From e4840f0db911eaf3aee1195030c6efca70d78f14 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Dec 2001 07:37:58 +0000 Subject: merge from 2.2 (This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456) --- docs/htmldocs/Samba-HOWTO-Collection.html | 1285 ++++++++++++++++------------- 1 file changed, 707 insertions(+), 578 deletions(-) (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html') diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index c4e4b2c74b..db3c6598df 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -336,12 +336,12 @@ HREF="#AEN455" >
3.2. Distributed Authentication
3.3. PAM Configuration in smb.conf
4.1. Instructions
4.1.1. Notes
5.1. Viewing and changing UNIX permissions using the NT security dialogs
5.2. How to view file security on a Samba share
5.3. Viewing file ownership
5.4. Viewing file or directory permissions
5.4.1. File Permissions
5.4.2. Directory Permissions
5.5. Modifying file or directory permissions
5.6. Interaction with the standard Samba create mask parameters
5.7. Interaction with the standard Samba file attribute mapping
6.1. Introduction
6.2. Configuration
6.2.1. Creating [print$]
6.2.2. Setting Drivers for Existing Printers
6.2.3. Support a large number of printers
6.2.4. Adding New Printers via the Windows NT APW
6.2.5. Samba and Printer Ports
6.3. The Imprints Toolset
6.3.1. What is Imprints?
6.3.2. Creating Printer Driver Packages
6.3.3. The Imprints server
6.3.4. The Installation Client
6.4.
7.1. Joining an NT Domain with Samba 2.2
7.2. Samba and Windows 2000 Domains
7.3. Why is this better than security = server?
8.1. Prerequisite Reading
8.2. Background
8.3. Configuring the Samba Domain Controller
8.4. Creating Machine Trust Accounts and Joining Clients -to the DomainCreating Machine Trust Accounts and Joining Clients to the +Domain
8.4.1. Manually creating machine trust accountsManual Creation of Machine Trust Accounts
8.4.2. Creating machine trust accounts "on the fly""On-the-Fly" Creation of Machine Trust Accounts
8.4.3. Joining the Client to the Domain
8.5. Common Problems and Errors
8.6. System Policies and Profiles
8.7. What other help can I get ?What other help can I get?
8.8. Domain Control for Windows 9x/ME
8.8.1. Configuration Instructions: Network Logons
8.8.2. Configuration Instructions: Setting up Roaming User Profiles
8.8.2.1. Windows NT Configuration
8.8.2.2. Windows 9X Configuration
8.8.2.3. Win9X and WinNT Configuration
8.8.2.4. Windows 9X Profile Setup
8.8.2.5. Windows NT Workstation 4.0
8.8.2.6. Windows NT Server
8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0
8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
9.1. Abstract
9.2. Introduction
9.3. What Winbind Provides
9.3.1. Target Uses
9.4. How Winbind Works
9.4.1. Microsoft Remote Procedure Calls
9.4.2. Name Service Switch
9.4.3. Pluggable Authentication Modules
9.4.4. User and Group ID Allocation
9.4.5. Result Caching
9.5. Installation and Configuration
9.5.1. Introduction
9.5.2. Requirements
9.5.3. Testing Things Out
9.5.3.1. Configure and compile SAMBA
9.5.3.2. Configure nsswitch.conf and the winbind librariesConfigure nsswitch.conf and the +winbind libraries
9.5.3.3. Configure smb.conf
9.5.3.4. Join the SAMBA server to the PDC domain
9.5.3.5. Start up the winbindd daemon and test it!
9.5.3.6. Fix the /etc/rc.d/init.d/smb startup filesFix the /etc/rc.d/init.d/smb startup files
9.5.3.7. Configure Winbind and PAM
9.6. Limitations
9.7. Conclusion
10.1. FAQs
10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
10.1.3. Are there any other issues when OS/2 (any version) is used as a client?
10.1.4. How do I get printer driver download working for OS/2 clients?
11.1. Introduction
11.2. CVS Access to samba.org
11.2.1. Access via CVSweb
11.2.2. Access via cvs
Index
pam_smbpass.so module is provided by -Samba version 2.2.1 or later. It can be compiled only if the ---with-pam --with-pam_smbpass options are both -provided to the Samba configure program.

