From 20967627378194121bc48bf387838b8bd7682478 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Mar 2003 16:48:14 +0000 Subject: Regenerate (This used to be commit 25db62e3101dbcae8e9daee3cb16430297afa223) --- docs/htmldocs/Samba-Developers-Guide.html | 953 +++-- docs/htmldocs/Samba-HOWTO-Collection.html | 5989 +++++++++++++++-------------- docs/htmldocs/ads.html | 56 +- docs/htmldocs/appendixes.html | 210 +- docs/htmldocs/browsing-quick.html | 98 +- docs/htmldocs/bugreport.html | 54 +- docs/htmldocs/compiling.html | 631 +++ docs/htmldocs/cvs-access.html | 307 -- docs/htmldocs/diagnosis.html | 100 +- docs/htmldocs/domain-security.html | 102 +- docs/htmldocs/findsmb.1.html | 22 +- docs/htmldocs/groupmapping.html | 14 +- docs/htmldocs/groupprofiles.html | 73 +- docs/htmldocs/improved-browsing.html | 152 +- docs/htmldocs/install.html | 648 +--- docs/htmldocs/integrate-ms-networks.html | 188 +- docs/htmldocs/introduction.html | 152 +- docs/htmldocs/lmhosts.5.html | 2 +- docs/htmldocs/msdfs.html | 84 +- docs/htmldocs/net.8.html | 18 +- docs/htmldocs/nmbd.8.html | 46 +- docs/htmldocs/nmblookup.1.html | 66 +- docs/htmldocs/oplocks.html | 208 - docs/htmldocs/optional.html | 332 +- docs/htmldocs/other-clients.html | 117 +- docs/htmldocs/p1346.html | 917 ----- docs/htmldocs/p18.html | 438 --- docs/htmldocs/p3106.html | 391 -- docs/htmldocs/p544.html | 388 -- docs/htmldocs/pam.html | 24 +- docs/htmldocs/passdb.html | 370 +- docs/htmldocs/pdb-mysql.html | 341 -- docs/htmldocs/pdb-xml.html | 189 - docs/htmldocs/pdbedit.8.html | 22 +- docs/htmldocs/portability.html | 47 +- docs/htmldocs/printing.html | 236 +- docs/htmldocs/pwencrypt.html | 445 --- docs/htmldocs/rpcclient.1.html | 108 +- docs/htmldocs/samba-bdc.html | 56 +- docs/htmldocs/samba-howto-collection.html | 424 +- docs/htmldocs/samba-ldap-howto.html | 1011 ----- docs/htmldocs/samba-pdc.html | 266 +- docs/htmldocs/samba.7.html | 2 +- docs/htmldocs/securing-samba.html | 307 ++ docs/htmldocs/securitylevels.html | 2 +- docs/htmldocs/smb.conf.5.html | 5797 ++++++++++------------------ docs/htmldocs/smbcacls.1.html | 38 +- docs/htmldocs/smbclient.1.html | 404 +- docs/htmldocs/smbcontrol.1.html | 102 +- docs/htmldocs/smbd.8.html | 64 +- docs/htmldocs/smbgroupedit.8.html | 22 +- docs/htmldocs/smbmnt.8.html | 4 +- docs/htmldocs/smbmount.8.html | 66 +- docs/htmldocs/smbpasswd.5.html | 12 +- docs/htmldocs/smbpasswd.8.html | 120 +- docs/htmldocs/smbsh.1.html | 92 +- docs/htmldocs/smbspool.8.html | 10 +- docs/htmldocs/smbstatus.1.html | 16 +- docs/htmldocs/smbtar.1.html | 26 +- docs/htmldocs/smbumount.8.html | 2 +- docs/htmldocs/speed.html | 68 +- docs/htmldocs/swat.8.html | 16 +- docs/htmldocs/testparm.1.html | 22 +- docs/htmldocs/testprns.1.html | 6 +- docs/htmldocs/type.html | 76 +- docs/htmldocs/unix-permissions.html | 290 +- docs/htmldocs/vfs.html | 60 +- docs/htmldocs/vfstest.1.html | 24 +- docs/htmldocs/wbinfo.1.html | 50 +- docs/htmldocs/winbind.html | 298 +- docs/htmldocs/winbindd.8.html | 104 +- 71 files changed, 9018 insertions(+), 15377 deletions(-) create mode 100644 docs/htmldocs/compiling.html delete mode 100644 docs/htmldocs/cvs-access.html delete mode 100644 docs/htmldocs/oplocks.html delete mode 100644 docs/htmldocs/p1346.html delete mode 100644 docs/htmldocs/p18.html delete mode 100644 docs/htmldocs/p3106.html delete mode 100644 docs/htmldocs/p544.html delete mode 100644 docs/htmldocs/pdb-mysql.html delete mode 100644 docs/htmldocs/pdb-xml.html delete mode 100644 docs/htmldocs/pwencrypt.html delete mode 100644 docs/htmldocs/samba-ldap-howto.html create mode 100644 docs/htmldocs/securing-samba.html (limited to 'docs/htmldocs') diff --git a/docs/htmldocs/Samba-Developers-Guide.html b/docs/htmldocs/Samba-Developers-Guide.html index 5d9702e49e..22cbcec3ee 100644 --- a/docs/htmldocs/Samba-Developers-Guide.html +++ b/docs/htmldocs/Samba-Developers-Guide.html @@ -5,7 +5,7 @@ >SAMBA Developers GuideSAMBA Developers GuideSAMBA Developers Guide

1.1. NETBIOS

1.1. NETBIOS

NetBIOS runs over the following tranports: TCP/IP; NetBEUI and IPX/SPX. Samba only uses NetBIOS over TCP/IP. For details on the TCP/IP NetBIOS @@ -904,8 +904,8 @@ CLASS="SECT1" CLASS="SECT1" >1.2. BROADCAST NetBIOS1.2. BROADCAST NetBIOS

Clients can claim names, and therefore offer services on successfully claimed @@ -927,14 +927,14 @@ CLASS="SECT1" CLASS="SECT1" >1.3. NBNS NetBIOS1.3. NBNS NetBIOS

rfc1001.txt describes, amongst other things, the implementation and use of, a 'NetBIOS Name Service'. NT/AS offers 'Windows Internet Name Service' which is fully rfc1001/2 compliant, but has had to take specific action with certain NetBIOS names in order to make it useful. (for example, it -deals with the registration of <1c> <1d> <1e> names all in different ways. +deals with the registration of <1c> <1d> <1e> names all in different ways. I recommend the reading of the Microsoft WINS Server Help files for full details).

2.1. Introduction2.1. Introduction

This document gives a general overview of how Samba works internally. The Samba Team has tried to come up with a model which is @@ -1022,8 +1022,8 @@ CLASS="SECT1" CLASS="SECT1" >2.2. Multithreading and Samba2.2. Multithreading and Samba

People sometimes tout threads as a uniformly good thing. They are very nice in their place but are quite inappropriate for smbd. nmbd is @@ -1048,8 +1048,8 @@ CLASS="SECT1" CLASS="SECT1" >2.3. Threading smbd2.3. Threading smbd

A few problems that would arise from a threaded smbd are:

2.4. Threading nmbd2.4. Threading nmbd

This would be ideal, but gets sunk by portability requirements.

2.5. nbmd Design2.5. nbmd Design

Originally Andrew used recursion to simulate a multi-threaded environment, which use the stack enormously and made for really @@ -1173,22 +1173,22 @@ CLASS="SECT1" CLASS="SECT1" >3.1. New Output Syntax3.1. New Output Syntax

The syntax of a debugging log file is represented as:

  >debugfile< :== { >debugmsg< }
+>  >debugfile< :== { >debugmsg< }
 
-  >debugmsg<  :== >debughdr< '\n' >debugtext<
+  >debugmsg<  :== >debughdr< '\n' >debugtext<
 
-  >debughdr<  :== '[' TIME ',' LEVEL ']' FILE ':' [FUNCTION] '(' LINE ')'
+  >debughdr<  :== '[' TIME ',' LEVEL ']' FILE ':' [FUNCTION] '(' LINE ')'
 
-  >debugtext< :== { >debugline< }
+  >debugtext< :== { >debugline< }
 
-  >debugline< :== TEXT '\n'

TEXT is a string of characters excluding the newline character.

3.2. The DEBUG() Macro3.2. The DEBUG() Macro

Use of the DEBUG() macro is unchanged. DEBUG() takes two parameters. The first is the message level, the second is the body of a function @@ -1338,8 +1338,8 @@ CLASS="SECT1" CLASS="SECT1" >3.3. The DEBUGADD() Macro3.3. The DEBUGADD() Macro

In addition to the kludgey solution to the broken line problem described above, there is a clean solution. The DEBUGADD() macro never @@ -1369,8 +1369,8 @@ CLASS="SECT1" CLASS="SECT1" >3.4. The DEBUGLVL() Macro3.4. The DEBUGLVL() Macro

One of the problems with the DEBUG() macro was that DEBUG() lines tended to get a bit long. Consider this example from @@ -1437,16 +1437,16 @@ CLASS="SECT1" CLASS="SECT1" >3.5. New Functions3.5. New Functions

3.5.1. dbgtext()

3.5.1. dbgtext()

This function prints debug message text to the debug file (and possibly to syslog) via the format buffer. The function uses a @@ -1463,8 +1463,8 @@ CLASS="SECT2" CLASS="SECT2" >3.5.2. dbghdr()3.5.2. dbghdr()

This is the function that writes a debug message header. Headers are not processed via the format buffer. Also note that @@ -1480,8 +1480,8 @@ CLASS="SECT2" CLASS="SECT2" >3.5.3. format_debug_text()3.5.3. format_debug_text()

This is a static function in debug.c. It stores the output text for the body of the message in a buffer until it encounters a @@ -1726,8 +1726,8 @@ CLASS="SECT1" CLASS="SECT1" >5.1. Character Handling5.1. Character Handling

This section describes character set handling in Samba, as implemented in Samba 3.0 and above

5.2. The new functions5.2. The new functions

The new system works like this:

5.3. Macros in byteorder.h5.3. Macros in byteorder.h

This section describes the macros defined in byteorder.h. These macros are used extensively in the Samba code.

5.3.1. CVAL(buf,pos)5.3.1. CVAL(buf,pos)

returns the byte at offset pos within buffer buf as an unsigned character.

5.3.2. PVAL(buf,pos)5.3.2. PVAL(buf,pos)

returns the value of CVAL(buf,pos) cast to type unsigned integer.

5.3.3. SCVAL(buf,pos,val)5.3.3. SCVAL(buf,pos,val)

sets the byte at offset pos within buffer buf to value val.

5.3.4. SVAL(buf,pos)5.3.4. SVAL(buf,pos)

returns the value of the unsigned short (16 bit) little-endian integer at offset pos within buffer buf. An integer of this type is sometimes @@ -1913,8 +1913,8 @@ CLASS="SECT2" CLASS="SECT2" >5.3.5. IVAL(buf,pos)5.3.5. IVAL(buf,pos)

returns the value of the unsigned 32 bit little-endian integer at offset pos within buffer buf.

5.3.6. SVALS(buf,pos)5.3.6. SVALS(buf,pos)

returns the value of the signed short (16 bit) little-endian integer at offset pos within buffer buf.

5.3.7. IVALS(buf,pos)5.3.7. IVALS(buf,pos)

returns the value of the signed 32 bit little-endian integer at offset pos within buffer buf.

5.3.8. SSVAL(buf,pos,val)5.3.8. SSVAL(buf,pos,val)

sets the unsigned short (16 bit) little-endian integer at offset pos within buffer buf to value val.

5.3.9. SIVAL(buf,pos,val)5.3.9. SIVAL(buf,pos,val)

sets the unsigned 32 bit little-endian integer at offset pos within buffer buf to the value val.

5.3.10. SSVALS(buf,pos,val)5.3.10. SSVALS(buf,pos,val)

sets the short (16 bit) signed little-endian integer at offset pos within buffer buf to the value val.

5.3.11. SIVALS(buf,pos,val)5.3.11. SIVALS(buf,pos,val)

sets the signed 32 bit little-endian integer at offset pos withing buffer buf to the value val.

5.3.12. RSVAL(buf,pos)5.3.12. RSVAL(buf,pos)

returns the value of the unsigned short (16 bit) big-endian integer at offset pos within buffer buf.

5.3.13. RIVAL(buf,pos)5.3.13. RIVAL(buf,pos)

returns the value of the unsigned 32 bit big-endian integer at offset pos within buffer buf.

5.3.14. RSSVAL(buf,pos,val)5.3.14. RSSVAL(buf,pos,val)

sets the value of the unsigned short (16 bit) big-endian integer at offset pos within buffer buf to value val. @@ -2034,8 +2034,8 @@ CLASS="SECT2" CLASS="SECT2" >5.3.15. RSIVAL(buf,pos,val)5.3.15. RSIVAL(buf,pos,val)

sets the value of the unsigned 32 bit big-endian integer at offset pos within buffer buf to value val.

5.4. LAN Manager Samba API5.4. LAN Manager Samba API

This section describes the functions need to make a LAN Manager RPC call. This information had been obtained by examining the Samba code and the LAN @@ -2069,8 +2069,8 @@ CLASS="SECT2" CLASS="SECT2" >5.4.1. Parameters5.4.1. Parameters

The parameters are as follows:

5.4.2. Return value5.4.2. Return value

The returned parameters (pointed to by rparam), in their order of appearance are:

5.5. Code character table5.5. Code character table

Certain data structures are described by means of ASCIIz strings containing code characters. These are the code characters:

6.1. Lexical Analysis6.1. Lexical Analysis

Basically, the file is processed on a line by line basis. There are four types of lines that are recognized by the lexical analyzer @@ -2340,8 +2340,8 @@ CLASS="SECT2" CLASS="SECT2" >6.1.1. Handling of Whitespace6.1.1. Handling of Whitespace

Whitespace is defined as all characters recognized by the isspace() function (see ctype(3C)) except for the newline character ('\n') @@ -2377,8 +2377,8 @@ CLASS="SECT2" CLASS="SECT2" >6.1.2. Handling of Line Continuation6.1.2. Handling of Line Continuation

Long section header and parameter lines may be extended across multiple lines by use of the backslash character ('\\'). Line @@ -2417,8 +2417,8 @@ CLASS="SECT2" CLASS="SECT2" >6.1.3. Line Continuation Quirks6.1.3. Line Continuation Quirks

Note the following example:

6.2. Syntax6.2. Syntax

The syntax of the smb.conf file is as follows:

  <file>            :==  { <section> } EOF
-  <section>         :==  <section header> { <parameter line> }
-  <section header>  :==  '[' NAME ']'
-  <parameter line>  :==  NAME '=' VALUE NL
<file> :== { <section> } EOF + <section> :== <section header> { <parameter line> } + <section header> :== '[' NAME ']' + <parameter line> :== NAME '=' VALUE NL

Basically, this means that

6.2.1. About params.c6.2.1. About params.c

The parsing of the config file is a bit unusual if you are used to lex, yacc, bison, etc. Both lexical analysis (scanning) and parsing @@ -2547,12 +2547,12 @@ CLASS="SECT1" CLASS="SECT1" >7.1. Introduction7.1. Introduction

This is a short document that describes some of the issues that confront a SMB implementation on unix, and how Samba copes with -them. They may help people who are looking at unix<->PC +them. They may help people who are looking at unix<->PC interoperability.

It was written to help out a person who was writing a paper on unix to @@ -2564,8 +2564,8 @@ CLASS="SECT1" CLASS="SECT1" >7.2. Usernames7.2. Usernames

The SMB protocol has only a loose username concept. Early SMB protocols (such as CORE and COREPLUS) have no username concept at @@ -2610,8 +2610,8 @@ CLASS="SECT1" CLASS="SECT1" >7.3. File Ownership7.3. File Ownership

The commonly used SMB protocols have no way of saying "you can't do that because you don't own the file". They have, in fact, no concept @@ -2637,8 +2637,8 @@ CLASS="SECT1" CLASS="SECT1" >7.4. Passwords7.4. Passwords

Many SMB clients uppercase passwords before sending them. I have no idea why they do this. Interestingly WfWg uppercases the password only @@ -2668,8 +2668,8 @@ CLASS="SECT1" CLASS="SECT1" >7.5. Locking7.5. Locking

Since samba 2.2, samba supports other types of locking as well. This section is outdated.

