NT security domain. This is done as follows:

Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write.

  • You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK.

    On the MS Windows NT domain controller using + the Server Manager add a machine account for the Samba server. +

  • The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatability modes called - DENY_FCB and DENY_DOS.

    Next, on the Linux system execute: + smbpasswd -r PDC_NAME -j DOMAIN_NAME +

You can disable share modes using "share modes = no". - This may be useful on a heavily loaded server as the share - modes code is very slow. See also the FAST_SHARE_MODES - option in the Makefile for a way to do full share modes - very fast using shared memory (if your OS supports it).

Use of this mode of authentication does require there to be +a standard Unix account for the user, this account can be +blocked to prevent logons by other than MS Windows clients.

1.10.6. Mapping Usernames2.5.3. Configure Samba as an authentication server

If you have different usernames on the PCs and - the unix server then take a look at the "username map" option. - See the smb.conf man page for details.

This mode of authentication demands that there be on the +Unix/Linux system both a Unix style account as well as and +smbpasswd entry for the user. The Unix system account can be +locked if required as only the encrypted password will be +used for SMB client authentication.

This method involves addition of the following parameters to +the smb.conf file:

	encrypt passwords = Yes
+	security = user

in order for this method to work a Unix system account needs +to be created for each user, as well as for each MS Windows NT/2000 +machine. The following structure is required.

2.5.3.1. Users

A user account that may provide a home directory should be +created. The following Linux system commands are typical of +the procedure for creating an account.

	# useradd -s /bin/bash -d /home/"userid" -m
+	# passwd "userid"
+	  Enter Password: pass
+	  
+	# smbpasswd -a "userid"
+	  Enter Password: pass

1.10.7. Other Character Sets

2.5.3.2. MS Windows NT Machine Accounts

If you have problems using filenames with accented - characters in them (like the German, French or Scandinavian - character sets) then I recommmend you look at the "valid chars" - option in smb.conf and also take a look at the validchars - package in the examples directory.

These are required only when Samba is used as a domain +controller. Refer to the Samba-PDC-HOWTO for more details.

	# useradd -a /bin/false -d /dev/null "machine_name"\$
+	# passwd -l "machine_name"\$
+	# smbpasswd -a -m "machine_name"

2.6. Configuration of Samba as ...

  • A Stand-alone server - No special action is needed + other than to create user accounts. Stand-alone servers do NOT + provide network logon services, meaning that machines that use this + server do NOT perform a domain logon but instead make use only of + the MS Windows logon which is local to the MS Windows + workstation/server. +

  • An MS Windows NT 3.x/4.0 security domain member - + Refer to the previous section(s) above. +

  • An alternative to an MS Windows NT 3.x/4.0 + Domain Controller - In the smb.conf file the following parameters + should be added:

## please refer to the Samba PDC HOWTO chapter later in 
+## this collection for more details
+[global]
+	domain logons = Yes
+	; an OS level of 33 or more is recommended
+	os level = 33
+
+	[NETLOGON]
+		path = /somewhare/in/file/system
+		read only = yes
+		available = yes

Chapter 2. LanMan and NT Password Encryption in Samba 2.xChapter 3. LanMan and NT Password Encryption in Samba 2.x

2.1. Introduction3.1. Introduction

With the development of LanManager and Windows NT @@ -1560,8 +2791,8 @@ CLASS="SECT1" >

2.2. How does it work?3.2. How does it work?

LanManager encryption is somewhat similar to UNIX @@ -1625,8 +2856,8 @@ CLASS="SECT1" >

2.3. Important Notes About Security3.3. Important Notes About Security

The unix and SMB password encryption techniques seem similar @@ -1717,8 +2948,8 @@ CLASS="SECT2" >

2.3.1. Advantages of SMB Encryption3.3.1. Advantages of SMB Encryption

2.3.2. Advantages of non-encrypted passwords3.3.2. Advantages of non-encrypted passwords

2.4. 3.4. The smbpasswd file

2.5. The smbpasswd Command3.5. The smbpasswd Command

The smbpasswd command maintains the two 32 byte password fields @@ -2134,8 +3365,8 @@ CLASS="SECT1" >