--with-pam_smbpass options when running Samba's +configure script. For more information +on the pam_smbpass module, see the documentation +in the source/pam_smbpass directory of the Samba +source distribution.

3.2. Distributed Authentication

3.3. PAM Configuration in smb.conf

4.1. Instructions

4.1.1. Notes

5.1. Viewing and changing UNIX permissions using the NT security dialogs

5.2. How to view file security on a Samba share

5.3. Viewing file ownership

5.4. Viewing file or directory permissions

5.4.1. File Permissions

5.4.2. Directory Permissions

5.5. Modifying file or directory permissions

5.6. Interaction with the standard Samba create mask parameters

5.7. Interaction with the standard Samba file attribute mapping

6.1. Introduction

6.2. Configuration

6.2.1. Creating [print$]

6.2.2. Setting Drivers for Existing Printers

6.2.3. Support a large number of printers

6.2.4. Adding New Printers via the Windows NT APW

6.2.5. Samba and Printer Ports

6.3. The Imprints Toolset

6.3.1. What is Imprints?

6.3.2. Creating Printer Driver Packages

6.3.3. The Imprints server

6.3.4. The Installation Client

6.4.

7.1. Joining an NT Domain with Samba 2.2

In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - NOT as a Primary or backup domain controller.

Assume you have a Samba-2 server with a NetBIOS name of +>Assume you have a Samba 2.x server with a NetBIOS name of SERV1smbpasswd -j DOM -r DOMPDC - Administrator%password

as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:

Administrator%password is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:

7.2. Samba and Windows 2000 Domains

7.3. Why is this better than security = server?

8.1. Prerequisite Reading

8.2. Background

Note: Author's Note :Author's Note: This document is a combination -of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. +of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". Both documents are superseded by this one.

Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary DOmain Controller (PDC). Beginning with -Samba 2.2.0, we are proud to announce official support for Windows NT 4.0 -style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through -SP1) clients. This article outlines the steps necessary for configuring Samba -as a PDC. It is necessary to have a working Samba server prior to implementing the -PDC functionality. If you have not followed the steps outlined in -Versions of Samba prior to release 2.2 had marginal capabilities to act +as a Windows NT 4.0 Primary Domain Controller + +(PDC). With Samba 2.2.0, we are proud to announce official support for +Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows +2000 clients. This article outlines the steps +necessary for configuring Samba as a PDC. It is necessary to have a +working Samba server prior to implementing the PDC functionality. If +you have not followed the steps outlined in UNIX_INSTALL.html, please make sure -that your server is configured correctly before proceeding. Another good -resource in the , please make sure +that your server is configured correctly before proceeding. Another +good resource in the smb.conf(5) man +>smb.conf(5) man page. The following functionality should work in 2.2:

. The following functionality should work in 2.2:

  • Windows NT 4.0 style system policies +> Windows NT 4.0-style system policies

Windows 2000 Service Pack 2 Clients

Samba 2.2.1 is required for PDC functionality when using Windows 2000 - SP2 clients. -

The following pieces of functionality are not included in the 2.2 release:

Please note that Windows 9x clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x style domain logons is completely different +support Windows 9x-style domain logons is completely different from NT4 domain logons and has been officially supported for some time.

8.3. Configuring the Samba Domain Controller

. For convenience, the parameters have been linked with the actual smb.conf description.

Here is an example smb.conf for acting as a PDC:

Here is an example smb.conf for acting as a PDC:

path = /usr/local/samba/lib/netlogon writeable = no +>read only = yes path = /export/smb/ntprofile writeable = yes +>read only = no

As Samba 2.2 does not offer a complete implementation of group mapping between -Windows NT groups and UNIX groups (this is really quite complicated to explain -in a short space), you should refer to the As Samba 2.2 does not offer a complete implementation of group mapping +between Windows NT groups and Unix groups (this is really quite +complicated to explain in a short space), you should refer to the +domain -admin group smb.conf parameter for information of creating "Domain Admins" -style accounts.

domain admin +group smb.conf parameter for information of creating "Domain +Admins" style accounts.