7.6. Deny Modes7.6. Deny Modes

When a SMB client opens a file it asks for a particular "deny mode" to be placed on the file. These modes (DENY_NONE, DENY_READ, DENY_WRITE, @@ -2731,8 +2731,8 @@ CLASS="SECT1" CLASS="SECT1" >7.7. Trapdoor UIDs7.7. Trapdoor UIDs

A SMB session can run with several uids on the one socket. This happens when a user connects to two shares with different @@ -2750,8 +2750,8 @@ CLASS="SECT1" CLASS="SECT1" >7.8. Port numbers7.8. Port numbers

There is a convention that clients on sockets use high "unprivilaged" port numbers (>1000) and connect to servers on low "privilaged" port @@ -2782,8 +2782,8 @@ CLASS="SECT1" CLASS="SECT1" >7.9. Protocol Complexity7.9. Protocol Complexity

There are many "protocol levels" in the SMB protocol. It seems that each time new functionality was added to a Microsoft operating system, @@ -2900,14 +2900,14 @@ example, if I'm using a csh style shell:

strace -f -p 3872 >& strace.outstrace -f -p 3872 >& strace.out

or with a sh style shell:

strace -f -p 3872 > strace.out 2>&1strace -f -p 3872 > strace.out 2>&1

Note the "-f" option. This is only available on some systems, and @@ -2963,8 +2963,8 @@ CLASS="SECT1" CLASS="SECT1" >9.1. Introduction9.1. Introduction

This document contains information to provide an NT workstation with login services, without the need for an NT server. It is the sgml version of 9.1.1. Sources9.1.1. Sources

9.1.2. Credits9.1.2. Credits

9.2. Notes and Structures9.2. Notes and Structures

9.2.1. Notes

9.2.1. Notes

    9.2.2. Enumerations9.2.2. Enumerations

    9.2.2.1. MSRPC Header type

    9.2.2.1. MSRPC Header type

    command number in the msrpc packet header

    9.2.2.2. MSRPC Packet info9.2.2.2. MSRPC Packet info

    The meaning of these flags is undocumented

    9.2.3. Structures9.2.3. Structures

    9.2.3.1. VOID *

    9.2.3.1. VOID *

    sizeof VOID* is 32 bits.

    9.2.3.2. char9.2.3.2. char

    sizeof char is 8 bits.

    9.2.3.3. UTIME9.2.3.3. UTIME

    UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30).

9.2.3.4. NTTIME9.2.3.4. NTTIME

NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30).

9.2.3.5. DOM_SID (domain SID structure)9.2.3.5. DOM_SID (domain SID structure)

9.2.3.6. STR (string)9.2.3.6. STR (string)

STR (string) is a char[] : a null-terminated string of ascii characters.

9.2.3.7. UNIHDR (unicode string header)9.2.3.7. UNIHDR (unicode string header)

9.2.3.8. UNIHDR2 (unicode string header plus buffer pointer)9.2.3.8. UNIHDR2 (unicode string header plus buffer pointer)

9.2.3.9. UNISTR (unicode string)9.2.3.9. UNISTR (unicode string)

9.2.3.10. NAME (length-indicated unicode string)9.2.3.10. NAME (length-indicated unicode string)

9.2.3.11. UNISTR2 (aligned unicode string)9.2.3.11. UNISTR2 (aligned unicode string)

9.2.3.12. OBJ_ATTR (object attributes)9.2.3.12. OBJ_ATTR (object attributes)

9.2.3.13. POL_HND (LSA policy handle)9.2.3.13. POL_HND (LSA policy handle)

9.2.3.14. DOM_SID2 (domain SID structure, SIDS stored in unicode)9.2.3.14. DOM_SID2 (domain SID structure, SIDS stored in unicode)

9.2.3.15. DOM_RID (domain RID structure)9.2.3.15. DOM_RID (domain RID structure)

9.2.3.16. LOG_INFO (server, account, client structure)9.2.3.16. LOG_INFO (server, account, client structure)

9.2.3.17. CLNT_SRV (server, client names structure)9.2.3.17. CLNT_SRV (server, client names structure)

9.2.3.18. CREDS (credentials + time stamp)9.2.3.18. CREDS (credentials + time stamp)

9.2.3.19. CLNT_INFO2 (server, client structure, client credentials)9.2.3.19. CLNT_INFO2 (server, client structure, client credentials)

9.2.3.20. CLNT_INFO (server, account, client structure, client credentials)9.2.3.20. CLNT_INFO (server, account, client structure, client credentials)

9.2.3.21. ID_INFO_1 (id info structure, auth level 1)9.2.3.21. ID_INFO_1 (id info structure, auth level 1)

9.2.3.22. SAM_INFO (sam logon/logoff id info structure)9.2.3.22. SAM_INFO (sam logon/logoff id info structure)

9.2.3.23. GID (group id info)9.2.3.23. GID (group id info)

9.2.3.24. DOM_REF (domain reference info)9.2.3.24. DOM_REF (domain reference info)

9.2.3.25. DOM_INFO (domain info, levels 3 and 5 are the same))9.2.3.25. DOM_INFO (domain info, levels 3 and 5 are the same))

9.2.3.26. USER_INFO (user logon info)9.2.3.26. USER_INFO (user logon info)

9.2.3.27. SH_INFO_1_PTR (pointers to level 1 share info strings)9.2.3.27. SH_INFO_1_PTR (pointers to level 1 share info strings)

9.2.3.28. SH_INFO_1_STR (level 1 share info strings)9.2.3.28. SH_INFO_1_STR (level 1 share info strings)

9.2.3.29. SHARE_INFO_1_CTR9.2.3.29. SHARE_INFO_1_CTR

share container with 0 entries:

9.2.3.30. SERVER_INFO_1019.2.3.30. SERVER_INFO_101

9.3. MSRPC over Transact Named Pipe9.3. MSRPC over Transact Named Pipe

For details on the SMB Transact Named Pipe, see cifs6.txt

9.3.1. MSRPC Pipes9.3.1. MSRPC Pipes

The MSRPC is conducted over an SMB Transact Pipe with a name of 9.3.2. Header9.3.2. Header

[section to be rewritten, following receipt of work by Duncan Stansfield]

9.3.2.1. RPC_Packet for request, response, bind and bind acknowledgement9.3.2.1. RPC_Packet for request, response, bind and bind acknowledgement

9.3.2.2. Interface identification9.3.2.2. Interface identification

the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc

9.3.2.3. RPC_Iface RW9.3.2.3. RPC_Iface RW

9.3.2.4. RPC_ReqBind RW9.3.2.4. RPC_ReqBind RW

the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck

9.3.2.5. RPC_Address RW9.3.2.5. RPC_Address RW

9.3.2.6. RPC_ResBind RW9.3.2.6. RPC_ResBind RW

the response to place after the header in the reply packet

9.3.2.7. RPC_ReqNorm RW9.3.2.7. RPC_ReqNorm RW

the remainder of the packet after the header for every other other request

9.3.2.8. RPC_ResNorm RW9.3.2.8. RPC_ResNorm RW

9.3.3. Tail9.3.3. Tail

The end of each of the NTLSA and NETLOGON named pipes ends with:

9.3.4. RPC Bind / Bind Ack9.3.4. RPC Bind / Bind Ack

RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc) with a "transfer syntax" (see RPC_Iface structure). The purpose for doing @@ -5736,8 +5736,8 @@ CLASS="SECT2" CLASS="SECT2" >9.3.5. NTLSA Transact Named Pipe9.3.5. NTLSA Transact Named Pipe

The sequence of actions taken on this pipe are:

9.3.6. LSA Open Policy9.3.6. LSA Open Policy

9.3.6.1. Request9.3.6.1. Request

9.3.6.2. Response9.3.6.2. Response

9.3.7. LSA Query Info Policy9.3.7. LSA Query Info Policy

9.3.7.1. Request9.3.7.1. Request

9.3.7.2. Response9.3.7.2. Response

9.3.8. LSA Enumerate Trusted Domains9.3.8. LSA Enumerate Trusted Domains

9.3.8.1. Request

9.3.8.1. Request

no extra data

9.3.8.2. Response9.3.8.2. Response

9.3.9. LSA Open Secret9.3.9. LSA Open Secret

9.3.9.1. Request

9.3.9.1. Request

no extra data

9.3.9.2. Response9.3.9.2. Response

9.3.10. LSA Close9.3.10. LSA Close

9.3.10.1. Request

9.3.10.1. Request

9.3.10.2. Response9.3.10.2. Response

9.3.11. LSA Lookup SIDS9.3.11. LSA Lookup SIDS

9.3.11.1. Request9.3.11.1. Request

9.3.11.2. Response9.3.11.2. Response

9.3.12. LSA Lookup Names9.3.12. LSA Lookup Names

9.3.12.1. Request9.3.12.1. Request

9.3.12.2. Response9.3.12.2. Response

9.4. NETLOGON rpc Transact Named Pipe9.4. NETLOGON rpc Transact Named Pipe

The sequence of actions taken on this pipe are:

9.4.1. LSA Request Challenge9.4.1. LSA Request Challenge

9.4.1.1. Request9.4.1.1. Request

9.4.1.2. Response9.4.1.2. Response

9.4.2. LSA Authenticate 29.4.2. LSA Authenticate 2

9.4.2.1. Request9.4.2.1. Request

9.4.2.2. Response9.4.2.2. Response

9.4.3. LSA Server Password Set9.4.3. LSA Server Password Set

9.4.3.1. Request9.4.3.1. Request

9.4.3.2. Response9.4.3.2. Response

9.4.4. LSA SAM Logon9.4.4. LSA SAM Logon

9.4.4.1. Request9.4.4.1. Request

9.4.4.2. Response9.4.4.2. Response

9.4.5. LSA SAM Logoff9.4.5. LSA SAM Logoff

9.4.5.1. Request9.4.5.1. Request

9.4.5.2. Response9.4.5.2. Response

9.5. \\MAILSLOT\NET\NTLOGON9.5. \\MAILSLOT\NET\NTLOGON

Note: mailslots will contain a response mailslot, to which the response - should be sent. the target NetBIOS name is REQUEST_NAME<20>, where + should be sent. the target NetBIOS name is REQUEST_NAME<20>, where REQUEST_NAME is the name of the machine that sent the request.

9.5.1. Query for PDC9.5.1. Query for PDC

9.5.1.1. Request9.5.1.1. Request

9.5.1.2. Response9.5.1.2. Response

9.5.2. SAM Logon9.5.2. SAM Logon

9.5.2.1. Request9.5.2.1. Request

9.5.2.2. Response9.5.2.2. Response

9.6. SRVSVC Transact Named Pipe9.6. SRVSVC Transact Named Pipe

Defines for this pipe, identifying the query are:

9.6.1. Net Share Enum9.6.1. Net Share Enum

9.6.1.1. Request9.6.1.1. Request

9.6.1.2. Response9.6.1.2. Response

9.6.2. Net Server Get Info9.6.2. Net Server Get Info

9.6.2.1. Request9.6.2.1. Request

9.6.2.2. Response9.6.2.2. Response

9.7. Cryptographic side of NT Domain Authentication9.7. Cryptographic side of NT Domain Authentication

9.7.1. Definitions

9.7.1. Definitions

9.7.2. Protocol

C->S ReqChal,Cc S->C Cs

C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs)))

C: Rc = Cred(Ks,Cc) C->S Authenticate,Rc S: Rs = Cred(Ks,Cs), -assert(Rc == Cred(Ks,Cc)) S->C Rs C: assert(Rs == Cred(Ks,Cs))

9.7.2. Protocol
C->S ReqChal,Cc
+S->C Cs
C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs)))
C: Rc = Cred(Ks,Cc)
+C->S Authenticate,Rc
+S: Rs = Cred(Ks,Cs), assert(Rc == Cred(Ks,Cc))
+S->C Rs
+C: assert(Rs == Cred(Ks,Cs))

On joining the domain the client will optionally attempt to change its password and the domain controller may refuse to update it depending on registry settings. This will also occur weekly afterwards.

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) C->S ServerPasswordSet,Rc',Tc, -arc4(Ks[0..7,16],lmowf(randompassword()) C: Rc = Cred(Ks,Rc+Tc+1) S: -assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time() S: Rs' = Cred(Ks,Rs+Tc+1) -S->C Rs',Ts C: assert(Rs' == Cred(Ks,Rs+Tc+1)) S: Rs = Rs'

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc)
+C->S ServerPasswordSet,Rc',Tc,arc4(Ks[0..7,16],lmowf(randompassword())
+C: Rc = Cred(Ks,Rc+Tc+1)
+S: assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time()
+S: Rs' = Cred(Ks,Rs+Tc+1)
+S->C Rs',Ts
+C: assert(Rs' == Cred(Ks,Rs+Tc+1))
+S: Rs = Rs'

User: U with password P wishes to login to the domain (incidental data such as workstation and domain omitted)

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) C->S NetLogonSamLogon,Rc',Tc,U, -arc4(Ks[0..7,16],16,ntowf(P),16), arc4(Ks[0..7,16],16,lmowf(P),16) S: -assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM) S: -Ts = Time()

S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc) C: -assert(Rs == Cred(Ks,Cred(Rc+Tc+1)) C: Rc = Cred(Ks,Rc+Tc+1)

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc)
+C->S NetLogonSamLogon,Rc',Tc,U,arc4(Ks[0..7,16],16,ntowf(P),16), arc4(Ks[0..7,16],16,lmowf(P),16)
+S: assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM)
+S: Ts = Time()
S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc)
+C: assert(Rs == Cred(Ks,Cred(Rc+Tc+1))
+C: Rc = Cred(Ks,Rc+Tc+1)
9.7.3. Comments9.7.3. Comments

On first joining the domain the session key could be computed by anyone listening in on the network as the machine password has a well @@ -7733,8 +7748,8 @@ CLASS="SECT1" CLASS="SECT1" >9.8. SIDs and RIDs9.8. SIDs and RIDs

SIDs and RIDs are well documented elsewhere.

9.8.1. Well-known SIDs9.8.1. Well-known SIDs

9.8.1.1. Universal well-known SIDs

9.8.1.1. Universal well-known SIDs

9.8.1.2. NT well-known SIDs9.8.1.2. NT well-known SIDs

9.8.2. Well-known RIDS9.8.2. Well-known RIDS

A RID is a sub-authority value, as part of either a SID, or in the case of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1 @@ -7938,8 +7953,8 @@ CLASS="SECT3" CLASS="SECT3" >9.8.2.1. Well-known RID users9.8.2.1. Well-known RID users

Groupname: 9.8.2.2. Well-known RID groups9.8.2.2. Well-known RID groups

Groupname: 9.8.2.3. Well-known RID aliases9.8.2.3. Well-known RID aliases

Groupname: 10.1. Abstract10.1. Abstract

The purpose of this document is to provide some insight into Samba's printing functionality and also to describe the semantics @@ -8156,13 +8171,13 @@ CLASS="SECT1" CLASS="SECT1" >10.2. Printing Interface to Various Back ends10.2. Printing Interface to Various Back ends

Samba uses a table of function pointers to seven functions. The -function prototypes are defined in the printifprintif structure declared in 10.3. Print Queue TDB's10.3. Print Queue TDB's

Samba provides periodic caching of the output from the "lpq command" for performance reasons. This cache time is configurable in seconds. @@ -8274,7 +8289,7 @@ struct printjob { for the UNIX job id returned from the "lpq command" and a Windows job ID (32-bit bounded by PRINT_MAX_JOBID). When a print job is returned by the "lpq command" that does not match an existing job in the queue's -TDB, a 32-bit job ID above the <*vance doesn't know what word is missing here*> is generating by adding UNIX_JOB_START to +TDB, a 32-bit job ID above the <*vance doesn't know what word is missing here*> is generating by adding UNIX_JOB_START to the id reported by lpq.

In order to match a 32-bit Windows jobid onto a 16-bit lanman print job @@ -8294,14 +8309,12 @@ TYPE="1" >

Check to see if another smbd is currently in the process of updating the queue contents by checking the pid - stored in LOCK/LOCK/printer_nameprinter_name. If so, then do not update the TDB.