2.6. Setting up Samba to support LanManager Encryption3.6. Setting up Samba to support LanManager Encryption

This is a very brief description on how to setup samba to @@ -2181,16 +3412,16 @@ HREF="#SMBPASSWDFILEFORMAT" CLASS="CHAPTER" >

Chapter 3. Hosting a Microsoft Distributed File System tree on SambaChapter 4. Hosting a Microsoft Distributed File System tree on Samba

3.1. Instructions4.1. Instructions

The Distributed File System (or Dfs) provides a means of @@ -2346,8 +3577,8 @@ CLASS="SECT2" >

3.1.1. Notes4.1.1. Notes

Chapter 4. Printing Support in Samba 2.2.xChapter 5. Printing Support in Samba 2.2.x

4.1. Introduction5.1. Introduction

Beginning with the 2.2.0 release, Samba supports @@ -2471,8 +3702,8 @@ CLASS="SECT1" >

4.2. Configuration5.2. Configuration

4.2.1. Creating [print$]5.2.1. Creating [print$]

In order to support the uploading of printer driver @@ -2733,8 +3964,8 @@ CLASS="SECT2" >

4.2.2. Setting Drivers for Existing Printers5.2.2. Setting Drivers for Existing Printers

The initial listing of printers in the Samba host's @@ -2805,8 +4036,8 @@ CLASS="SECT2" >

4.2.3. Support a large number of printers5.2.3. Support a large number of printers

One issue that has arisen during the development @@ -2880,8 +4111,8 @@ CLASS="SECT2" >

4.2.4. Adding New Printers via the Windows NT APW5.2.4. Adding New Printers via the Windows NT APW

By default, Samba offers all printer shares defined in

4.2.5. Samba and Printer Ports5.2.5. Samba and Printer Ports

Windows NT/2000 print servers associate a port with each printer. These normally @@ -3023,8 +4254,8 @@ CLASS="SECT1" >

4.3. The Imprints Toolset5.3. The Imprints Toolset

The Imprints tool set provides a UNIX equivalent of the @@ -3041,8 +4272,8 @@ CLASS="SECT2" >

4.3.1. What is Imprints?5.3.1. What is Imprints?

Imprints is a collection of tools for supporting the goals @@ -3073,8 +4304,8 @@ CLASS="SECT2" >

4.3.2. Creating Printer Driver Packages5.3.2. Creating Printer Driver Packages

The process of creating printer driver packages is beyond @@ -3089,8 +4320,8 @@ CLASS="SECT2" >

4.3.3. The Imprints server5.3.3. The Imprints server

The Imprints server is really a database server that @@ -3109,8 +4340,8 @@ CLASS="SECT2" >

4.3.4. The Installation Client5.3.4. The Installation Client

More information regarding the Imprints installation client @@ -3212,8 +4443,8 @@ CLASS="SECT1" >

4.4. 5.4. Migration to from Samba 2.0.x to 2.2.x

Chapter 5. security = domain in Samba 2.xChapter 6. security = domain in Samba 2.x

5.1. Joining an NT Domain with Samba 2.26.1. Joining an NT Domain with Samba 2.2

In order for a Samba-2 server to join an NT domain, @@ -3624,8 +4855,8 @@ CLASS="SECT1" >

5.2. Samba and Windows 2000 Domains6.2. Samba and Windows 2000 Domains

Many people have asked regarding the state of Samba's ability to participate in @@ -3649,8 +4880,8 @@ CLASS="SECT1" >

5.3. Why is this better than security = server?6.3. Why is this better than security = server?

Currently, domain security in Samba doesn't free you from @@ -3735,16 +4966,16 @@ TARGET="_top" CLASS="CHAPTER" >

Chapter 6. How to Configure Samba 2.2 as a Primary Domain ControllerChapter 7. How to Configure Samba 2.2 as a Primary Domain Controller

6.1. Prerequisite Reading7.1. Prerequisite Reading

Before you continue readingin this chapter, please make sure @@ -3771,8 +5002,8 @@ CLASS="SECT1" >

6.2. Background7.2. Background

6.3. Configuring the Samba Domain Controller7.3. Configuring the Samba Domain Controller

The first step in creating a working Samba PDC is to @@ -4150,8 +5381,8 @@ CLASS="SECT1" >