8.4. Creating Machine Trust Accounts and Joining Clients -to the Domain8.4. Creating Machine Trust Accounts and Joining Clients to the +Domain

A machine trust account is a samba user account owned by a computer. -The account password acts as the shared secret for secure -communication with the Domain Controller. This is a security feature -to prevent an unauthorized machine with the same NetBIOS name from -joining the domain and gaining access to domain user/group accounts. -Hence a Windows 9x host is never a true member of a domain because it does -not posses a machine trust account, and thus has no shared secret with the DC.

A machine trust account is a Samba account that is used to +authenticate a client machine (rather than a user) to the Samba +server. In Windows terminology, this is known as a "Computer +Account."

The password of a machine trust account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT and 2000 clients use machine trust accounts, but +Windows 9x clients do not. Hence, a Windows 9x client is never a true +member of a domain because it does not possess a machine trust +account, and thus has no shared secret with the domain controller.

A Windows PDC stores each machine trust account in the Windows +Registry. A Samba PDC, however, stores each machine trust account +in two parts, as follows: + +

  • On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in the same location -as user LanMan and NT password hashes (currently A Samba account, stored in the same location as user + LanMan and NT password hashes (currently + smbpasswd). -However, machine trust accounts only possess and use the NT password hash.

    ). The Samba account + possesses and uses only the NT password hash.

  • Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -must have an entry in A corresponding Unix account, typically stored in + /etc/passwd and smbpasswd. -Future releases will alleviate the need to create -. (Future releases will alleviate the need to + create /etc/passwd entries.

    entries.)

There are two means of creating machine trust accounts.

There are two ways to create machine trust accounts:

  • Manual creation before joining the client to the domain. In this case, - the password is set to a known value -- the lower case of the - machine's NetBIOS name. -

    Manual creation. Both the Samba and corresponding + Unix account are created by hand.

  • Creation of the account at the time of joining the domain. In - this case, the session key of the administrative account used to join - the client to the domain acts as an encryption key for setting the - password to a random value (This is the recommended method). -

    "On-the-fly" creation. The Samba machine trust + account is automatically created by Samba at the time the client + is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be + created automatically or manually.

8.4.1. Manually creating machine trust accounts8.4.1. Manual Creation of Machine Trust Accounts

The first step in creating a machine trust account by hand is to -create an entry for the machine in /etc/passwd. This can be done -using The first step in manually creating a machine trust account is to +manually create the corresponding Unix account in +/etc/passwd. This can be done using +vipw or any 'add userr' command which is normally -used to create new UNIX accounts. The following is an example for a Linux -based Samba server:

or other 'add user' command that is normally +used to create new Unix accounts. The following is an example for a +Linux based Samba server:

root# /usr/sbin/useradd -g 100 -d /dev/null -c machine_name$

$

root# passwd -l machine_name$

$

The /etc/passwd entry will list the machine name -with a $ appended, won't have a passwd, will have a null shell and no -home directory. For example a machine called 'doppy' would have an +with a "$" appended, won't have a password, will have a null shell and no +home directory. For example a machine named 'doppy' would have an /etc/passwd entry like this :

entry like this:

machine_nickname can be any descriptive name for the -pc i.e. BasementComputer. The can be any +descriptive name for the client, i.e., BasementComputer. +machine_name absolutely must be -the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS -name of the pc or samba will not recognize this as a machine account

Now that the UNIX account has been created, the next step is to create -the smbpasswd entry for the machine containing the well known initial -trust account password. This can be done using the absolutely must be the NetBIOS +name of the client to be joined to the domain. The "$" must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a machine trust account.

Now that the corresponding Unix account has been created, the next step is to create +the Samba account for the client containing the well-known initial +machine trust account password. This can be done using the root# smbpasswd -a -m smbpasswd -a -m machine_name

where machine_name is the machine's NetBIOS -name.