10.4. ChangeID and Client Caching of Printer Information10.4. ChangeID and Client Caching of Printer Information

[To be filled in later]

10.5. Windows NT/2K Printer Change Notify10.5. Windows NT/2K Printer Change Notify

When working with Windows NT+ clients, it is possible for a print server to use RPC to send asynchronous change notification @@ -8455,7 +8468,7 @@ C: Send a RFFPCN request with the previously obtained to monitor, or (b) a PRINTER_NOTIFY_OPTIONS structure containing the event information to monitor. The windows spooler has only been observed to use (b). -S: The <* another missing word*> opens a new TCP session to the client (thus requiring +S: The <* another missing word*> opens a new TCP session to the client (thus requiring all print clients to be CIFS servers as well) and sends a ReplyOpenPrinter() request to the client. C: The client responds with a printer handle that can be used to @@ -8533,9 +8546,9 @@ information

A A SPOOL_NOTIFY_INFOSPOOL_NOTIFY_INFO contains:

The The SPOOL_NOTIFY_INFO_DATASPOOL_NOTIFY_INFO_DATA entries contain:

11.1. WINS Failover11.1. WINS Failover

The current Samba codebase possesses the capability to use groups of WINS servers that share a common namespace for NetBIOS name registration and @@ -8620,7 +8633,7 @@ resolution. The formal parameter syntax is

	WINS_SERVER_PARAM 	= SERVER [ SEPARATOR SERVER_LIST ]
-	WINS_SERVER_PARAM 	= "wins server"
+	WINS_SERVER_PARAM 	= "wins server"
 	SERVER 			= ADDR[:TAG]
 	ADDR 			= ip_addr | fqdn
 	TAG 			= string
@@ -8637,7 +8650,7 @@ CLASS="PROGRAMLISTING"
 >
In the event that no TAG is defined in for a SERVER in the list, smbd assigns a default
-TAG of "*".  A TAG is used to group servers of a shared NetBIOS namespace together.  Upon
+TAG of "*".  A TAG is used to group servers of a shared NetBIOS namespace together.  Upon
 startup, nmbd will attempt to register the netbios name value with one server in each
 tagged group.
Using this configuration, nmbd would attempt to register the server's NetBIOS name 
-with one WINS server in each group.  Because the "eth0" group has two servers, the 
+with one WINS server in each group.  Because the "eth0" group has two servers, the 
 second server would only be used when a registration (or resolution) request to 
 the first server in that group timed out.
12.1. Security in the 'new SAM'12.1. Security in the 'new SAM'
One of the biggest problems with passdb is it's implementation of
 'security'.  Access control is on a 'are you root at the moment' basis,
@@ -8752,8 +8765,8 @@ CLASS="SECT1"
 CLASS="SECT1"
 >12.2. Standalone from UNIX12.2. Standalone from UNIX
One of the primary tenants of the 'new SAM' is that it would not attempt
 to deal with 'what unix id for that'.  This would be left to the 'SMS'
@@ -8771,8 +8784,8 @@ CLASS="SECT1"
 CLASS="SECT1"
 >12.3. Handles and Races in the new SAM12.3. Handles and Races in the new SAM
One of the things that the 'new SAM' work has tried to face is both
 compatibility with existing code, and a closer alignment to the SAMR
@@ -8814,16 +8827,16 @@ CLASS="SECT1"
 CLASS="SECT1"
 >12.4. Layers12.4. Layers
12.4.1. Application
12.4.1. Application
This is where smbd, samtest and whatever end-user replacement we have
 for pdbedit sits.  They use only the SAM interface, and do not get
@@ -8835,8 +8848,8 @@ CLASS="SECT2"
 CLASS="SECT2"
 >12.4.2. SAM Interface12.4.2. SAM Interface
This level 'owns' the various handle structures, the get/set routines on
 those structures and provides the public interface.  The application
@@ -8855,8 +8868,8 @@ CLASS="SECT2"
 CLASS="SECT2"
 >12.4.3. SAM Modules12.4.3. SAM Modules
These do not communicate with the application directly, only by setting
 values in the handles, and receiving requests from the interface.  These
@@ -8873,16 +8886,16 @@ CLASS="SECT1"
 CLASS="SECT1"
 >12.5. SAM Modules12.5. SAM Modules
12.5.1. Special Module: sam_passdb
12.5.1. Special Module: sam_passdb
In order for there to be a smooth transition, kai is writing a module
 that reads existing passdb backends, and translates them into SAM
@@ -8896,8 +8909,8 @@ CLASS="SECT2"
 CLASS="SECT2"
 >12.5.2. sam_ads12.5.2. sam_ads
This is the first of the SAM modules to be committed to the tree -
 mainly because I needed to coordinate work with metze (who authored most
@@ -8918,8 +8931,8 @@ CLASS="SECT1"
 CLASS="SECT1"
 >12.6. Memory Management12.6. Memory Management
 
 The 'new SAM' development effort also concerned itself with getting a
@@ -8974,8 +8987,8 @@ CLASS="SECT1"
 CLASS="SECT1"
 >12.7. Testing12.7. Testing
Testing is vital in any piece of software, and Samba is certainly no
 exception. In designing this new subsystem, we have taken care to ensure
@@ -8994,9 +9007,9 @@ it particularly valuable.
Example useage:
$$ bin/samtest13.1. Introduction13.1. Introduction
With the development of LanManager and Windows NT 
 	compatible password encryption for Samba, it is now able 
@@ -9051,8 +9064,8 @@ CLASS="SECT1"
 CLASS="SECT1"
 >13.2. How does it work?13.2. How does it work?
LanManager encryption is somewhat similar to UNIX 
 	password encryption. The server uses a file containing a 
@@ -9116,11 +9129,11 @@ CLASS="SECT1"
 CLASS="SECT1"
 >13.3. >The smbpasswd file>The smbpasswd file
In order for Samba to participate in the above protocol 
 	it must be able to look up the 16 byte hashed values given a user name.
@@ -9151,28 +9164,24 @@ CLASS="FILENAME"
 	 file use the following command:
$ $ cat /etc/passwd | mksmbpasswd.sh
-	> /usr/local/samba/private/smbpasswd
If you are running on a system that uses NIS, use
$ $ ypcat passwd | mksmbpasswd.sh
-	> /usr/local/samba/private/smbpasswd
The 
username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
-	[Account type]:LCT-<last-change-time>:Long name
+	[Account type]:LCT-<last-change-time>:Long name
 	
Although only the Although only the usernameusername, 
-	uid, uid, 	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,
-	[Account type] and Account type] and 	last-change-time	last-change-time sections are significant 
 	and are looked at in the Samba code.
To set a user to have no password (not recommended), edit the file
 	using vi, and replace the first 11 characters with the ascii text
-	"NO PASSWORD""NO PASSWORD" (minus the quotes).
For example, to clear the password for user bob, his smbpasswd file 
@@ -9333,8 +9332,8 @@ CLASS="SECT1"
 CLASS="SECT1"
 >14.1. About14.1. About
This document describes how to make use the new RPC Pluggable Modules features
 of Samba 3.0.  This architecture was added to increase the maintainability of
@@ -9348,13 +9347,13 @@ CLASS="SECT1"
 CLASS="SECT1"
 >14.2. General Overview14.2. General Overview
When an RPC call is sent to smbd, smbd tries to load a shared library by the
 name librpc_<pipename>.solibrpc_<pipename>.so to handle the call if
 it doesn't know how to handle the call internally.  For instance, LSA calls
 are handled by ..
 These shared libraries should be located in the <sambaroot>/lib/rpc<sambaroot>/lib/rpc.  smbd then attempts to call the rpc_pipe_init function within
 the shared library.
SAMBA Project DocumentationSAMBA Project DocumentationSAMBA Project Documentation
1.1. Read the man pagesObtaining and installing samba
1.2. Building the BinariesConfiguring samba
1.3. The all important step
1.4. Create the smb configuration file.
1.5. Test your config file with 
-	testparm
1.6. Starting the smbd and nmbd
1.7. Try listing the shares available on your 
 	server
1.8. 1.4. Try connecting with the unix client
1.9. 1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, 
 	Win2k, OS/2, etc... client
1.10. 1.6. What If Things Don't Work?
2.1. Discussion
2.2. Use of the "Remote Announce" parameter
2.3. Use of the "Remote Browse Sync" parameter
2.4. Use of WINS
2.5. Do NOT use more than one (1) protocol on MS Windows machines
2.6. Name Resolution Order
3.1. Introduction
3.2. Important Notes About Security
3.3. The smbpasswd Command
3.4. Plain text
3.5. TDB
3.6. LDAP
3.7. MySQL
3.8. Passdb XML plugin
5.1. Prerequisite Reading
5.2. Background
5.3. Configuring the Samba Domain Controller
5.4. Creating Machine Trust Accounts and Joining Clients to the
 Domain
5.5. Common Problems and Errors
5.6. System Policies and Profiles
5.7. What other help can I get?
5.8. Domain Control for Windows 9x/ME
5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & SambaDOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
6.1. Prerequisite Reading
6.2. Background
6.3. What qualifies a Domain Controller on the network?
6.4. Can Samba be a Backup Domain Controller to an NT PDC?
6.5. How do I set up a Samba BDC?
7.1. Installing the required packages for Debian
7.2. Installing the required packages for RedHat
7.3. Compile Samba
7.4. Setup your /etc/krb5.conf
7.5. Create the computer account
7.6. Test your server setup
7.7. Testing with smbclient
7.8. Notes
8.1. Joining an NT Domain with Samba 3.0
8.2. Samba and Windows 2000 Domains
8.3. Why is this better than security = server?
9.1. Agenda
9.2. Name Resolution in a pure Unix/Linux world
9.3. Name resolution as used within MS Windows networking
9.4. How browsing functions and how to deploy stable and 
 dependable browsing using Samba
9.5. MS Windows security options and how to configure 
 Samba for seemless integration
9.6. Conclusions
10.1. Viewing and changing UNIX permissions using the NT 
 	security dialogs
10.2. How to view file security on a Samba share
10.3. Viewing file ownership
10.4. Viewing file or directory permissions
10.5. Modifying file or directory permissions
10.6. Interaction with the standard Samba create mask 
 	parameters
10.7. Interaction with the standard Samba file attribute 
 	mapping
11.1. Samba and PAM
11.2. Distributed Authentication
11.3. PAM Configuration in smb.conf
12.1. Instructions
13.1. Introduction
13.2. Configuration
13.3. The Imprints Toolset
13.4. Diagnosis
14.1. Abstract
14.2. Introduction
14.3. What Winbind Provides
14.4. How Winbind Works
14.5. Installation and Configuration
14.6. Limitations
14.7. Conclusion
15.1. Overview of browsing
15.2. Browsing support in samba
15.3. Problem resolution
15.4. Browsing across subnets
15.5. Setting up a WINS server
15.6. Setting up Browsing in a WORKGROUP
15.7. Setting up Browsing in a DOMAIN
15.8. Forcing samba to be the master
15.9. Making samba the domain master
15.10. Note about broadcast addresses
15.11. Multiple interfaces
16.1. Introduction and configuration
16.2. Included modules
16.3. VFS modules available elsewhere
17. Access Samba source code via CVS
17.1. Introduction
17.2. CVS Access to samba.org
18. Group mapping HOWTO
19. 18. Samba performance issues
19.1. 18.1. Comparisons
19.2. 18.2. Socket options
19.3. 18.3. Read size
19.4. 18.4. Max xmit
19.5. 18.5. Log level
19.6. 18.6. Read raw
19.7. 18.7. Write raw
19.8. 18.8. Slow Clients
19.9. 18.9. Slow Logins
19.10. 18.10. Client tuning
20. 19. Creating Group ProfilesCreating Group Prolicy Files
20.1. 19.1. Windows '9x
20.2. 19.2. Windows NT 4
20.3. 19.3. Windows 2000/XP
20. Securing Samba
20.1. Introduction
20.2. Using host based protection
20.3. Using interface protection
20.4. Using a firewall
20.5. Using a IPC$ share deny
20.6. Upgrading Samba
21.1. HPUX
21.2. SCO Unix
21.3. DNIX
21.4. RedHat Linux Rembrandt-II
21.5. AIX
22.1. Macintosh clients?
22.2. OS2 Client
22.3. Windows for Workgroups
22.4. Windows '95/'98
22.5. Windows 2000 Service Pack 2
23. How to compile SAMBA
23.1. Access Samba source code via CVS
23.2. Accessing the samba sources via rsync and ftp
23.3. Building the Binaries
23.4. Starting the smbd and nmbd
24. Reporting Bugs
23.1. 24.1. Introduction
23.2. 24.2. General info
23.3. 24.3. Debug levels
23.4. 24.4. Internal errors
23.5. 24.5. Attaching to a running process
23.6. 24.6. Patches
24. 25. Diagnosing your samba serverThe samba checklist
24.1. 25.1. Introduction
24.2. 25.2. Assumptions
24.3. 25.3. Tests
24.4. 25.4. Still having troubles?
1.1. Read the man pagesObtaining and installing samba
1.2. Building the Binaries
1.3. The all important step
1.4. Create the smb configuration file.
1.5. Test your config file with 
-	testparm
1.6. Starting the smbd and nmbdConfiguring samba
1.6.1. Starting from inetd.conf1.2.1. Editing the smb.conf file
1.6.2. Alternative: starting it as a daemon1.2.2. SWAT
1.7. 1.3. Try listing the shares available on your 
 	server
1.8. 1.4. Try connecting with the unix client
1.9. 1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, 
 	Win2k, OS/2, etc... client
1.10. 1.6. What If Things Don't Work?
1.10.1. Diagnosing Problems
1.10.2. 1.6.1. Scope IDs
1.10.3. Choosing the Protocol Level
1.10.4. Printing from UNIX to a Client PC
1.10.5. 1.6.2. Locking
1.10.6. Mapping Usernames
2.1. Discussion
2.2. Use of the "Remote Announce" parameter
2.3. Use of the "Remote Browse Sync" parameter
2.4. Use of WINS
2.5. Do NOT use more than one (1) protocol on MS Windows machines
2.6. Name Resolution Order
3.1. Introduction
3.2. Important Notes About Security
3.2.1. Advantages of SMB Encryption
3.2.2. Advantages of non-encrypted passwords
3.3. The smbpasswd Command
3.4. Plain text
3.5. TDB
3.6. LDAP
3.6.1. Introduction
3.6.2. Introduction
3.6.3. Supported LDAP Servers
3.6.4. Schema and Relationship to the RFC 2307 posixAccount
3.6.5. Configuring Samba with LDAP
3.6.6. Accounts and Groups management
3.6.7. Security and sambaAccount
3.6.8. LDAP specials attributes for sambaAccounts
3.6.9. Example LDIF Entries for a sambaAccount
3.7. MySQL
3.7.1. Building
3.7.2. Creating the database
3.7.3. Configuring
3.7.4. Using plaintext passwords or encrypted password
3.7.5. Getting non-column data from the table
3.8. Passdb XML plugin
3.8.1. Building
3.8.2. Usage
1.1. Read the man pages
The man pages distributed with SAMBA contain 
-	lots of useful info that will help to get you started. 
-	If you don't know how to read man pages then try 
-	something like:
1.1. Obtaining and installing samba
$ man smbd.8Binary packages of samba are included in almost any Linux or 
+	Unix distribution. There are also some packages available at 
+	the samba homepage
-	or 
-	$ nroff -man smbd.8 | more
-	 on older unixes.
Other sources of information are pointed to 
-	by the Samba web site,	http://www.samba.org
If you need to compile samba from source, check the 
+	appropriate appendix chapter.
1.2. Building the Binaries
1.2. Configuring samba
To do this, first run the program ./configure
-	 in the source directory. This should automatically 
-	configure Samba for your operating system. If you have unusual 
-	needs then you may wish to run
Samba's configuration is stored in the smb.conf file, 
+	that usually resides in /etc/samba/smb.conf 
+	or /usr/local/samba/lib/smb.conf. You can either 
+	edit this file yourself or do it using one of the many graphical 
+	tools that are available, such as the web-based interface swat, that 
+	is included with samba.
1.2.1. Editing the smb.conf file
root# ./configure --help
-	
There are sample configuration files in the examples 
+	subdirectory in the distribution. I suggest you read them 
+	carefully so you can see how the options go together in 
+	practice. See the man page for all the options.
first to see what special options you can enable.
-	Then executing
The simplest useful configuration file would be 
+	something like this:
root# make
	[global]
+	   workgroup = MYGROUP
+
+	   [homes]
+	      guest ok = no
+	      read only = no
+	
will create the binaries. Once it's successfully 
-	compiled you can use 
which would allow connections by anyone with an 
+	account on the server, using either their login name or 
+	"homes" as the service name. (Note that I also set the 
+	workgroup that Samba is part of. See BROWSING.txt for details)
root# make install
to install the binaries and manual pages. You can 
-	separately install the binaries and/or man pages using
root# make installbin
-	
and
root# make installman
-	
Note that if you are upgrading for a previous version 
-	of Samba you might like to know that the old versions of 
-	the binaries will be renamed with a ".old" extension. You 
-	can go back to the previous version with
root# make revert
-	
if you find this version a disaster!
1.3. The all important step
At this stage you must fetch yourself a 
-	coffee or other drink you find stimulating. Getting the rest 
-	of the install right can sometimes be tricky, so you will 
-	probably need it.
If you have installed samba before then you can skip 
-	this step.
1.4. Create the smb configuration file.
There are sample configuration files in the examples 
-	subdirectory in the distribution. I suggest you read them 
-	carefully so you can see how the options go together in 
-	practice. See the man page for all the options.
The simplest useful configuration file would be 
-	something like this:
	[global]
-	   workgroup = MYGROUP
-
-	   [homes]
-	      guest ok = no
-	      read only = no
-	
which would allow connections by anyone with an 
-	account on the server, using either their login name or 
-	"homes" as the service name. (Note that I also set the 
-	workgroup that Samba is part of. See BROWSING.txt for details)
Note that Note that make install will not install 
 	a 
For more information about security settings for the 
 	[homes] share please refer to the document UNIX_SECURITY.txt.
1.5. Test your config file with 
+NAME="AEN50"
+>1.2.1.1. Test your config file with 
 	testparm
It's important that you test the validity of your
 	smb.conf!
1.2.2. SWAT
	SWAT is a web-based interface that helps you configure samba. 
+	SWAT might not be available in the samba package on your platform, 
+	but in a seperate package. Please read the swat manpage 
+	on compiling, installing and configuring swat from source.
+	
To launch SWAT just run your favorite web browser and 
+	point it at "http://localhost:901/". Replace localhost with the name of the computer you are running samba on if you 
+	are running samba on a different computer then your browser.
Note that you can attach to SWAT from any IP connected 
+	machine but connecting from a remote machine leaves your 
+	connection open to password sniffing as passwords will be sent 
+	in the clear over the wire. 
1.6. Starting the smbd and nmbd
1.3. Try listing the shares available on your 
+	server
You must choose to start smbd and nmbd either
-	as daemons or from inetd. Don't try
-	to do both!  Either you can put them in 	inetd.conf and have them started on demand
-	by inetd, or you can start them as
-	daemons either from the command line or in 	/etc/rc.local. See the man pages for details
-	on the command line options. Take particular care to read
-	the bit about what user you need to be in order to start
-	Samba.  In many cases you must be root.
$ smbclient -L 
+	yourhostname
The main advantage of starting smbd
-	and You should get back a list of shares available on 
+	your server. If you don't then something is incorrectly setup. 
+	Note that this method can also be used to see what shares 
+	are available on other LanManager clients (such as WfWg).
If you choose user level security then you may find 
+	that Samba requests a password before it will list the shares. 
+	See the nmbd using the recommended daemon method
-	is that they will respond slightly more quickly to an initial connection
-	request.
smbclient man page for details. (you 
+	can force it to list the shares without a password by
+	adding the option -U% to the command line. This will not work 
+	with non-Samba servers)
1.6.1. Starting from inetd.conf
1.4. Try connecting with the unix client
NOTE; The following will be different if 
-		you use NIS or NIS+ to distributed services maps.
$ smbclient 	//yourhostname/aservice
Look at your Typically the yourhostname 
+	would be the name of the host where you installed 	smbd. The aservice is 
+	any service you have defined in the /etc/services. 
-		What is defined at port 139/tcp. If nothing is defined 
-		then add a line like this:
smb.conf 
+	file. Try your user name if you just have a [homes] section
+	in smb.conf.
For example if your unix host is bambi and your login 
+	name is fred you would type:
$ netbios-ssn     139/tcpsmbclient //bambi/fred
+	
1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, 
+	Win2k, OS/2, etc... client
similarly for 137/udp you should have an entry like:
Try mounting disks. eg:
C:\WINDOWS\> netbios-ns	137/udpnet use d: \\servername\service
+	
Next edit your /etc/inetd.conf 
-		and add two lines something like this:
Try printing. eg:
		netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
-		netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd 
-		
C:\WINDOWS\> net use lpt1:
+	\\servername\spoolservice
The exact syntax of /etc/inetd.conf 
-		varies between unixes. Look at the other entries in inetd.conf 
-		for a guide.
C:\WINDOWS\> print filename
+	
NOTE: Some unixes already have entries like netbios_ns 
-		(note the underscore) in /etc/services. 
-		You must either edit /etc/services or
-		/etc/inetd.conf to make them consistent.
Celebrate, or send me a bug report!
1.6. What If Things Don't Work?
NOTE: On many systems you may need to use the 
-		"interfaces" option in smb.conf to specify the IP address 
-		and netmask of your interfaces. Run ifconfig 
-		as root if you don't know what the broadcast is for your
-		net. nmbd tries to determine it at run 
-		time, but fails on some unixes. See the section on "testing nmbd" 
-		for a method of finding if you need to do this.
Then you might read the file HOWTO chapter Diagnosis and the 
+	FAQ. If you are still stuck then try the mailing list or 
+	newsgroup (look in the README for details). Samba has been 
+	successfully installed at thousands of sites worldwide, so maybe 
+	someone else has hit your problem and has overcome it. You could 
+	also use the WWW site to scan back issues of the samba-digest.
!!!WARNING!!! Many unixes only accept around 5 
-		parameters on the command line in inetd.conf. 
-		This means you shouldn't use spaces between the options and 
-		arguments, or you should use a script, and start the script 
-		from inetd.
When you fix the problem please send some 
+	updates of the documentation (or source code) to one of 
+	the documentation maintainers or the list.
+	
1.6.1. Scope IDs
Restart inetd, perhaps just send 
-		it a HUP. If you have installed an earlier version of 		nmbd then you may need to kill nmbd as well.
By default Samba uses a blank scope ID. This means 
+		all your windows boxes must also have a blank scope ID. 
+		If you really want to use a non-blank scope ID then you will 
+		need to use the 'netbios scope' smb.conf option.
+        All your PCs will need to have the same setting for 
+		this to work. I do not recommend scope IDs.
1.6.2. Alternative: starting it as a daemon
1.6.2. Locking
To start the server as a daemon you should create 
-		a script something like this one, perhaps calling 
-		it startsmb.
One area which sometimes causes trouble is locking.
		#!/bin/sh
-		/usr/local/samba/bin/smbd -D 
-		/usr/local/samba/bin/nmbd -D 
-		
There are two types of locking which need to be 
+		performed by a SMB server. The first is "record locking" 
+		which allows a client to lock a range of bytes in a open file. 
+		The second is the "deny modes" that are specified when a file 
+		is open.
then make it executable with chmod 
-		+x startsmb
Record locking semantics under Unix is very
+		different from record locking under Windows. Versions
+		of Samba before 2.2 have tried to use the native
+		fcntl() unix system call to implement proper record
+		locking between different Samba clients. This can not
+		be fully correct due to several reasons. The simplest
+		is the fact that a Windows client is allowed to lock a
+		byte range up to 2^32 or 2^64, depending on the client
+		OS. The unix locking only supports byte ranges up to
+		2^31. So it is not possible to correctly satisfy a
+		lock request above 2^31. There are many more
+		differences, too many to be listed here.
You can then run startsmb by 
-		hand or execute it from /etc/rc.local
-		
Samba 2.2 and above implements record locking
+		completely independent of the underlying unix
+		system. If a byte range lock that the client requests
+		happens to fall into the range 0-2^31, Samba hands
+		this request down to the Unix system. All other locks
+		can not be seen by unix anyway.
To kill it send a kill signal to the processes 
-		nmbd and smbd.
Strictly a SMB server should check for locks before 
+		every read and write call on a file. Unfortunately with the 
+		way fcntl() works this can be slow and may overstress the 
+		rpc.lockd. It is also almost always unnecessary as clients 
+		are supposed to independently make locking calls before reads 
+		and writes anyway if locking is important to them. By default 
+		Samba only makes locking calls when explicitly asked
+		to by a client, but if you set "strict locking = yes" then it will
+		make lock checking calls on every read and write. 
NOTE: If you use the SVR4 style init system then 
-		you may like to look at the examples/svr4-startup
-		script to make Samba fit into that system.
You can also disable by range locking completely 
+		using "locking = no". This is useful for those shares that 
+		don't support locking or don't need it (such as cdroms). In 
+		this case Samba fakes the return codes of locking calls to 
+		tell clients that everything is OK.
The second class of locking is the "deny modes". These 
+		are set by an application when it opens a file to determine 
+		what types of access should be allowed simultaneously with 
+		its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE 
+		or DENY_ALL. There are also special compatibility modes called 
+		DENY_FCB and  DENY_DOS.