6.4. Creating Machine Trust Accounts and Joining Clients +NAME="AEN1079" +>7.4. Creating Machine Trust Accounts and Joining Clients to the Domain

6.4.1. Manually creating machine trust accounts7.4.1. Manually creating machine trust accounts

The first step in creating a machine trust account by hand is to @@ -4348,8 +5579,8 @@ CLASS="SECT2" >

6.4.2. Creating machine trust accounts "on the fly"7.4.2. Creating machine trust accounts "on the fly"

The second, and most recommended way of creating machine trust accounts @@ -4396,8 +5627,8 @@ CLASS="SECT1" >

6.5. Common Problems and Errors7.5. Common Problems and Errors

6.6. System Policies and Profiles7.6. System Policies and Profiles

Much of the information necessary to implement System Policies and @@ -4752,8 +5983,8 @@ CLASS="SECT1" >

6.7. What other help can I get ?7.7. What other help can I get ?

There are many sources of information available in the form @@ -5148,8 +6379,8 @@ CLASS="SECT1" >

6.8. Domain Control for Windows 9x/ME7.8. Domain Control for Windows 9x/ME

6.8.1. Configuration Instructions: Network Logons7.8.1. Configuration Instructions: Network Logons

To use domain logons and profiles you need to do the following:

6.8.2. Configuration Instructions: Setting up Roaming User Profiles7.8.2. Configuration Instructions: Setting up Roaming User Profiles

6.8.2.1. Windows NT Configuration7.8.2.1. Windows NT Configuration

To support WinNT clients, inn the [global] section of smb.conf set the @@ -5564,8 +6795,8 @@ CLASS="SECT3" >

6.8.2.2. Windows 9X Configuration7.8.2.2. Windows 9X Configuration

To support Win9X clients, you must use the "logon home" parameter. Samba has @@ -5604,8 +6835,8 @@ CLASS="SECT3" >

6.8.2.3. Win9X and WinNT Configuration7.8.2.3. Win9X and WinNT Configuration

You can support profiles for both Win9X and WinNT clients by setting both the @@ -5642,8 +6873,8 @@ CLASS="SECT3" >

6.8.2.4. Windows 9X Profile Setup7.8.2.4. Windows 9X Profile Setup

When a user first logs in on Windows 9X, the file user.DAT is created, @@ -5798,8 +7029,8 @@ CLASS="SECT3" >

6.8.2.5. Windows NT Workstation 4.07.8.2.5. Windows NT Workstation 4.0

When a user first logs in to a Windows NT Workstation, the profile @@ -5880,8 +7111,8 @@ CLASS="SECT3" >

6.8.2.6. Windows NT Server7.8.2.6. Windows NT Server

There is nothing to stop you specifying any path that you like for the @@ -5894,8 +7125,8 @@ CLASS="SECT3" >

6.8.2.7. Sharing Profiles between W95 and NT Workstation 4.07.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba7.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

Chapter 7. Unifed Logons between Windows NT and UNIX using WinbindChapter 8. Unifed Logons between Windows NT and UNIX using Winbind

7.1. Abstract8.1. Abstract

Integration of UNIX and Microsoft Windows NT through @@ -6110,8 +7341,8 @@ CLASS="SECT1" >

7.2. Introduction8.2. Introduction

It is well known that UNIX and Microsoft Windows NT have @@ -6164,8 +7395,8 @@ CLASS="SECT1" >

7.3. What Winbind Provides8.3. What Winbind Provides

Winbind unifies UNIX and Windows NT account management by @@ -6206,8 +7437,8 @@ CLASS="SECT2" >

7.3.1. Target Uses8.3.1. Target Uses

Winbind is targeted at organizations that have an @@ -6230,8 +7461,8 @@ CLASS="SECT1" >

7.4. How Winbind Works8.4. How Winbind Works

The winbind system is designed around a client/server @@ -6250,8 +7481,8 @@ CLASS="SECT2" >

7.4.1. Microsoft Remote Procedure Calls8.4.1. Microsoft Remote Procedure Calls

Over the last two years, efforts have been underway @@ -6276,8 +7507,8 @@ CLASS="SECT2" >