Manually creating a machine trust account using this method is the - equivalent of creating a machine account on a Windows NT PDC using + equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created - to the time which th client joins the domain and changes the password, + to the time which the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user @@ -6124,18 +6160,30 @@ CLASS="SECT2" >

8.4.2. Creating machine trust accounts "on the fly"8.4.2. "On-the-Fly" Creation of Machine Trust Accounts

The second, and most recommended way of creating machine trust accounts -is to create them as needed at the time the client is joined to -the domain. You will need to include a value for the The second (and recommended) way of creating machine trust accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain.

Since each Samba machine trust account requires a corresponding +Unix account, a method for automatically creating the +Unix account is usually supplied; this requires configuration of the +add user script -parameter. Below is an example from a RedHat 6.2 Linux system.

+option in smb.conf. This +method is not required, however; corresponding Unix accounts may also +be created manually.

Below is an example for a RedHat 6.2 Linux system.

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
[global] + # <...remainder of parameters...> + add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

8.4.3. Joining the Client to the Domain

The procedure for joining a client to the domain varies with the +version of Windows.

  • In Samba 2.2.1, only the root account can be used to create -machine accounts like this. Therefore, it is required to create -an entry in smbpasswd for root. The password -SHOULD be set to a different password that the -associated Windows 2000

    When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A + Samba administrative account (i.e., a Samba account that has root + privileges on the Samba server) must be entered here; the + operation will fail if an ordinary user account is given. + The password for this account should be + set to a different password than the associated + /etc/passwd entry for security reasons.

    entry, for security + reasons.

    The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists.

  • Windows NT

    If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." In this case, + the existing machine trust account is used to join the machine to + the domain.

    If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted).

8.5. Common Problems and Errors

/etc/passwd of the machine name with a '$' appended. FreeBSD (and other BSD - systems ?) won't create a user with a '$' in their name. + systems?) won't create a user with a '$' in their name.

The problem is only in the program used to make the entry, once @@ -6202,7 +6296,7 @@ CLASS="COMMAND" >vipw to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a - unique uid ! + unique User ID !

  • I get told "You already have a connection to the Domain...." or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine account.

    This happens if you try to create a machine account from the +> This happens if you try to create a machine trust account from the machine itself and already have a connection (e.g. mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections: @@ -6266,17 +6360,17 @@ CLASS="COMMAND" >

  • The machine account for this computer either does not +>The machine trust account for this computer either does not exist or is not accessible.

    When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". Whats + for this computer either does not exist or is not accessible". What's wrong?

    This problem is caused by the PDC not having a suitable machine account. +> This problem is caused by the PDC not having a suitable machine trust account. If you are using the

    Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. + correct for the machine trust account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a '$' appended to it ( i.e. computer_name$ ). There must be an entry @@ -6371,7 +6465,7 @@ CLASS="SECT1" >

    8.6. System Policies and Profiles

  • What about Windows NT Policy Editor ?What about Windows NT Policy Editor?

  • Can Win95 do Policies ?Can Win95 do Policies?

    Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager' ? + the 'User Manager for Domains', the 'Server Manager'?

    Microsoft distributes a version of these tools called nexus for @@ -6528,8 +6622,8 @@ CLASS="SECT1" >

    8.7. What other help can I get ?8.7. What other help can I get?

    There are many sources of information available in the form @@ -6592,7 +6686,7 @@ HREF="http://www.tcpdump.org/" TARGET="_top" >http://www.tcpdup.org/. - Ethereal, another good packet sniffer for UNIX and Win32 + Ethereal, another good packet sniffer for Unix and Win32 hosts, can be downloaded from

  • How do I get help from the mailing lists ?How do I get help from the mailing lists?

    Please think carefully before attaching a document to an email. Consider pasting the relevant parts into the body of the message. The samba mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory ?

  • How do I get off the mailing lists ?How do I get off the mailing lists?

    8.8. Domain Control for Windows 9x/ME

    Note: The following section contains much of the original DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book Special -Edition, Using Samba. (Richard Sharpe)

    Special +Edition, Using Samba, by Richard Sharpe.

    Issues related to the single-logon network model are discussed in this -document. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X clients.

    When an SMB client in a domain wishes to logon it broadcast requests for a logon server. The first one to reply gets the job, and validates its @@ -6967,37 +7064,12 @@ servers advertising themselves as participating in a domain. This demonstrates how authentication is quite different from but closely involved with domains.