1.7. Try listing the shares available on your - server

$ smbclient -L - yourhostname

Chapter 2. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide

You should get back a list of shares available on - your server. If you don't then something is incorrectly setup. - Note that this method can also be used to see what shares - are available on other LanManager clients (such as WfWg).

This document should be read in conjunction with Browsing and may +be taken as the fast track guide to implementing browsing across subnets +and / or across workgroups (or domains). WINS is the best tool for resolution +of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling +except by way of name to address mapping.

If you choose user level security then you may find - that Samba requests a password before it will list the shares. - See the smbclient man page for details. (you - can force it to list the shares without a password by - adding the option -U% to the command line. This will not work - with non-Samba servers)

Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS +over TCP/IP. Samba-3 and later also supports this mode of operation.

1.8. Try connecting with the unix client

2.1. Discussion

$ smbclient //yourhostname/aservice

Firstly, all MS Windows networking is based on SMB (Server Message +Block) based messaging. SMB messaging may be implemented using NetBIOS or +without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP. +MS Windows products can do likewise. NetBIOS based networking uses broadcast +messaging to affect browse list management. When running NetBIOS over +TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast.

Typically the yourhostname - would be the name of the host where you installed smbd. The aservice is - any service you have defined in the smb.conf - file. Try your user name if you just have a [homes] section - in smb.conf.

Normally, only unicast UDP messaging can be forwarded by routers. The +"remote announce" parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the "remote browse sync" +parameter of smb.conf implements browse list collation using unicast UDP.

For example if your unix host is bambi and your login - name is fred you would type:

Secondly, in those networks where Samba is the only SMB server technology +wherever possible nmbd should be configured on one (1) machine as the WINS +server. This makes it easy to manage the browsing environment. If each network +segment is configured with it's own Samba WINS server, then the only way to +get cross segment browsing to work is by using the "remote announce" and +the "remote browse sync" parameters to your smb.conf file.

$ smbclient //bambi/fred -

If only one WINS server is used for an entire multi-segment network then +the use of the "remote announce" and the "remote browse sync" parameters +should NOT be necessary.

As of Samba-3 WINS replication is being worked on. The bulk of the code has +been committed, but it still needs maturation.

Right now samba WINS does not support MS-WINS replication. This means that +when setting up Samba as a WINS server there must only be one nmbd configured +as a WINS server on the network. Some sites have used multiple Samba WINS +servers for redundancy (one server per subnet) and then used "remote browse +sync" and "remote announce" to affect browse list collation across all +segments. Note that this means clients will only resolve local names, +and must be configured to use DNS to resolve names on other subnets in +order to resolve the IP addresses of the servers they can see on other +subnets. This setup is not recommended, but is mentioned as a practical +consideration (ie: an 'if all else fails' scenario).

Lastly, take note that browse lists are a collection of unreliable broadcast +messages that are repeated at intervals of not more than 15 minutes. This means +that it will take time to establish a browse list and it can take up to 45 +minutes to stabilise, particularly across network segments.

1.9. Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client

Try mounting disks. eg:

C:\WINDOWS\> net use d: \\servername\service -

Try printing. eg:

C:\WINDOWS\> net use lpt1: - \\servername\spoolservice

C:\WINDOWS\> print filename -

Celebrate, or send me a bug report!

1.10. What If Things Don't Work?

If nothing works and you start to think "who wrote - this pile of trash" then I suggest you do step 2 again (and - again) till you calm down.

Then you might read the file DIAGNOSIS.txt and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. You could - also use the WWW site to scan back issues of the samba-digest.

When you fix the problem PLEASE send me some updates to the - documentation (or source code) so that the next person will find it - easier.

1.10.1. Diagnosing Problems

If you have installation problems then go to the - Diagnosis chapter to try to find the - problem.

1.10.2. Scope IDs

By default Samba uses a blank scope ID. This means - all your windows boxes must also have a blank scope ID. - If you really want to use a non-blank scope ID then you will - need to use the 'netbios scope' smb.conf option. - All your PCs will need to have the same setting for - this to work. I do not recommend scope IDs.

1.10.3. Choosing the Protocol Level

The SMB protocol has many dialects. Currently - Samba supports 5, called CORE, COREPLUS, LANMAN1, - LANMAN2 and NT1.

You can choose what maximum protocol to support - in the smb.conf file. The default is - NT1 and that is the best for the vast majority of sites.

In older versions of Samba you may have found it - necessary to use COREPLUS. The limitations that led to - this have mostly been fixed. It is now less likely that you - will want to use less than LANMAN1. The only remaining advantage - of COREPLUS is that for some obscure reason WfWg preserves - the case of passwords in this protocol, whereas under LANMAN1, - LANMAN2 or NT1 it uppercases all passwords before sending them, - forcing you to use the "password level=" option in some cases.

The main advantage of LANMAN2 and NT1 is support for - long filenames with some clients (eg: smbclient, Windows NT - or Win95).

See the smb.conf(5) manual page for more details.

Note: To support print queue reporting you may find - that you have to use TCP/IP as the default protocol under - WfWg. For some reason if you leave Netbeui as the default - it may break the print queue reporting on some systems. - It is presumably a WfWg bug.

1.10.4. Printing from UNIX to a Client PC

To use a printer that is available via a smb-based - server from a unix host with LPR you will need to compile the - smbclient program. You then need to install the script - "smbprint". Read the instruction in smbprint for more details. -

There is also a SYSV style script that does much - the same thing called smbprint.sysv. It contains instructions.

See the CUPS manual for information about setting up - printing from a unix host with CUPS to a smb-based server.

1.10.5. Locking

One area which sometimes causes trouble is locking.

There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open.

Record locking semantics under Unix is very - different from record locking under Windows. Versions - of Samba before 2.2 have tried to use the native - fcntl() unix system call to implement proper record - locking between different Samba clients. This can not - be fully correct due to several reasons. The simplest - is the fact that a Windows client is allowed to lock a - byte range up to 2^32 or 2^64, depending on the client - OS. The unix locking only supports byte ranges up to - 2^31. So it is not possible to correctly satisfy a - lock request above 2^31. There are many more - differences, too many to be listed here.

Samba 2.2 and above implements record locking - completely independent of the underlying unix - system. If a byte range lock that the client requests - happens to fall into the range 0-2^31, Samba hands - this request down to the Unix system. All other locks - can not be seen by unix anyway.

Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write.

You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK.

The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatibility modes called - DENY_FCB and DENY_DOS.

1.10.6. Mapping Usernames

If you have different usernames on the PCs and - the unix server then take a look at the "username map" option. - See the smb.conf man page for details.

Chapter 2. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide

This document should be read in conjunction with Browsing and may -be taken as the fast track guide to implementing browsing across subnets -and / or across workgroups (or domains). WINS is the best tool for resolution -of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling -except by way of name to address mapping.

2.1. Discussion

Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging is implemented using NetBIOS. Samba -implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can -do likewise. NetBIOS based networking uses broadcast messaging to affect -browse list management. When running NetBIOS over TCP/IP this uses UDP -based messaging. UDP messages can be broadcast or unicast.

Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP.

Secondly, in those networks where Samba is the only SMB server technology -wherever possible nmbd should be configured on one (1) machine as the WINS -server. This makes it easy to manage the browsing environment. If each network -segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file.

If only one WINS server is used then the use of the "remote announce" and the -"remote browse sync" parameters should NOT be necessary.

Samba WINS does not support MS-WINS replication. This means that when setting up -Samba as a WINS server there must only be one nmbd configured as a WINS server -on the network. Some sites have used multiple Samba WINS servers for redundancy -(one server per subnet) and then used "remote browse sync" and "remote announce" -to affect browse list collation across all segments. Note that this means -clients will only resolve local names, and must be configured to use DNS to -resolve names on other subnets in order to resolve the IP addresses of the -servers they can see on other subnets. This setup is not recommended, but is -mentioned as a practical consideration (ie: an 'if all else fails' scenario).

Lastly, take note that browse lists are a collection of unreliable broadcast -messages that are repeated at intervals of not more than 15 minutes. This means -that it will take time to establish a browse list and it can take up to 45 -minutes to stabilise, particularly across network segments.

2.2. Use of the "Remote Announce" parameter

2.2. Use of the "Remote Announce" parameter

The "remote announce" parameter of smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. @@ -2225,9 +1821,9 @@ CLASS="SECT1" >

2.3. Use of the "Remote Browse Sync" parameter

2.3. Use of the "Remote Browse Sync" parameter

The "remote browse sync" parameter of smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our @@ -2248,9 +1844,9 @@ CLASS="SECT1" >

2.4. Use of WINS

2.4. Use of WINS

Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly recommended. Every NetBIOS machine registers it's name together with a @@ -2302,22 +1898,23 @@ CLASS="emphasis" CLASS="EMPHASIS" >DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d" -particularly not using it's own IP address.

use both "wins support = yes" together +with "wins server = a.b.c.d" particularly not using it's own IP address. +Specifying both will cause nmbd to refuse to start!

2.5. Do NOT use more than one (1) protocol on MS Windows machines

2.5. Do NOT use more than one (1) protocol on MS Windows machines

A very common cause of browsing problems results from installing more than one protocol on an MS Windows machine.

Every NetBIOS machine take part in a process of electing the LMB (and DMB) +>Every NetBIOS machine takes part in a process of electing the LMB (and DMB) every 15 minutes. A set of election criteria is used to determine the order of precidence for winning this election process. A machine running Samba or Windows NT will be biased so that the most suitable machine will predictably @@ -2333,6 +1930,19 @@ interface over the IPX protocol. Samba will then lose the LMB role as Windows as an LMB and thus browse list operation on all TCP/IP only machines will fail.

Windows 95, 98, 98se, Me are referred to generically as Windows 9x. +The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly +referred to as the WinNT family, but it should be recognised that 2000 and +XP/2003 introduce new protocol extensions that cause them to behave +differently from MS Windows NT4. Generally, where a server does NOT support +the newer or extended protocol, these will fall back to the NT4 protocols.

The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!

2.6. Name Resolution Order

2.6. Name Resolution Order

Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information @@ -2431,9 +2041,9 @@ CLASS="SECT1" >

3.1. Introduction

3.1. Introduction

Old windows clients send plain text passwords over the wire. Samba can check these passwords by crypting them and comparing them @@ -2472,9 +2082,9 @@ CLASS="SECT1" >

3.2. Important Notes About Security

3.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix @@ -2580,9 +2190,9 @@ CLASS="SECT2" >

3.2.1. Advantages of SMB Encryption

3.2.1. Advantages of SMB Encryption

3.2.2. Advantages of non-encrypted passwords

3.2.2. Advantages of non-encrypted passwords

3.3. The smbpasswd Command

3.3. The smbpasswd Command

The smbpasswd utility is a utility similar to the

To run smbpasswd as a normal user just type :

$ $ smbpasswdsmbpasswd

Old SMB password: Old SMB password: <type old value here - - or hit return if there was no old password><type old value here - + or hit return if there was no old password>

New SMB Password: New SMB Password: <type new value> - <type new value> +

Repeat New SMB Password: Repeat New SMB Password: <re-type new value - <re-type new value +

If the old value does not match the current value stored for @@ -2762,9 +2364,9 @@ CLASS="SECT1" >

3.4. Plain text

3.4. Plain text

Older versions of samba retrieved user information from the unix user database and eventually some other fields from the file

3.5. TDB

3.5. TDB

Samba can also store the user data in a "TDB" (Trivial Database). Using this backend doesn't require any additional configuration. This backend is recommended for new installations who @@ -2795,17 +2397,17 @@ CLASS="SECT1" >

3.6. LDAP

3.6. LDAP

3.6.1. Introduction

3.6.1. Introduction

This document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is @@ -2871,9 +2473,9 @@ CLASS="SECT2" >

3.6.2. Introduction

3.6.2. Introduction

Traditionally, when configuring --with-ldapsam--with-ldapsam or ---with-tdbsam--with-tdbsam) requires compile time support.