7.4.2. Name Service Switch8.4.2. Name Service Switch

The Name Service Switch, or NSS, is a feature that is @@ -6355,8 +7586,8 @@ CLASS="SECT2" >

7.4.3. Pluggable Authentication Modules8.4.3. Pluggable Authentication Modules

Pluggable Authentication Modules, also known as PAM, @@ -6404,8 +7635,8 @@ CLASS="SECT2" >

7.4.4. User and Group ID Allocation8.4.4. User and Group ID Allocation

When a user or group is created under Windows NT @@ -6430,8 +7661,8 @@ CLASS="SECT2" >

7.4.5. Result Caching8.4.5. Result Caching

An active system can generate a lot of user and group @@ -6453,8 +7684,8 @@ CLASS="SECT1" >

7.5. Installation and Configuration8.5. Installation and Configuration

The easiest way to install winbind is by using the packages @@ -6484,8 +7715,8 @@ CLASS="SECT1" >

7.6. Limitations8.6. Limitations

Winbind has a number of limitations in its current @@ -6532,8 +7763,8 @@ CLASS="SECT1" >

7.7. Conclusion8.7. Conclusion

The winbind system, through the use of the Name Service @@ -6548,16 +7779,16 @@ NAME="AEN1415" CLASS="CHAPTER" >

Chapter 8. UNIX Permission Bits and WIndows NT Access Control ListsChapter 9. UNIX Permission Bits and WIndows NT Access Control Lists

8.1. Viewing and changing UNIX permissions using the NT +NAME="AEN1638" +>9.1. Viewing and changing UNIX permissions using the NT security dialogs

8.2. How to view file security on a Samba share9.2. How to view file security on a Samba share

From an NT 4.0 client, single-click with the right @@ -6641,8 +7872,8 @@ CLASS="SECT1" >

8.3. Viewing file ownership9.3. Viewing file ownership

Clicking on the

8.4. Viewing file or directory permissions9.4. Viewing file or directory permissions

The third button is the

8.4.1. File Permissions9.4.1. File Permissions

The standard UNIX user/group/world triple and @@ -6851,8 +8082,8 @@ CLASS="SECT2" >

8.4.2. Directory Permissions9.4.2. Directory Permissions

Directories on an NT NTFS file system have two @@ -6883,8 +8114,8 @@ CLASS="SECT1" >

8.5. Modifying file or directory permissions9.5. Modifying file or directory permissions

Modifying file and directory permissions is as simple @@ -6981,8 +8212,8 @@ CLASS="SECT1" >

8.6. Interaction with the standard Samba create mask +NAME="AEN1736" +>9.6. Interaction with the standard Samba create mask parameters

8.7. Interaction with the standard Samba file attribute +NAME="AEN1800" +>9.7. Interaction with the standard Samba file attribute mapping

Chapter 9. OS2 Client HOWTOChapter 10. OS2 Client HOWTO

9.1. FAQs10.1. FAQs

9.1.1. How can I configure OS/2 Warp Connect or +NAME="AEN1823" +>10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

9.1.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN1838" +>10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?

9.1.3. Are there any other issues when OS/2 (any version) +NAME="AEN1847" +>10.1.3. Are there any other issues when OS/2 (any version) is used as a client?

9.1.4. How do I get printer driver download working +NAME="AEN1851" +>10.1.4. How do I get printer driver download working for OS/2 clients?

Chapter 10. HOWTO Access Samba source code via CVSChapter 11. HOWTO Access Samba source code via CVS

10.1. Introduction11.1. Introduction

Samba is developed in an open environnment. Developers use CVS @@ -7529,8 +8760,8 @@ CLASS="SECT1" >

10.2. CVS Access to samba.org11.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS @@ -7542,8 +8773,8 @@ CLASS="SECT2" >

10.2.1. Access via CVSweb11.2.1. Access via CVSweb

You can access the source code via your @@ -7563,8 +8794,8 @@ CLASS="SECT2" >

10.2.2. Access via cvs11.2.2. Access via cvs

You can also access the source code via a -- cgit