    Another thing commonly associated with single-logon domains is remote -administration over the SMB protocol. Again, there is no reason why this -cannot be implemented with an underlying username database which is -different from the Windows NT SAM. Support for the Remote Administration -Protocol is planned for a future release of Samba.

    Network logon support as discussed in this section is aimed at Window for -Workgroups, and Windows 9X clients.

    Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. -It is possible to specify: the profile location; script file to be loaded -on login; the user's home directory; and for NT a kick-off time could also -now easily be supported. However, there are some differences between Win9X -profile support and WinNT profile support. These are discussed below.

    With NT Workstations, all this does not require the use or intervention of -an NT 4.0 or NT 3.51 server: Samba can now replace the logon services -provided by an NT server, to a limited and experimental degree (for example, -running "User Manager for Domains" will not provide you with access to -a domain created by a Samba Server).

    With Win95, the help of an NT server can be enlisted, both for profile storage -and for user authentication. For details on user authentication, see -security_level.txt. For details on profile storage, see below.

    Using these features you can make your clients verify their logon via the Samba server; make clients run a batch file when they logon to the network and download their preferences, desktop and start menu.

    Before launching into the configuration instructions, it is worthwhile looking -at how a Win9X client performs a logon:

    Before launching into the configuration instructions, it is +worthwhile lookingat how a Windows 9x/ME client performs a logon:

    1. The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -7060,122 +7132,27 @@ CLASS="SECT2" >

      8.8.1. Configuration Instructions: Network Logons

      To use domain logons and profiles you need to do the following:

      1. Create a share called [netlogon] in your smb.conf. This share should - be readable by all users, and probably should not be writeable. This - share will hold your network logon scripts, and the CONFIG.POL file - (Note: for details on the CONFIG.POL file, how to use it, what it is, - refer to the Microsoft Windows NT Administration documentation. - The format of these files is not known, so you will need to use - Microsoft tools). -

        For example I have used: - 

        [netlogon]
-     path = /data/dos/netlogon
-     writeable = no
-     guest ok = no

        Note that it is important that this share is not writeable by ordinary - users, in a secure environment: ordinary users should not be allowed - to modify or add files that another user's computer would then download - when they log in. -

      2. in the [global] section of smb.conf set the following: - 

        domain logons = yes
-logon script = %U.bat
-

        The choice of batch file is, of course, up to you. The above would - give each user a separate batch file as the %U will be changed to - their username automatically. The other standard % macros may also be - used. You can make the batch files come from a subdirectory by using - something like: -

        The main difference between a PDC and a Windows 9x logon +server configuration is that

        logon script = scripts\%U.bat
-

        • create the batch files to be run when the user logs in. If the batch - file doesn't exist then no batch file will be run. -

          In the batch files you need to be careful to use DOS style cr/lf line - endings. If you don't then DOS may get confused. I suggest you use a - DOS editor to remotely edit the files if you don't know how to produce - DOS style files under unix. -

          Password encryption is not required for a Windows 9x logon server.

        • Use smbclient with the -U option for some users to make sure that - the \\server\NETLOGON share is available, the batch files are - visible and they are readable by the users. -

          Windows 9x/ME clients do not possess machine trust accounts.

        you will probably find that your clients automatically mount the - \\SERVER\NETLOGON share as drive z: while logging in. You can put - some useful programs there to execute from the batch files. -

      Therefore, a Samba PDC will also act as a Windows 9x logon +server.

      mode security is really just a variation on SMB user level security.

      Actually, this issue is also closer tied to the debate on whether +>Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons @@ -7249,7 +7226,7 @@ CLASS="SECT2" >

      8.8.2. Configuration Instructions: Setting up Roaming User Profiles

      8.8.2.1. Windows NT Configuration

      To support WinNT clients, inn the [global] section of smb.conf set the +>To support WinNT clients, in the [global] section of smb.conf set the following (for example):

      8.8.2.2. Windows 9X Configuration

      8.8.2.3. Win9X and WinNT Configuration

      8.8.2.4. Windows 9X Profile Setup

      If you have made the folders / files read-only on the samba server, then you will get errors from the w95 machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the unix file +you have any errors reported by the w95 machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server.