When compiling Samba to include the When compiling Samba to include the --with-ldapsam--with-ldapsam autoconf option, smbd (and associated tools) will store and lookup user accounts in an LDAP directory. In reality, this is very easy to understand. If you are comfortable with using an smbpasswd file, simply replace "smbpasswd" with "LDAP directory" in all the documentation.

There are a few points to stress about what the There are a few points to stress about what the --with-ldapsam--with-ldapsam does not provide. The LDAP support referred to in the this documentation does not include:

3.6.3. Supported LDAP Servers

3.6.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with @@ -3013,9 +2607,9 @@ CLASS="SECT2" >

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURALSTRUCTURAL objectclass so it can be stored individually in the directory. However, there are several fields (e.g. uid) which overlap with the posixAccount objectclass outlined in RFC2307. This is by design.

3.6.5. Configuring Samba with LDAP

3.6.5. Configuring Samba with LDAP

3.6.5.1. OpenLDAP configuration

3.6.5.1. OpenLDAP configuration

To include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory.

root# root# cp samba.schema /etc/openldap/schema/

3.6.5.2. Configuring Samba

3.6.5.2. Configuring Samba

The following parameters are available in smb.conf only with The following parameters are available in smb.conf only with --with-ldapsam--with-ldapsam was included with compiling Samba.

secretpwsecretpw' to store the # passphrase in the secrets.tdb file. If the "ldap admin dn" values # changes, this password will need to be reset. @@ -3271,7 +2861,7 @@ CLASS="REPLACEABLE" ldap suffix = "ou=people,dc=samba,dc=org" # generally the default ldap search filter is ok - # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"

3.6.6. Accounts and Groups management

3.6.6. Accounts and Groups management

As users accounts are managed thru the sambaAccount objectclass, you should modify you existing administration tools to deal with sambaAccount attributes.

3.6.7. Security and sambaAccount

3.6.7. Security and sambaAccount

There are two important points to remember when discussing the security of sambaAccount entries in the directory.

3.6.8. LDAP specials attributes for sambaAccounts

3.6.8. LDAP specials attributes for sambaAccounts

The sambaAccount objectclass is composed of the following attributes:

  • lmPasswordlmPassword: the LANMAN password 16-byte hash stored as a character representation of a hexidecimal string.

  • ntPasswordntPassword: the NT password hash 16-byte stored as a character representation of a hexidecimal string.

  • pwdLastSetpwdLastSet: The integer time in seconds since 1970 when the - lmPassword and lmPassword and ntPasswordntPassword attributes were last set.

  • acctFlagsacctFlags: string of 11 characters surrounded by square brackets [] representing account flags such as U (user), W(workstation), X(no password expiration), and D(disabled).

  • logonTimelogonTime: Integer value currently unused

  • logoffTimelogoffTime: Integer value currently unused

  • kickoffTimekickoffTime: Integer value currently unused

  • pwdCanChangepwdCanChange: Integer value currently unused

  • pwdMustChangepwdMustChange: Integer value currently unused

  • homeDrivehomeDrive: specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" where X is the letter of the drive to map. Refer to the "logon drive" parameter in the @@ -3479,9 +3069,9 @@ CLASS="CONSTANT" >

  • scriptPathscriptPath: The scriptPath property specifies the path of the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path is relative to the netlogon share. Refer to the "logon script" parameter in the @@ -3489,18 +3079,18 @@ CLASS="CONSTANT" >

  • profilePathprofilePath: specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. Refer to the "logon path" parameter in the smb.conf(5) man page for more information.

  • smbHomesmbHome: The homeDirectory property specifies the path of the home directory for the user. The string can be null. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network @@ -3510,25 +3100,25 @@ CLASS="CONSTANT" >

  • userWorkstationuserWorkstation: character string value currently unused.

  • ridrid: the integer representation of the user's relative identifier (RID).

  • primaryGroupIDprimaryGroupID: the relative identifier (RID) of the primary group of the user.

    • smb.conf     file. When a user named "becky" logons to the domain, -the logon homelogon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value -of the logon homelogon home parameter is used in its place. Samba will only write the attribute value to the directory entry is the value is something other than the default (e.g. \\MOBY\becky).

    3.6.9. Example LDIF Entries for a sambaAccount

    3.6.9. Example LDIF Entries for a sambaAccount

    The following is a working LDIF with the inclusion of the posixAccount objectclass:

    3.7. MySQL

    3.7. MySQL

    3.7.1. Building

    3.7.1. Building

    To build the plugin, run

    3.7.2. Creating the database

    3.7.2. Creating the database

    You either can set up your own table and specify the field names to pdb_mysql (see below for the column names) or use the default table. The file mysql -umysql -uusername -husername -hhostname -phostname -ppassword password databasenamedatabasename < /path/to/samba/examples/pdb/mysql/mysql.dump

    3.7.3. Configuring

    3.7.3. Configuring

    This plugin lacks some good documentation, but here is some short info:

    3.7.4. Using plaintext passwords or encrypted password

    3.7.4. Using plaintext passwords or encrypted password

    I strongly discourage the use of plaintext passwords, however, you can use them:

    3.7.5. Getting non-column data from the table

    3.7.5. Getting non-column data from the table

    It is possible to have not all data in the database and making some 'constant'.

    3.8. Passdb XML plugin

    3.8. Passdb XML plugin

    3.8.1. Building

    3.8.1. Building

    This module requires libxml2 to be installed.

    3.8.2. Usage

    3.8.2. Usage

    The usage of pdb_xml is pretty straightforward. To export data, use: @@ -3944,7 +3522,7 @@ CLASS="TITLE" >

    Introduction

    5.1. Prerequisite Reading
    5.2. Background
    5.3. Configuring the Samba Domain Controller
    5.4. Creating Machine Trust Accounts and Joining Clients to the Domain
    5.4.1. Manual Creation of Machine Trust Accounts
    5.4.2. "On-the-Fly" Creation of Machine Trust Accounts
    5.4.3. Joining the Client to the Domain
    5.5. Common Problems and Errors
    5.6. System Policies and Profiles
    5.7. What other help can I get?
    5.8. Domain Control for Windows 9x/ME
    5.8.1. Configuration Instructions: Network Logons
    5.8.2. Configuration Instructions: Setting up Roaming User Profiles
    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & SambaDOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
    6.1. Prerequisite Reading
    6.2. Background
    6.3. What qualifies a Domain Controller on the network?
    6.3.1. How does a Workstation find its domain controller?
    6.3.2. When is the PDC needed?
    6.4. Can Samba be a Backup Domain Controller to an NT PDC?
    6.5. How do I set up a Samba BDC?
    6.5.1. How do I replicate the smbpasswd file?
    6.5.2. Can I do this all with LDAP?
    7.1. Installing the required packages for Debian
    7.2. Installing the required packages for RedHat
    7.3. Compile Samba
    7.4. Setup your /etc/krb5.conf
    7.5. Create the computer account
    7.5.1. Possible errors
    7.6. Test your server setup
    7.7. Testing with smbclient
    7.8. Notes
    8.1. Joining an NT Domain with Samba 3.0
    8.2. Samba and Windows 2000 Domains
    8.3. Why is this better than security = server?

    5.1. Prerequisite Reading

    5.1. Prerequisite Reading

    Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services @@ -4339,9 +3917,9 @@ CLASS="SECT1" >

    5.2. Background

    5.2. Background

    5.3. Configuring the Samba Domain Controller

    5.3. Configuring the Samba Domain Controller

    The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not @@ -4519,21 +4097,17 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#NETBIOSNAME" TARGET="_top" >netbios name = = POGOPOGO workgroup = = NARNIANARNIA ; we should act as the domain and local master browser @@ -4623,11 +4197,9 @@ TARGET="_top" HREF="smb.conf.5.html#WRITELIST" TARGET="_top" >write list = = ntadminntadmin ; share for storing user profiles @@ -4703,10 +4275,10 @@ CLASS="SECT1" >

    5.4. Creating Machine Trust Accounts and Joining Clients to the -Domain

    A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba @@ -4777,9 +4349,9 @@ CLASS="SECT2" >

    5.4.1. Manual Creation of Machine Trust Accounts

    5.4.1. Manual Creation of Machine Trust Accounts

    The first step in manually creating a machine trust account is to manually create the corresponding Unix account in @@ -4794,55 +4366,45 @@ CLASS="COMMAND" used to create new Unix accounts. The following is an example for a Linux based Samba server:

    root# root# /usr/sbin/useradd -g 100 -d /dev/null -c /usr/sbin/useradd -g 100 -d /dev/null -c "machine -nickname" -s /bin/false -s /bin/false machine_namemachine_name$

    root# root# passwd -l passwd -l machine_namemachine_name$

    On *BSD systems, this can be done using the 'chpass' utility:

    root# root# chpass -a "chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name$:*:101:100::0:0:Workstation machine_namemachine_name:/dev/null:/sbin/nologin"

    doppy$:x:505:501:doppy$:x:505:501:machine_nicknamemachine_nickname:/dev/null:/bin/false

    Above, Above, machine_nicknamemachine_nickname can be any descriptive name for the client, i.e., BasementComputer. -machine_namemachine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize @@ -4896,24 +4452,20 @@ CLASS="COMMAND" > command as shown here:

    root# root# smbpasswd -a -m smbpasswd -a -m machine_namemachine_name

    where where machine_namemachine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.

    5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

    5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

    The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client @@ -4995,7 +4547,7 @@ be created manually.

    [global]
-   # <...remainder of parameters...>
+   # <...remainder of parameters...>
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

    5.4.3. Joining the Client to the Domain

    5.4.3. Joining the Client to the Domain

    The procedure for joining a client to the domain varies with the version of Windows.

    5.5. Common Problems and Errors

    5.5. Common Problems and Errors

    C:\WINNT\>C:\WINNT\> net use * /d

    This problem is caused by the PDC not having a suitable machine trust account. - If you are using the add user scriptadd user script method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -5241,11 +4791,9 @@ CLASS="COMMAND"

    In order to work around this problem in 2.2.0, configure the - accountaccount control flag in

    5.6. System Policies and Profiles

    5.6. System Policies and Profiles

    Much of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for @@ -5459,9 +5007,9 @@ CLASS="SECT1" >

    5.7. What other help can I get?

    5.7. What other help can I get?

    There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come @@ -5879,9 +5427,9 @@ CLASS="SECT1" >

    5.8. Domain Control for Windows 9x/ME

    5.8. Domain Control for Windows 9x/ME

  • The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -6013,9 +5561,9 @@ CLASS="SECT2" >

    5.8.1. Configuration Instructions: Network Logons

    5.8.1. Configuration Instructions: Network Logons

    The main difference between a PDC and a Windows 9x logon server configuration is that

    There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether or not it is ok to configure Samba as a Domain Controller in security -modes other than USERUSER. The only security mode -which will not work due to technical reasons is SHARESHARE -mode security. DOMAIN and DOMAIN and SERVERSERVER mode security is really just a variation on SMB user level security.

    5.8.2. Configuration Instructions: Setting up Roaming User Profiles

    5.8.2. Configuration Instructions: Setting up Roaming User Profiles

    5.8.2.1. Windows NT Configuration

    5.8.2.1. Windows NT Configuration

    To support WinNT clients, in the [global] section of smb.conf set the following (for example):

    5.8.2.2. Windows 9X Configuration

    5.8.2.2. Windows 9X Configuration

    To support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies @@ -6254,9 +5802,9 @@ CLASS="SECT3" >

    5.8.2.3. Win9X and WinNT Configuration

    5.8.2.3. Win9X and WinNT Configuration

    You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:

    5.8.2.4. Windows 9X Profile Setup

    5.8.2.4. Windows 9X Profile Setup

    When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -6459,9 +6007,9 @@ CLASS="SECT3" >

    5.8.2.5. Windows NT Workstation 4.0

    5.8.2.5. Windows NT Workstation 4.0

    When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified @@ -6573,9 +6121,9 @@ CLASS="SECT3" >

    5.8.2.6. Windows NT Server

    5.8.2.6. Windows NT Server

    There is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the @@ -6587,9 +6135,9 @@ CLASS="SECT3" >

    5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

    5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    The registry files can be located on any Windows NT machine by opening a command prompt and typing:

    C:\WINNT\>C:\WINNT\> dir %SystemRoot%\System32\config

    The environment variable %SystemRoot% value can be obtained by typing:

    C:\WINNT>C:\WINNT>echo %SystemRoot%

    The active parts of the registry that you may want to be familiar with are @@ -6825,9 +6373,9 @@ CLASS="SECT1" >

    6.1. Prerequisite Reading

    6.1. Prerequisite Reading

    Before you continue reading in this chapter, please make sure that you are comfortable with configuring a Samba PDC @@ -6842,9 +6390,9 @@ CLASS="SECT1" >

    6.2. Background

    6.2. Background

    What is a Domain Controller? It is a machine that is able to answer logon requests from workstations in a Windows NT Domain. Whenever a @@ -6887,9 +6435,9 @@ CLASS="SECT1" >

    6.3. What qualifies a Domain Controller on the network?

    6.3. What qualifies a Domain Controller on the network?

    Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS group name SAMBA#1c with the WINS server and/or @@ -6904,9 +6452,9 @@ CLASS="SECT2" >

    6.3.1. How does a Workstation find its domain controller?

    6.3.1. How does a Workstation find its domain controller?

    A NT workstation in the domain SAMBA that wants a local user to be authenticated has to find the domain controller for SAMBA. It does @@ -6923,9 +6471,9 @@ CLASS="SECT2" >

    6.3.2. When is the PDC needed?

    6.3.2. When is the PDC needed?

    Whenever a user wants to change his password, this has to be done on the PDC. To find the PDC, the workstation does a NetBIOS name query @@ -6939,9 +6487,9 @@ CLASS="SECT1" >

    6.4. Can Samba be a Backup Domain Controller to an NT PDC?

    6.4. Can Samba be a Backup Domain Controller to an NT PDC?

    With version 2.2, no. The native NT SAM replication protocols have not yet been fully implemented. The Samba Team is working on @@ -6962,9 +6510,9 @@ CLASS="SECT1" >

    6.5. How do I set up a Samba BDC?

    6.5. How do I set up a Samba BDC?

    Several things have to be done:

    6.5.1. How do I replicate the smbpasswd file?

    6.5.1. How do I replicate the smbpasswd file?

    Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change is @@ -7050,9 +6598,9 @@ CLASS="SECT2" >

    6.5.2. Can I do this all with LDAP?

    6.5.2. Can I do this all with LDAP?

    The simple answer is YES. Samba's pdb_ldap code supports binding to a replica LDAP server, and will also follow referrals and @@ -7106,9 +6654,9 @@ CLASS="SECT1" >

    7.1. Installing the required packages for Debian

    7.1. Installing the required packages for Debian

    On Debian you need to install the following packages:

    7.2. Installing the required packages for RedHat

    7.2. Installing the required packages for RedHat

    On RedHat this means you should have at least:

    7.3. Compile Samba

    7.3. Compile Samba

    If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.

    7.4. Setup your /etc/krb5.conf

    7.4. Setup your /etc/krb5.conf

    The minimal configuration for krb5.conf is:

    7.5. Create the computer account

    7.5. Create the computer account

    As a user that has write permission on the Samba private directory (usually root) run: @@ -7285,9 +6833,9 @@ CLASS="SECT2" >

    7.5.1. Possible errors

    7.5.1. Possible errors

    7.6. Test your server setup

    7.6. Test your server setup

    On a Windows 2000 client try

    7.7. Testing with smbclient

    7.7. Testing with smbclient

    On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but @@ -7343,9 +6891,9 @@ CLASS="SECT1" >

    7.8. Notes

    7.8. Notes

    You must change administrator password at least once after DC install, to create the right encoding types

    8.1. Joining an NT Domain with Samba 3.0

    8.1. Joining an NT Domain with Samba 3.0

    Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1SERV1 and are joining an or Win2k NT domain called - DOMDOM, which has a PDC with a NetBIOS name - of DOMPDCDOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC1 and DOMBDC2 - .

    Firstly, you must edit your Change (or add) your security =security = line in the [global] section of your smb.conf to read:

    Next change the workgroup = workgroup = line in the [global] section to read:

    You must also have the parameter encrypt passwordsencrypt passwords set to set to yes - in order for your users to authenticate to the NT PDC.

    Finally, add (or modify) a password server =password server = line in the [global] section to read:

    In order to actually join the domain, you must run this command:

    root# root# net join -S DOMPDC - -UAdministrator%passwordAdministrator%password

    as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%passwordAdministrator%password is the login name and password for an account which has the necessary privilege to add machines to the domain. If this is successful you will see the message:

    Joined domain DOM.Joined domain DOM. - or Joined 'SERV1' to realm 'MYREALM'Joined 'SERV1' to realm 'MYREALM'

    8.2. Samba and Windows 2000 Domains

    8.2. Samba and Windows 2000 Domains

    Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows @@ -7582,16 +7116,16 @@ CLASS="SECT1" >

    8.3. Why is this better than security = server?

    8.3. Why is this better than security = server?

    Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching - to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs to be a local Unix user fred to represent that user in the Unix filesystem. This is very similar to the older Samba security mode @@ -7676,7 +7210,7 @@ CLASS="TITLE" >

    Introduction

    9.1. Agenda
    9.2. Name Resolution in a pure Unix/Linux world
    9.2.1. /etc/hosts
    9.2.2. /etc/resolv.conf
    9.2.3. /etc/host.conf
    9.2.4. /etc/nsswitch.conf
    9.3. Name resolution as used within MS Windows networking
    9.3.1. The NetBIOS Name Cache
    9.3.2. The LMHOSTS file
    9.3.3. HOSTS file
    9.3.4. DNS Lookup
    9.3.5. WINS Lookup
    9.4. How browsing functions and how to deploy stable and dependable browsing using Samba
    9.5. MS Windows security options and how to configure Samba for seemless integration
    9.5.1. Use MS Windows NT as an authentication server
    9.5.2. Make Samba a member of an MS Windows NT security domain
    9.5.3. Configure Samba as an authentication server
    • 9.6. Conclusions
    10.1. Viewing and changing UNIX permissions using the NT security dialogs
    10.2. How to view file security on a Samba share
    10.3. Viewing file ownership
    10.4. Viewing file or directory permissions
    10.4.1. File Permissions
    10.4.2. Directory Permissions
    10.5. Modifying file or directory permissions
    10.6. Interaction with the standard Samba create mask parameters
    10.7. Interaction with the standard Samba file attribute mapping
    11.1. Samba and PAM
    11.2. Distributed Authentication
    11.3. PAM Configuration in smb.conf
    12.1. Instructions
    12.1.1. Notes
    13.1. Introduction
    13.2. Configuration
    13.2.1. Creating [print$]
    13.2.2. Setting Drivers for Existing Printers
    13.2.3. Support a large number of printers
    13.2.4. Adding New Printers via the Windows NT APW
    13.2.5. Samba and Printer Ports
    13.3. The Imprints Toolset
    13.3.1. What is Imprints?
    13.3.2. Creating Printer Driver Packages
    13.3.3. The Imprints server
    13.3.4. The Installation Client
    13.4. Diagnosis
    13.4.1. Introduction
    13.4.2. Debugging printer problems
    13.4.3. What printers do I have?
    13.4.4. Setting up printcap and print servers
    13.4.5. Job sent, no output
    13.4.6. Job sent, strange output
    13.4.7. Raw PostScript printed
    13.4.8. Advanced Printing
    13.4.9. Real debugging
    14.1. Abstract
    14.2. Introduction
    14.3. What Winbind Provides
    14.3.1. Target Uses
    14.4. How Winbind Works
    14.4.1. Microsoft Remote Procedure Calls
    14.4.2. Microsoft Active Directory Services
    14.4.3. Name Service Switch
    14.4.4. Pluggable Authentication Modules
    14.4.5. User and Group ID Allocation
    14.4.6. Result Caching
    14.5. Installation and Configuration
    14.5.1. Introduction
    14.5.2. Requirements
    14.5.3. Testing Things Out
    14.6. Limitations
    14.7. Conclusion
    15.1. Overview of browsing
    15.2. Browsing support in samba
    15.3. Problem resolution
    15.4. Browsing across subnets
    15.4.1. How does cross subnet browsing work ?
    15.5. Setting up a WINS server
    15.6. Setting up Browsing in a WORKGROUP
    15.7. Setting up Browsing in a DOMAIN
    15.8. Forcing samba to be the master
    15.9. Making samba the domain master
    15.10. Note about broadcast addresses
    15.11. Multiple interfaces
    16.1. Introduction and configuration
    16.2. Included modules
    16.2.1. audit
    16.2.2. recycle
    16.2.3. netatalk
    16.3. VFS modules available elsewhere
    16.3.1. DatabaseFS
    16.3.2. vscan
    17. Access Samba source code via CVS
    17.1. Introduction
    17.2. CVS Access to samba.org
    17.2.1. Access via CVSweb
    17.2.2. Access via cvs
    18. Group mapping HOWTO
    19. 18. Samba performance issues
    19.1. 18.1. Comparisons
    19.2. 18.2. Socket options
    19.3. 18.3. Read size
    19.4. 18.4. Max xmit
    19.5. 18.5. Log level
    19.6. 18.6. Read raw
    19.7. 18.7. Write raw
    19.8. 18.8. Slow Clients
    19.9. 18.9. Slow Logins
    19.10. 18.10. Client tuning
    20. 19. Creating Group ProfilesCreating Group Prolicy Files
    20.1. 19.1. Windows '9x
    20.2. 19.2. Windows NT 4
    20.2.1. 19.2.1. Side bar Notes
    20.2.2. 19.2.2. Mandatory profiles
    20.2.3. 19.2.3. moveuser.exe
    20.2.4. 19.2.4. Get SID
    20.3. 19.3. Windows 2000/XP

    Chapter 9. Integrating MS Windows networks with Samba

    9.1. Agenda

    To identify the key functional mechanisms of MS Windows networking +>

    20. Securing Samba
    20.1. Introduction
    20.2. Using host based protection
    20.3. Using interface protection
    20.4. Using a firewall
    20.5. Using a IPC$ share deny
    20.6. Upgrading Samba

    Chapter 9. Integrating MS Windows networks with Samba

    9.1. Agenda

    To identify the key functional mechanisms of MS Windows networking to enable the deployment of Samba as a means of extending and/or replacing MS Windows NT/2000 technology.

    9.2. Name Resolution in a pure Unix/Linux world

    9.2. Name Resolution in a pure Unix/Linux world

    The key configuration files covered in this section are:

    9.2.1. /etc/hosts

    Contains a static list of IP Addresses and names. @@ -8642,11 +8182,11 @@ CLASS="SECT2" >

    9.2.2. /etc/resolv.conf

    This file tells the name resolution libraries:

    9.2.3. /etc/host.conf

    9.2.4. /etc/nsswitch.conf

    This file controls the actual name resolution targets. The @@ -8778,9 +8318,9 @@ CLASS="SECT1" >

    9.3. Name resolution as used within MS Windows networking

    9.3. Name resolution as used within MS Windows networking

    MS Windows networking is predicated about the name each machine is given. This name is known variously (and inconsistently) as @@ -8800,16 +8340,16 @@ the client/server.

    	Unique NetBIOS Names:
-		MACHINENAME<00>	= Server Service is running on MACHINENAME
-		MACHINENAME<03> = Generic Machine Name (NetBIOS name)
-		MACHINENAME<20> = LanMan Server service is running on MACHINENAME
-		WORKGROUP<1b> = Domain Master Browser
+		MACHINENAME<00>	= Server Service is running on MACHINENAME
+		MACHINENAME<03> = Generic Machine Name (NetBIOS name)
+		MACHINENAME<20> = LanMan Server service is running on MACHINENAME
+		WORKGROUP<1b> = Domain Master Browser
 
 	Group Names:
-		WORKGROUP<03> = Generic Name registered by all members of WORKGROUP
-		WORKGROUP<1c> = Domain Controllers / Netlogon Servers
-		WORKGROUP<1d> = Local Master Browsers
-		WORKGROUP<1e> = Internet Name Resolvers

    It should be noted that all NetBIOS machines register their own @@ -8828,7 +8368,7 @@ be needed. An example of this is what happens when an MS Windows client wants to locate a domain logon server. It find this service and the IP address of a server that provides it by performing a lookup (via a NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each +registered the name type *<1c>. A logon request is then sent to each IP address that is returned in the enumerated list of IP addresses. Which ever machine first replies then ends up providing the logon services.

    9.3.1. The NetBIOS Name Cache

    9.3.1. The NetBIOS Name Cache

    All MS Windows machines employ an in memory buffer in which is stored the NetBIOS names and IP addresses for all external @@ -8890,9 +8430,9 @@ CLASS="SECT2" >

    9.3.2. The LMHOSTS file

    9.3.2. The LMHOSTS file

    This file is usually located in MS Windows NT 4.0 or 2000 in

    9.3.3. HOSTS file

    9.3.3. HOSTS file

    This file is usually located in MS Windows NT 4.0 or 2000 in

    9.3.4. DNS Lookup

    9.3.4. DNS Lookup

    This capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence @@ -9035,9 +8575,9 @@ CLASS="SECT2" >

    9.3.5. WINS Lookup

    9.3.5. WINS Lookup

    A WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores @@ -9064,11 +8604,9 @@ CLASS="PROGRAMLISTING" wins server = xxx.xxx.xxx.xxx

    where where xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx is the IP address of the WINS server.

    9.4. How browsing functions and how to deploy stable and -dependable browsing using Samba

    As stated above, MS Windows machines register their NetBIOS names (i.e.: the machine name for each service type in operation) on start @@ -9145,10 +8683,10 @@ CLASS="SECT1" >

    9.5. MS Windows security options and how to configure -Samba for seemless integration

    MS Windows clients may use encrypted passwords as part of a challenege/response authentication model (a.k.a. NTLMv1) or @@ -9217,43 +8755,35 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#PASSWORDLEVEL" TARGET="_top" >passsword level = = integerinteger username level = = integerinteger

    By default Samba will lower case the username before attempting to lookup the user in the database of local system accounts. Because UNIX usernames conventionally only contain lower case -character, the username levelusername level parameter is rarely even needed.

    However, password on UNIX systems often make use of mixed case characters. This means that in order for a user on a Windows 9x client to connect to a Samba server using clear text authentication, -the password levelpassword level must be set to the maximum number of upper case letter which appear is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a password levelpassword level of 8 will result in case insensitive passwords as seen from Windows users. This will also result in longer login times as Samba @@ -9282,9 +8810,9 @@ CLASS="SECT2" >

    9.5.1. Use MS Windows NT as an authentication server

    9.5.1. Use MS Windows NT as an authentication server

    This method involves the additions of the following parameters in the smb.conf file:

    9.5.2. Make Samba a member of an MS Windows NT security domain

    9.5.2. Make Samba a member of an MS Windows NT security domain

    This method involves additon of the following paramters in the smb.conf file:

    9.5.3. Configure Samba as an authentication server

    9.5.3. Configure Samba as an authentication server

    This mode of authentication demands that there be on the Unix/Linux system both a Unix style account as well as an @@ -9418,9 +8946,9 @@ CLASS="SECT3" >

    9.5.3.1. Users

    9.5.3.1. Users

    A user account that may provide a home directory should be created. The following Linux system commands are typical of @@ -9430,10 +8958,10 @@ the procedure for creating an account.

    # useradd -s /bin/bash -d /home/"userid" -m "userid" # passwd "userid" - Enter Password: <pw> + Enter Password: <pw> # smbpasswd -a "userid" - Enter Password: <pw>

    9.5.3.2. MS Windows NT Machine Accounts

    9.5.3.2. MS Windows NT Machine Accounts

    These are required only when Samba is used as a domain controller. Refer to the Samba-PDC-HOWTO for more details.

    9.6. Conclusions

    9.6. Conclusions

    Samba provides a flexible means to operate as...

    10.1. Viewing and changing UNIX permissions using the NT - security dialogs

    New in the Samba 2.0.4 release is the ability for Windows NT clients to use their native security settings dialog box to @@ -9525,9 +9053,9 @@ CLASS="SECT1" >

    10.2. How to view file security on a Samba share

    10.2. How to view file security on a Samba share

    From an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted @@ -9595,9 +9123,9 @@ CLASS="SECT1" >

    10.3. Viewing file ownership

    10.3. Viewing file ownership

    Clicking on the "SERVER\user (Long name)"

    Where Where SERVERSERVER is the NetBIOS name of - the Samba server, useruser is the user name of - the UNIX user who owns the file, and (Long name)(Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). Click on the button to remove this dialog.

    If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then the file owner will be shown as the NT user

    10.4. Viewing file or directory permissions

    10.4. Viewing file or directory permissions

    The third button is the "SERVER\user (Long name)"

    Where Where SERVERSERVER is the NetBIOS name of - the Samba server, useruser is the user name of - the UNIX user who owns the file, and (Long name)(Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).

    If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then the file owner will be shown as the NT user

    10.4.1. File Permissions

    10.4.1. File Permissions

    The standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -9813,9 +9325,9 @@ CLASS="SECT2" >

    10.4.2. Directory Permissions

    10.4.2. Directory Permissions

    Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -9845,9 +9357,9 @@ CLASS="SECT1" >

    10.5. Modifying file or directory permissions

    10.5. Modifying file or directory permissions

    Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and @@ -9859,15 +9371,13 @@ CLASS="COMMAND" with the standard Samba permission masks and mapping of DOS attributes that need to also be taken into account.

    If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then any attempt to set security permissions will fail with an

    10.6. Interaction with the standard Samba create mask - parameters

    Note that with Samba 2.0.5 there are four new parameters to control this interaction. These are :

    security masksecurity mask

    force security modeforce security mode

    directory security maskdirectory security mask

    force directory security modeforce directory security mode

    Once a user clicks - security masksecurity mask parameter. Any bits that were changed that are not set to '1' in this parameter are left alone in the file permissions.

    Essentially, zero bits in the Essentially, zero bits in the security masksecurity mask mask may be treated as a set of bits the user is create mask - parameter to provide compatibility with Samba 2.0.4 where this permission change facility was introduced. To allow a user to @@ -10035,22 +9531,18 @@ CLASS="PARAMETER" the bits set in the force security modeforce security mode parameter. Any bits that were changed that correspond to bits set to '1' in this parameter are forced to be set.

    Essentially, bits set in the Essentially, bits set in the force security mode - parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.

    force - create mode parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000.

    The The security mask and security mask and force - security mode parameters are applied to the change request in that order.

    For a directory Samba will perform the same operations as - described above for a file except using the parameter directory security mask instead of directory security mask instead of security - mask, and , and force directory security mode - parameter instead of parameter instead of force security mode - .

    The The directory security maskdirectory security mask parameter - by default is set to the same value as the directory mask - parameter and the parameter and the force directory security - mode parameter by default is set to the same value as - the force directory modeforce directory mode parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced.

    file in that share specific section :

    security mask = 0777security mask = 0777

    force security mode = 0force security mode = 0

    directory security mask = 0777directory security mask = 0777

    force directory security mode = 0force directory security mode = 0

    As described, in Samba 2.0.4 the parameters :

    create maskcreate mask

    force create modeforce create mode

    directory maskdirectory mask

    force directory modeforce directory mode

    were used instead of the parameters discussed here.

    10.7. Interaction with the standard Samba file attribute - mapping

    Samba maps some of the DOS attribute bits (such as "read only") into the UNIX permissions of a file. This means there can @@ -10276,9 +9730,9 @@ CLASS="SECT1" >

    11.1. Samba and PAM

    11.1. Samba and PAM

    A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication @@ -10490,9 +9944,9 @@ CLASS="SECT1" >

    11.2. Distributed Authentication

    11.2. Distributed Authentication

    The astute administrator will realize from this that the combination of

    11.3. PAM Configuration in smb.conf

    11.3. PAM Configuration in smb.conf

    There is an option in smb.conf called

    When Samba 2.2 is configure to enable PAM support (i.e. ---with-pam--with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior @@ -10571,9 +10025,9 @@ CLASS="SECT1" >

    12.1. Instructions

    12.1. Instructions

    The Distributed File System (or Dfs) provides a means of separating the logical view of files and directories that users @@ -10589,21 +10043,17 @@ TARGET="_top" machine (for Dfs-aware clients to browse) using Samba.

    To enable SMB-based DFS for Samba, configure it with the - --with-msdfs--with-msdfs option. Once built, a Samba server can be made a Dfs server by setting the global boolean host msdfs host msdfs parameter in the msdfs root msdfs root parameter. A Dfs root directory on Samba hosts Dfs links in the form of symbolic links that point to other servers. For example, a symbolic link junction->msdfs:storage1\share1junction->msdfs:storage1\share1 in the share directory acts as the Dfs junction. When Dfs-aware clients attempt to access the junction link, they are redirected @@ -10652,54 +10100,44 @@ CLASS="PROGRAMLISTING" >In the /export/dfsroot directory we set up our dfs links to other servers on the network.

    root# root# cd /export/dfsrootcd /export/dfsroot

    root# root# chown root /export/dfsrootchown root /export/dfsroot

    root# root# chmod 755 /export/dfsrootchmod 755 /export/dfsroot

    root# root# ln -s msdfs:storageA\\shareA linkaln -s msdfs:storageA\\shareA linka

    root# root# ln -s msdfs:serverB\\share,serverC\\share linkbln -s msdfs:serverB\\share,serverC\\share linkb

    You should set up the permissions and ownership of @@ -10719,9 +10157,9 @@ CLASS="SECT2" >

    12.1.1. Notes

    12.1.1. Notes

      13.1. Introduction

      13.1. Introduction

      Beginning with the 2.2.0 release, Samba supports the native Windows NT printing mechanisms implemented via @@ -10843,9 +10281,9 @@ CLASS="SECT1" >

      13.2. Configuration

      13.2. Configuration

      However, the initial implementation allowed for a -parameter named printer driver locationprinter driver location to be used on a per share basis to specify the location of the driver files associated with that printer. Another -parameter named printer driverprinter driver provided a means of defining the printer driver name to be sent to the client.