      8.8.2.5. Windows NT Workstation 4.0

      8.8.2.6. Windows NT Server

      8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

      8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

      9.1. Abstract

      9.2. Introduction

      9.3. What Winbind Provides

      9.3.1. Target Uses

      9.4. How Winbind Works

      9.4.1. Microsoft Remote Procedure Calls

      9.4.2. Name Service Switch

      9.4.3. Pluggable Authentication Modules

      9.4.4. User and Group ID Allocation

      9.4.5. Result Caching

      9.5. Installation and Configuration

      9.5.1. Introduction

      9.5.2. Requirements

      If you have a samba configuration file that you are currently -using... BACK IT UP! If your system already uses PAM, BACK UP -THE BACK IT UP! If your system already uses PAM, +back up the /etc/pam.d directory contents! If you -haven't already made a boot disk, MAKE ON NOW!

      directory +contents! If you haven't already made a boot disk, +MAKE ONE NOW!

      Messing with the pam configuration files can make it nearly impossible to log in to yourmachine. That's why you want to be able to boot back @@ -8322,10 +8306,15 @@ CLASS="FILENAME" > back to the original state they were in if you get frustrated with the way things are going. ;-)

      The newest version of SAMBA (version 2.2.2), available from -cvs.samba.org, now include a functioning winbindd daemon. Please refer -to the main SAMBA web page or, better yet, your closest SAMBA mirror -site for instructions on downloading the source code.

      The latest version of SAMBA (version 2.2.2 as of this writing), now +includes a functioning winbindd daemon. Please refer to the +main SAMBA web page or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code.

      To allow Domain users the ability to access SAMBA shares and files, as well as potentially other services provided by your @@ -8333,15 +8322,21 @@ SAMBA machine, PAM (pluggable authentication modules) must be setup properly on your machine. In order to compile the winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that -means 'pam-0.74-22'. For best results, it is helpful to also -install the development packages in 'pam-devel-0.74-22'.

      pam-0.74-22      . For best results, it is helpful to also +install the development packages in pam-devel-0.74-22.

      9.5.3. Testing Things Out

      /usr/man entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, my RedHat -system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.

      pam-0.74-22 and +pam-devel-0.74-22 RPMs installed.

      9.5.3.1. Configure and compile SAMBA

      The configuration and compilation of SAMBA is pretty straightforward. -The first three steps maynot be necessary depending upon +The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries.

      root# autoconf +>root#autoconfroot# make clean +>root#make cleanroot# rm config.cache +>root#rm config.cacheroot# ./configure --with-winbind +>root#./configure --with-winbindroot# make +>root#makeroot# make installroot#make install

      This will, by default, install SAMBA in /usr/local/samba. See the -main SAMBA documentation if you want to install SAMBA somewhere else. +>This will, by default, install SAMBA in /usr/local/samba. +See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries.

      9.5.3.2. Configure nsswitch.conf and the winbind libraries9.5.3.2. Configure nsswitch.conf and the +winbind libraries

      The libraries needed to run the winbind daemon through nsswitch -need to be copied to their proper locations, so

      The libraries needed to run the winbindd daemon +through nsswitch need to be copied to their proper locations, so

      root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

      root#       cp ../samba/source/nsswitch/libnss_winbind.so /lib

      I also found it necessary to make the following symbolic link:

      root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

      root#       ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

      Now, as root you need to edit winbindd -daemon, as well as from your /etc/hosts files and NIS servers. My -/etc/nsswitch.conf file look like this after editing:

      file look like +this after editing:

      	passwd:     files winbind
-	shadow:     files winbind
+	shadow:     files 
 	group:      files winbind

      The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time your system reboots, but it +entered into the ldconfig cache the next time +your system reboots, but it is faster (and you don't need to reboot) if you do it manually:

      root# /sbin/ldconfig -v | grep winbind

      root#/sbin/ldconfig -v | grep winbind

      This makes

      9.5.3.3. Configure smb.conf

      [global] <...> # separate domain and username with '+', like DOMAIN+username - winbind separator = + + winbind separator = + # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 + winbind uid = 10000-20000 # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 + winbind gid = 10000-20000 # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes + winbind enum users = yes + winbind enum groups = yes # give winbind users a real shell (only needed if they have telnet access) - template shell = /bin/bashtemplate homedir = /home/winnt/%D/%U + template shell = /bin/bash

      9.5.3.4. Join the SAMBA server to the PDC domain

      root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

      root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

      The proper response to the command should be: "Joined the domain

      9.5.3.5. Start up the winbindd daemon and test it!

      root# /usr/local/samba/bin/winbindd

      root# /usr/local/samba/bin/winbindd

      I'm always paranoid and like to make sure the daemon is really running...

      root# ps -ae | grep winbindd -3025 ? 00:00:00 winbindd

      root#       ps -ae | grep winbindd

      This command should produce output like this, if the daemon is running

      3025 ? 00:00:00 winbindd

      Now... for the real test, try to get some information about the users on your PDC

      root# # /usr/local/samba/bin/wbinfo -u

      root#       /usr/local/samba/bin/wbinfo -u

      This should echo back a list of users on your Windows users on @@ -8656,7 +8743,13 @@ CEO+TsInternetUser

      Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.

      Obviously, I have named my domain 'CEO' and my winbindd +separator is '+'.

      You can do the same sort of thing to get group information from the PDC:

      root# /usr/local/samba/bin/wbinfo -g +>root#       /usr/local/samba/bin/wbinfo -g CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -8693,8 +8789,11 @@ Try the following command:

      root# getent passwd

      root# getent passwd

      You should get a list that looks like your

      root# getent group

      root# getent group

      9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files

      The

      If you restart the smbd, nmbd, +and winbindd daemons at this point, you +should be able to connect to the samba server as a domain member just as +if you were a local user.

      9.5.3.7. Configure Winbind and PAM

      If you have made it this far, you know that winbindd is working. -Now it is time to integrate it into the operation of samba and other -services. The pam configuration files need to be altered in +>If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in this step. (Did you remember to make backups of your original /etc/pam.d files? If not, do it now.)

      To get samba to allow domain users and groups, I modified the +>You will need a pam module to use winbindd with these other services. This +module will be compiled in the ../source/nsswitch directory +by invoking the command

      root# make nsswitch/pam_winbind.so

      from the ../source directory. The /etc/pam.d/samba file from

      pam_winbind.so file should be copied to the location of +your other pam security modules. On my RedHat system, this was the +/lib/security directory.

      auth    required        /lib/security/pam_stack.so service=system-auth
-account required        /lib/security/pam_stack.so service=system-auth
      root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security

      to

      The /etc/pam.d/samba file does not need to be changed. I +just left this fileas it was:

      winbind.so line to get rid of annoying double prompts for passwords.

      Finally, don't forget to copy the winbind pam modules from -the source directory in which you originally compiled the new -SAMBA up to the /lib/security directory so that pam can use it:

      root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security

      9.6. Limitations

      9.7. Conclusion

      10.1. FAQs

      10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

      10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?

      10.1.3. Are there any other issues when OS/2 (any version) is used as a client?

      10.1.4. How do I get printer driver download working for OS/2 clients?

      11.1. Introduction

      11.2. CVS Access to samba.org

      11.2.1. Access via CVSweb

      11.2.2. Access via cvs

      Index

      Primary Domain Controller, +>Primary Domain Controller, Background 
      auth    required        /lib/security/pam_winbind.so
-auth    required        /lib/security/pam_stack.so service=system-auth
-account required        /lib/security/pam_winbind.so
+>auth    required        /lib/security/pam_stack.so service=system-auth
 account required        /lib/security/pam_stack.so service=system-auth
      auth       sufficient   /lib/security/pam_winbind.so
-auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+>auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth       sufficient   /lib/security/pam_winbind.so
 auth       required     /lib/security/pam_stack.so service=system-auth
 auth       required     /lib/security/pam_shells.so
+account    sufficient   /lib/security/pam_winbind.so
 account    required     /lib/security/pam_stack.so service=system-auth
 session    required     /lib/security/pam_stack.so service=system-auth