      13.2.1. Creating [print$]

      13.2.1. Creating [print$]

      In order to support the uploading of printer driver files, you must first configure a file share named [print$]. @@ -10950,11 +10384,9 @@ CLASS="PROGRAMLISTING" >The write listwrite list is used to allow administrative level user accounts to have write access in order to update files @@ -11094,12 +10526,10 @@ one of two conditions must hold true:

      printer - admin list.

      Once you have created the required [print$] service and associated subdirectories, simply log onto the Samba server using -a root (or printer adminprinter admin) account from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or "My Network Places" and browse for the Samba host. Once you have located @@ -11132,9 +10560,9 @@ CLASS="SECT2" >

      13.2.2. Setting Drivers for Existing Printers

      13.2.2. Setting Drivers for Existing Printers

      The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned @@ -11204,9 +10632,9 @@ CLASS="SECT2" >

      13.2.3. Support a large number of printers

      13.2.3. Support a large number of printers

      One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for @@ -11227,9 +10655,9 @@ of how this could be accomplished:

       
-$ $ rpcclient pogo -U root%secret -c "enumdrivers"
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
  
@@ -11243,9 +10671,9 @@ Printer Driver Info 1:
 Printer Driver Info 1:
      Driver Name: [HP LaserJet 4Si/4SiMX PS]
 				  
-$ $ rpcclient pogo -U root%secret -c "enumprinters"
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
      flags:[0x800000]
@@ -11253,13 +10681,13 @@ Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
      description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
      comment:[]
 				  
-$ $ rpcclient pogo -U root%secret \
-> >  -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
 Successfully set hp-print to driver HP LaserJet 4000 Series PS.

      13.2.4. Adding New Printers via the Windows NT APW

      13.2.4. Adding New Printers via the Windows NT APW

      By default, Samba offers all printer shares defined in

      The connected user is able to successfully execute an OpenPrinterEx(\\server) with administrative - privileges (i.e. root or printer adminprinter admin).

      show - add printer wizard = yes (the default).

      add -printer command must have a defined value. The program hook must successfully add the printer to the system (i.e. @@ -11338,35 +10760,29 @@ CLASS="FILENAME" not exist, smbd will execute the will execute the add printer -command and reparse to the smb.conf to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. Note that the -add printer programadd printer program is executed under the context of the connected user, not necessarily a root account.

      There is a complementary delete -printer command for removing entries from the "Printers..." folder.

      The following is an example add printer commandadd printer command script. It adds the appropriate entries to

      13.2.5. Samba and Printer Ports

      13.2.5. Samba and Printer Ports

      Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the @@ -11460,12 +10874,10 @@ CLASS="FILENAME" > possesses a enumports -command which can be used to define an external program that generates a listing of ports on a system.

      13.3. The Imprints Toolset

      13.3. The Imprints Toolset

      The Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer Wizard. For complete information, please @@ -11494,9 +10906,9 @@ CLASS="SECT2" >

      13.3.1. What is Imprints?

      13.3.1. What is Imprints?

      Imprints is a collection of tools for supporting the goals of

      13.3.2. Creating Printer Driver Packages

      13.3.2. Creating Printer Driver Packages

      The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included @@ -11542,9 +10954,9 @@ CLASS="SECT2" >

      13.3.3. The Imprints server

      13.3.3. The Imprints server

      The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer @@ -11566,9 +10978,9 @@ CLASS="SECT2" >

      13.3.4. The Installation Client

      13.3.4. The Installation Client

      More information regarding the Imprints installation client is available in the

      13.4. Diagnosis

      13.4. Diagnosis

      13.4.1. Introduction

      13.4.1. Introduction

      This is a short description of how to debug printing problems with Samba. This describes how to debug problems with printing from a SMB @@ -11732,7 +11144,7 @@ and it should be periodically cleaned out. Samba used the lpq command to determine the "job number" assigned to your print job by the spooler.

      The %>letter< are "macros" that get dynamically replaced with appropriate +>The %>letter< are "macros" that get dynamically replaced with appropriate values when they are used. The %s gets replaced with the name of the spool file that Samba creates and the %p gets replaced with the name of the printer. The %j gets replaced with the "job number" which comes from @@ -11743,9 +11155,9 @@ CLASS="SECT2" >

      13.4.2. Debugging printer problems

      13.4.2. Debugging printer problems

      One way to debug printing problems is to start by replacing these command with shell scripts that record the arguments and the contents @@ -11761,7 +11173,7 @@ CLASS="PROGRAMLISTING" /usr/bin/id -p >/tmp/tmp.print # we run the command and save the error messages # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print

      Then you print a file and try removing it. You may find that the @@ -11800,9 +11212,9 @@ CLASS="SECT2" >

      13.4.3. What printers do I have?

      13.4.3. What printers do I have?

      You can use the 'testprns' program to check to see if the printer name you are using is recognized by Samba. For example, you can @@ -11829,9 +11241,9 @@ CLASS="SECT2" >

      13.4.4. Setting up printcap and print servers

      13.4.4. Setting up printcap and print servers

      You may need to set up some printcaps for your Samba system to use. It is strongly recommended that you use the facilities provided by @@ -11913,9 +11325,9 @@ CLASS="SECT2" >

      13.4.5. Job sent, no output

      13.4.5. Job sent, no output

      This is the most frustrating part of printing. You may have sent the job, verified that the job was forwarded, set up a wrapper around @@ -11958,9 +11370,9 @@ CLASS="SECT2" >

      13.4.6. Job sent, strange output

      13.4.6. Job sent, strange output

      Once you have the job printing, you can then start worrying about making it print nicely.

      13.4.7. Raw PostScript printed

      13.4.7. Raw PostScript printed

      This is a problem that is usually caused by either the print spooling system putting information at the start of the print job that makes @@ -12019,9 +11431,9 @@ CLASS="SECT2" >

      13.4.8. Advanced Printing

      13.4.8. Advanced Printing

      Note that you can do some pretty magic things by using your imagination with the "print command" option and some shell scripts. @@ -12035,9 +11447,9 @@ CLASS="SECT2" >

      13.4.9. Real debugging

      13.4.9. Real debugging

      If the above debug tips don't help, then maybe you need to bring in the bug guns, system tracing. See Tracing.txt in this directory.

      14.1. Abstract

      14.1. Abstract

      Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -12083,9 +11495,9 @@ CLASS="SECT1" >

      14.2. Introduction

      14.2. Introduction

      It is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -12137,9 +11549,9 @@ CLASS="SECT1" >

      14.3. What Winbind Provides

      14.3. What Winbind Provides

      Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -12179,9 +11591,9 @@ CLASS="SECT2" >

      14.3.1. Target Uses

      14.3.1. Target Uses

      Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -12203,9 +11615,9 @@ CLASS="SECT1" >

      14.4. How Winbind Works

      14.4. How Winbind Works

      The winbind system is designed around a client/server architecture. A long running

      14.4.1. Microsoft Remote Procedure Calls

      14.4.1. Microsoft Remote Procedure Calls

      Over the last few years, efforts have been underway by various Samba Team members to decode various aspects of @@ -12249,9 +11661,9 @@ CLASS="SECT2" >

      14.4.2. Microsoft Active Directory Services

      14.4.2. Microsoft Active Directory Services

      Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its 'Native @@ -12268,9 +11680,9 @@ CLASS="SECT2" >

      14.4.3. Name Service Switch

      14.4.3. Name Service Switch

      The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -12348,9 +11760,9 @@ CLASS="SECT2" >

      14.4.4. Pluggable Authentication Modules

      14.4.4. Pluggable Authentication Modules

      Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -12397,9 +11809,9 @@ CLASS="SECT2" >

      14.4.5. User and Group ID Allocation

      14.4.5. User and Group ID Allocation

      When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -12423,9 +11835,9 @@ CLASS="SECT2" >

      14.4.6. Result Caching

      14.4.6. Result Caching

      An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -12446,9 +11858,9 @@ CLASS="SECT1" >

      14.5. Installation and Configuration

      14.5. Installation and Configuration

      Many thanks to John Trostel

      14.5.1. Introduction

      14.5.1. Introduction

      This HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -12532,9 +11944,9 @@ CLASS="SECT2" >

      14.5.2. Requirements

      14.5.2. Requirements

      If you have a samba configuration file that you are currently using...

      14.5.3. Testing Things Out

      14.5.3. Testing Things Out

      Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all

      14.5.3.1. Configure and compile SAMBA

      14.5.3.1. Configure and compile SAMBA

      The configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -12657,44 +12069,44 @@ whether or not you have previously built the Samba binaries.

      root#root# autoconf
-root#root# make clean
-root#root# rm config.cache
-root#root# ./configure
-root#root# make
-root#root# make install
      14.5.3.2. Configure nsswitch.conf and the 
-winbind libraries
      The libraries needed to run the  daemon 
 through nsswitch need to be copied to their proper locations, so
      root#root# cp ../samba/source/nsswitch/libnss_winbind.so /lib
      I also found it necessary to make the following symbolic link:
      root#root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
      And, in the case of Sun solaris:
      root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
-root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
-root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
      root#root# /sbin/ldconfig -v | grep winbind
      14.5.3.3. Configure smb.conf
      14.5.3.3. Configure smb.conf
      Several parameters are needed in the smb.conf file to control 
 the behavior of 
      [global]
-     <...>
+     <...>
      # separate domain and username with '+', like DOMAIN+username
      
      14.5.3.4. Join the SAMBA server to the PDC domain
      14.5.3.4. Join the SAMBA server to the PDC domain
      Enter the following command to make the SAMBA server join the 
-PDC domain, where DOMAINDOMAIN is the name of 
-your Windows domain and AdministratorAdministrator is 
 a domain user who has administrative privileges in the domain.
      root#root# /usr/local/samba/bin/net join -S PDC -U Administrator
      The proper response to the command should be: "Joined the domain 
-DOMAIN" where DOMAIN" where DOMAINDOMAIN 
 is your DOMAIN name.

      14.5.3.5. Start up the winbindd daemon and test it!

      14.5.3.5. Start up the winbindd daemon and test it!

      Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -12949,9 +12353,9 @@ SAMBA start, but it is possible to test out just the winbind portion first. To start up winbind services, enter the following command as root:

      root#root# /usr/local/samba/bin/winbinddI'm always paranoid and like to make sure the daemon is really running...

      root#root# ps -ae | grep winbinddNow... for the real test, try to get some information about the users on your PDC

      root#root# /usr/local/samba/bin/wbinfo -u

      Obviously, I have named my domain 'CEO' and my Obviously, I have named my domain 'CEO' and my winbind -separator is '+'.

      You can do the same sort of thing to get group information from @@ -13010,9 +12412,9 @@ the PDC:

      root#root# /usr/local/samba/bin/wbinfo -g
      root#root# getent passwd
      The same thing can be done for groups with the command
      root#root# getent group
      14.5.3.6. Fix the init.d startup scripts
      14.5.3.6. Fix the init.d startup scripts
      14.5.3.6.1. Linux
      14.5.3.6.1. Linux
      The 
      14.5.3.6.2. Solaris
      14.5.3.6.2. Solaris
      On solaris, you need to modify the 
 
      14.5.3.6.3. Restarting
      14.5.3.6.3. Restarting
      If you restart the 
      14.5.3.7. Configure Winbind and PAM
      14.5.3.7. Configure Winbind and PAM
      If you have made it this far, you know that winbindd and samba are working
 together.  If you want to use winbind to provide authentication for other 
@@ -13281,9 +12683,9 @@ CLASS="FILENAME"
 > directory
 by invoking the command
      root#root# make nsswitch/pam_winbind.so/usr/lib/security.
      root#root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
      14.5.3.7.1. Linux/FreeBSD-specific PAM configuration
      14.5.3.7.1. Linux/FreeBSD-specific PAM configuration
      The 
      14.5.3.7.2. Solaris-specific configuration
      14.5.3.7.2. Solaris-specific configuration
      The /etc/pam.conf needs to be changed. I changed this file so that my Domain
 users can logon both locally as well as telnet.The following are the changes
@@ -13535,9 +12937,9 @@ CLASS="SECT1"
 >
      14.6. Limitations
      14.6. Limitations
      Winbind has a number of limitations in its current 
 	released version that we hope to overcome in future 
@@ -13577,9 +12979,9 @@ CLASS="SECT1"
 >
      14.7. Conclusion
      14.7. Conclusion
      The winbind system, through the use of the Name Service 
 	Switch, Pluggable Authentication Modules, and appropriate 
@@ -13601,9 +13003,9 @@ CLASS="SECT1"
 >
      15.1. Overview of browsing
      15.1. Overview of browsing
      SMB networking provides a mechanism by which clients can access a list
 of machines in a network, a so-called "browse list".  This list
@@ -13614,8 +13016,13 @@ list is heavily used by all SMB clients.  Configuration of SMB
 browsing has been problematic for some Samba users, hence this
 document.
      Browsing will NOT work if name resolution from NetBIOS names to IP
-addresses does not function correctly. Use of a WINS server is highly
+>MS Windows 2000 and later, as with Samba-3 and later, can be
+configured to not use NetBIOS over TCP/IP. When configured this way
+it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
+configured and operative. Browsing will NOT work if name resolution
+from SMB machine names to IP addresses does not function correctly.
      Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
 recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
 WINS allows remote segment clients to obtain NetBIOS name_type information
 that can NOT be provided by any other means of name resolution.
      15.2. Browsing support in samba
      Samba now fully supports browsing.  The browsing is supported by nmbd
-and is also controlled by options in the smb.conf file (see smb.conf(5)).
      15.2. Browsing support in samba
      Samba can act as a local browse master for a workgroup and the ability
-for samba to support domain logons and scripts is now available.  See
-DOMAIN.txt for more information on domain logons.
      Samba facilitates browsing.  The browsing is supported by nmbd
+and is also controlled by options in the smb.conf file (see smb.conf(5)).
+Samba can act as a local browse master for a workgroup and the ability
+for samba to support domain logons and scripts is now available.
      Samba can also act as a domain master browser for a workgroup.  This
 means that it will collate lists from local browse masters into a
@@ -13649,12 +13054,12 @@ regardless of whether it is NT, Samba or any other type of domain master
 that is providing this service.
      [Note that nmbd can be configured as a WINS server, but it is not
-necessary to specifically use samba as your WINS server.  NTAS can
-be configured as your WINS server.  In a mixed NT server and
-samba environment on a Wide Area Network, it is recommended that
-you use the NT server's WINS server capabilities.  In a samba-only
-environment, it is recommended that you use one and only one nmbd
-as your WINS server].
      To get browsing to work you need to run nmbd as usual, but will need
 to use the "workgroup" option in smb.conf to control what workgroup
@@ -13670,9 +13075,9 @@ CLASS="SECT1"
 >
      15.3. Problem resolution
      15.3. Problem resolution
      If something doesn't work then hopefully the log.nmb file will help
 you track down the problem.  Try a debug level of 2 or 3 for finding
@@ -13688,6 +13093,19 @@ filemanager should display the list of available shares.
      MS Windows 2000 and upwards (as with Samba) can be configured to disallow
+anonymous (ie: Guest account) access to the IPC$ share. In that case, the
+MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
+name of the currently logged in user to query the IPC$ share. MS Windows
+9X clients are not able to do this and thus will NOT be able to browse
+server resources.
      Also, a lot of people are getting bitten by the problem of too many
 parameters on the command line of nmbd in inetd.conf.  This trick is to
 not use spaces between the option and the parameter (eg: -d2 instead
@@ -13704,11 +13122,11 @@ CLASS="SECT1"
 >
      15.4. Browsing across subnets
      15.4. Browsing across subnets
      With the release of Samba 1.9.17(alpha1 and above) Samba has been
+>Since the release of Samba 1.9.17(alpha1) Samba has been
 updated to enable it to support the replication of browse lists
 across subnet boundaries.  New code and options have been added to
 achieve this.  This section describes how to set this feature up
@@ -13735,15 +13153,14 @@ CLASS="SECT2"
 >
      15.4.1. How does cross subnet browsing work ?
      15.4.1. How does cross subnet browsing work ?
      Cross subnet browsing is a complicated dance, containing multiple
 moving parts.  It has taken Microsoft several years to get the code
 that achieves this correct, and Samba lags behind in some areas.
-However, with the 1.9.17 release, Samba is capable of cross subnet
-browsing when configured correctly.
      Consider a network set up as follows :
      Once N2_B knows the address of the Domain master browser it
@@ -13947,9 +13364,9 @@ CLASS="SECT1"
 >
      15.5. Setting up a WINS server
      15.5. Setting up a WINS server
      Either a Samba machine or a Windows NT Server machine may be set up
 as a WINS server.  To set a Samba machine to be a WINS server you must
@@ -13961,9 +13378,9 @@ CLASS="COMMAND"
 >		wins support = yes
      Versions of Samba previous to 1.9.17 had this parameter default to
+>Versions of Samba prior to 1.9.17 had this parameter default to
 yes.  If you have any older versions of Samba on your network it is
-strongly suggested you upgrade to 1.9.17 or above, or at the very
+strongly suggested you upgrade to a recent version, or at the very
 least set the parameter to 'no' on all these machines.
      Machines with "
      wins server = >name or IP address<wins server = >name or IP address<
      where >name or IP address< is either the DNS name of the WINS server
+>where >name or IP address< is either the DNS name of the WINS server
 machine or its IP address.
      Note that this line MUST NOT BE SET in the smb.conf file of the Samba
@@ -14015,7 +13432,7 @@ CLASS="COMMAND"
 >" option and the 
 "wins server = >name<wins server = <name>" option then
 nmbd will fail to start.
      15.6. Setting up Browsing in a WORKGROUP
      15.6. Setting up Browsing in a WORKGROUP
      To set up cross subnet browsing on a network containing machines
 in up to be in a WORKGROUP, not an NT Domain you need to set up one
@@ -14073,11 +13490,12 @@ server, if you require.
      Next, you should ensure that each of the subnets contains a
 machine that can act as a local master browser for the
-workgroup.  Any NT machine should be able to do this, as will
-Windows 95 machines (although these tend to get rebooted more
-often, so it's not such a good idea to use these).  To make a 
-Samba server a local master browser set the following
-options in the [global] section of the smb.conf file :
      15.7. Setting up Browsing in a DOMAIN
      15.7. Setting up Browsing in a DOMAIN
      If you are adding Samba servers to a Windows NT Domain then
 you must not set up a Samba server as a domain master browser.
 By default, a Windows NT Primary Domain Controller for a Domain
 name is also the Domain master browser for that name, and many
 things will break if a Samba server registers the Domain master
-browser NetBIOS name (DOMAIN>1B<) with WINS instead of the PDC.
      For subnets other than the one containing the Windows NT PDC
 you may set up Samba servers as local master browsers as
@@ -14165,9 +13583,9 @@ CLASS="SECT1"
 >
      15.8. Forcing samba to be the master
      15.8. Forcing samba to be the master
      Who becomes the "master browser" is determined by an election process
 using broadcasts.  Each election packet contains a number of parameters
@@ -14180,8 +13598,8 @@ option in smb.conf to a higher number.  It defaults to 0.  Using 34
 would make it win all elections over every other system (except other
 samba systems!)
      A "os level" of 2 would make it beat WfWg and Win95, but not NTAS.  A
-NTAS domain controller uses level 32.
      A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows
+NT/2K Server.  A MS Windows NT/2K Server domain controller uses level 32.
      The maximum os level is 255
      15.9. Making samba the domain master
      15.9. Making samba the domain master
      The domain master is responsible for collating the browse lists of
 multiple subnets so that browsing can occur between subnets.  You can
@@ -14286,9 +13704,9 @@ CLASS="SECT1"
 >
      15.10. Note about broadcast addresses
      15.10. Note about broadcast addresses
      If your network uses a "0" based broadcast address (for example if it
 ends in a 0) then you will strike problems.  Windows for Workgroups
@@ -14300,9 +13718,9 @@ CLASS="SECT1"
 >
      15.11. Multiple interfaces
      15.11. Multiple interfaces
      Samba now supports machines with multiple network interfaces.  If you
 have multiple interfaces then you will need to use the "interfaces"
@@ -14321,9 +13739,9 @@ CLASS="SECT1"
 >
      16.1. Introduction and configuration
      16.1. Introduction and configuration
      Since samba 3.0, samba supports stackable VFS(Virtual File System) modules.  
 Samba passes each request to access the unix file system thru the loaded VFS modules. 
@@ -14362,17 +13780,17 @@ CLASS="SECT1"
 >
      16.2. Included modules
      16.2. Included modules
      16.2.1. audit
      16.2.1. audit
      A simple module to audit file access to the syslog
 facility.  The following operations are logged:
@@ -14408,9 +13826,9 @@ CLASS="SECT2"
 >
      16.2.2. recycle
      16.2.2. recycle
      A recycle-bin like modules. When used any unlink call
 will be intercepted and files moved to the recycle
@@ -14479,9 +13897,9 @@ CLASS="SECT2"
 >
      16.2.3. netatalk
      16.2.3. netatalk
      A netatalk module, that will ease co-existence of samba and
 netatalk file sharing services.
      16.3. VFS modules available elsewhere
      16.3. VFS modules available elsewhere
      This section contains a listing of various other VFS modules that 
 have been posted but don't currently reside in the Samba CVS 
@@ -14528,9 +13946,9 @@ CLASS="SECT2"
 >
      16.3.1. DatabaseFS
      16.3.1. DatabaseFS
      URL: 
      16.3.2. vscan
      16.3.2. vscan
      URL: 
      Chapter 17. Access Samba source code via CVS
      17.1. Introduction
      Chapter 17. Group mapping HOWTO
      Samba is developed in an open environment.  Developers use CVS
-(Concurrent Versioning System) to "checkin" (also known as 
-"commit") new source code.  Samba's various CVS branches can
-be accessed via anonymous CVS using the instructions
-detailed in this chapter.
       
+Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
+current method (likely to change) to manage the groups is a new command called
+smbgroupedit.
      This document is a modified version of the instructions found at
-http://samba.org/samba/cvs.html
      17.2. CVS Access to samba.org
      The first immediate reason to use the group mapping on a PDC, is that
+the domain admin group of smb.conf is 
+now gone. This parameter was used to give the listed users local admin rights 
+on their workstations. It was some magic stuff that simply worked but didn't
+scale very well for complex setups.
      The machine samba.org runs a publicly accessible CVS 
-repository for access to the source code of several packages, 
-including samba, rsync and jitterbug. There are two main ways of 
-accessing the CVS server on this host.
      17.2.1. Access via CVSweb
      Let me explain how it works on NT/W2K, to have this magic fade away.
+When installing NT/W2K on a computer, the installer program creates some users
+and groups. Notably the 'Administrators' group, and gives to that group some
+privileges like the ability to change the date and time or to kill any process
+(or close too) running on the local machine. The 'Administrator' user is a
+member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
+group privileges. If a 'joe' user is created and become a member of the
+'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
      You can access the source code via your 
-favourite WWW browser. This allows you to access the contents of 
-individual files in the repository and also to look at the revision 
-history and commit logs of individual files. You can also ask for a diff 
-listing between any two versions on the repository.
      When a NT/W2K machine is joined to a domain, during that phase, the "Domain
+Administrators' group of the PDC is added to the 'Administrators' group of the
+workstation. Every members of the 'Domain Administrators' group 'inherit' the
+rights of the 'Administrators' group when logging on the workstation.
      You are now wondering how to make some of your samba PDC users members of the
+'Domain Administrators' ? That's really easy.
      Use the URL : http://samba.org/cgi-bin/cvsweb
      17.2.2. Access via cvs
      1. You can also access the source code via a 
-normal cvs client.  This gives you much more control over you can 
-do with the repository and allows you to checkout whole source trees 
-and keep them up to date via normal cvs commands. This is the 
-preferred method of access if you are a developer and not
-just a casual browser.
        To download the latest cvs source code, point your
-browser at the URL : http://www.cyclic.com/.
-and click on the 'How to get cvs' link. CVS is free software under 
-the GNU GPL (as is Samba).  Note that there are several graphical CVS clients
-which provide a graphical interface to the sometimes mundane CVS commands.
-Links to theses clients are also available from http://www.cyclic.com.
        To gain access via anonymous cvs use the following steps. 
-For this example it is assumed that you want a copy of the 
-samba source code. For the other source code repositories 
-on this system just substitute the correct package name
        1. 	Install a recent copy of cvs. All you really need is a 
-	copy of the cvs client binary. 
-	
        2. 	Run the command 
-	
          	cvs -d :pserver:cvs@samba.org:/cvsroot login
-	
          	When it asks you for a password type cvs.
-	
        3. 	Run the command 
-	
          	cvs -d :pserver:cvs@samba.org:/cvsroot co samba
-	
          	This will create a directory called samba containing the 
-	latest samba source code (i.e. the HEAD tagged cvs branch). This 
-	currently corresponds to the 3.0 development tree. 
-	
          	CVS branches other HEAD can be obtained by using the -r
-	and defining a tag name.  A list of branch tag names can be found on the
-	"Development" page of the samba web site.  A common request is to obtain the
-	latest 2.2 release code.  This could be done by using the following command.
-	
          	cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba
-	
        4. 	Whenever you want to merge in the latest code changes use 
-	the following command from within the samba directory: 
-	
          	cvs update -d -P
-	
      Chapter 18. Group mapping HOWTO
       
-Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
-current method (likely to change) to manage the groups is a new command called
-smbgroupedit.
      The first immediate reason to use the group mapping on a PDC, is that
-the domain admin group of smb.conf is 
-now gone. This parameter was used to give the listed users local admin rights 
-on their workstations. It was some magic stuff that simply worked but didn't
-scale very well for complex setups.
      Let me explain how it works on NT/W2K, to have this magic fade away.
-When installing NT/W2K on a computer, the installer program creates some users
-and groups. Notably the 'Administrators' group, and gives to that group some
-privileges like the ability to change the date and time or to kill any process
-(or close too) running on the local machine. The 'Administrator' user is a
-member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
-group privileges. If a 'joe' user is created and become a member of the
-'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
      When a NT/W2K machine is joined to a domain, during that phase, the "Domain
-Administrators' group of the PDC is added to the 'Administrators' group of the
-workstation. Every members of the 'Domain Administrators' group 'inherit' the
-rights of the 'Administrators' group when logging on the workstation.
      You are now wondering how to make some of your samba PDC users members of the
-'Domain Administrators' ? That's really easy.
      1. create a unix group (usually in /etc/group), let's call it domadm
      2. create a unix group (usually in /etc/group), let's call it domadm
      3. add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in Chapter 19. Samba performance issuesChapter 18. Samba performance issues
        19.1. Comparisons
        18.1. Comparisons
        The Samba server uses TCP to talk to the client. Thus if you are
 trying to see if it performs well you should really compare it to
@@ -14896,9 +14142,9 @@ CLASS="SECT1"
 >
        19.2. Socket options
        18.2. Socket options
        There are a number of socket options that can greatly affect the
 performance of a TCP based server like Samba.
        19.3. Read size
        18.3. Read size
        The option "read size" affects the overlap of disk reads/writes with
 network reads/writes. If the amount of data being transferred in
@@ -14950,9 +14196,9 @@ CLASS="SECT1"
 >
        19.4. Max xmit
        18.4. Max xmit
        At startup the client and server negotiate a "maximum transmit" size,
 which limits the size of nearly all SMB commands. You can set the
@@ -14973,9 +14219,9 @@ CLASS="SECT1"
 >
        19.5. Log level
        18.5. Log level
        If you set the log level (also known as "debug level") higher than 2
 then you may suffer a large drop in performance. This is because the
@@ -14987,9 +14233,9 @@ CLASS="SECT1"
 >
        19.6. Read raw
        18.6. Read raw
        The "read raw" operation is designed to be an optimised, low-latency
 file read operation. A server may choose to not support it,
@@ -15009,9 +14255,9 @@ CLASS="SECT1"
 >
        19.7. Write raw
        18.7. Write raw
        The "write raw" operation is designed to be an optimised, low-latency
 file write operation. A server may choose to not support it,
@@ -15026,9 +14272,9 @@ CLASS="SECT1"
 >
        19.8. Slow Clients
        18.8. Slow Clients
        One person has reported that setting the protocol to COREPLUS rather
 than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).
        19.9. Slow Logins
        18.9. Slow Logins
        Slow logins are almost always due to the password checking time. Using
 the lowest practical "password level" will improve things a lot. You
@@ -15056,9 +14302,9 @@ CLASS="SECT1"
 >
        19.10. Client tuning
        18.10. Client tuning
        Often a speed problem can be traced to the client. The client (for
 example Windows for Workgroups) can often be tuned for better TCP
@@ -15164,15 +14410,15 @@ CLASS="CHAPTER"
 >Chapter 20. Creating Group ProfilesChapter 19. Creating Group Prolicy Files
        20.1. Windows '9x
        19.1. Windows '9x
        You need the Win98 Group Policy Editor to
 set Group Profiles up under Windows '9x. It can be found on the Original
@@ -15196,25 +14442,28 @@ CLASS="FILENAME"
 > that needs to be placed in
 the root of the [NETLOGON] share. If your Win98 is configured to log onto
 the Samba Domain, it will automatically read this file and update the
-Win98 registry of the machine that is logging on.
        All of this is covered in the Win98 Resource Kit documentation.
        If you do not do it this way, then every so often Win98 will check the
+>If you do not do it this way, then every so often Win9x/Me will check the
 integrity of the registry and will restore it's settings from the back-up
-copy of the registry it stores on each Win98 machine. Hence, you will notice
-things changing back to the original settings.
        The following all refers to Windows NT/200x profile migration - not to policies.
+We need a separate section on policies (NTConfig.Pol) for NT4/200x.
        20.2. Windows NT 4
        19.2. Windows NT 4
        Unfortunately, the Resource Kit info is Win NT4/2K version specific.
        Unfortunately, the Resource Kit info is Win NT4 or 200x specific.
        Here is a quick guide:
        I am using the term "migrate" lossely. You can copy a profile to
+>I am using the term "migrate" lossely. You can copy a profile to
 create a group profile. You can give the user 'Everyone' rights to the
 profile you copy this to. That is what you need to do, since your samba
 domain is not a member of a trust relationship with your NT4 PDC.
        20.2.1. Side bar Notes
        19.2.1. Side bar Notes
        You should obtain the SID of your NT4 domain. You can use smbpasswd to do
 this. Read the man page.
        20.2.2. Mandatory profiles
        19.2.2. Mandatory profiles
        The above method can be used to create mandatory profiles also. To convert
 a group profile into a mandatory profile simply locate the NTUser.DAT file
@@ -15320,9 +14569,9 @@ CLASS="SECT2"
 >
        20.2.3. moveuser.exe
        19.2.3. moveuser.exe
        The W2K professional resource kit has moveuser.exe. moveuser.exe changes
 the security of a profile from one user to another.  This allows the account 
@@ -15333,9 +14582,9 @@ CLASS="SECT2"
 >
        20.2.4. Get SID
        19.2.4. Get SID
        You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
 Resource Kit.
        20.3. Windows 2000/XP
        19.3. Windows 2000/XP
        You must first convert the profile from a local profile to a domain
 profile on the MS Windows workstation as follows:
      Chapter 20. Securing Samba
      20.1. Introduction
      This note was attached to the Samba 2.2.8 release notes as it contained an
+important security fix.  The information contained here applies to Samba
+installations in general.
      20.2. Using host based protection
      In many installations of Samba the greatest threat comes for outside
+your immediate network. By default Samba will accept connections from
+any host, which means that if you run an insecure version of Samba on
+a host that is directly connected to the Internet you can be
+especially vulnerable.
      One of the simplest fixes in this case is to use the 'hosts allow' and
+'hosts deny' options in the Samba smb.conf configuration file to only
+allow access to your server from a specific range of hosts. An example
+might be:
        hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+  hosts deny = 0.0.0.0/0
      The above will only allow SMB connections from 'localhost' (your own
+computer) and from the two private networks 192.168.2 and
+192.168.3. All other connections will be refused connections as soon
+as the client sends its first packet. The refusal will be marked as a
+'not listening on called name' error.
      20.3. Using interface protection
      By default Samba will accept connections on any network interface that
+it finds on your system. That means if you have a ISDN line or a PPP
+connection to the Internet then Samba will accept connections on those
+links. This may not be what you want.
      You can change this behaviour using options like the following:
        interfaces = eth* lo
+  bind interfaces only = yes
      This tells Samba to only listen for connections on interfaces with a
+name starting with 'eth' such as eth0, eth1, plus on the loopback
+interface called 'lo'. The name you will need to use depends on what
+OS you are using, in the above I used the common name for Ethernet
+adapters on Linux.
      If you use the above and someone tries to make a SMB connection to
+your host over a PPP interface called 'ppp0' then they will get a TCP
+connection refused reply. In that case no Samba code is run at all as
+the operating system has been told not to pass connections from that
+interface to any process.
      20.4. Using a firewall
      Many people use a firewall to deny access to services that they don't
+want exposed outside their network. This can be a very good idea,
+although I would recommend using it in conjunction with the above
+methods so that you are protected even if your firewall is not active
+for some reason.
      If you are setting up a firewall then you need to know what TCP and
+UDP ports to allow and block. Samba uses the following:
      UDP/137    - used by nmbd
+UDP/138    - used by nmbd
+TCP/139    - used by smbd
+TCP/445    - used by smbd
      The last one is important as many older firewall setups may not be
+aware of it, given that this port was only added to the protocol in
+recent years. 
      20.5. Using a IPC$ share deny
      If the above methods are not suitable, then you could also place a
+more specific deny on the IPC$ share that is used in the recently
+discovered security hole. This allows you to offer access to other
+shares while denying access to IPC$ from potentially untrustworthy
+hosts.
      To do that you could use:
        [ipc$]
+     hosts allow = 192.168.115.0/24 127.0.0.1
+     hosts deny = 0.0.0.0/0
      this would tell Samba that IPC$ connections are not allowed from
+anywhere but the two listed places (localhost and a local
+subnet). Connections to other shares would still be allowed. As the
+IPC$ share is the only share that is always accessible anonymously
+this provides some level of protection against attackers that do not
+know a username/password for your host.
      If you use this method then clients will be given a 'access denied'
+reply when they try to access the IPC$ share. That means that those
+clients will not be able to browse shares, and may also be unable to
+access some other resources. 
      This is not recommended unless you cannot use one of the other
+methods listed above for some reason.
      20.6. Upgrading Samba
      Please check regularly on http://www.samba.org/ for updates and
+important announcements.  Occasionally security releases are made and 
+it is highly recommended to upgrade Samba when a security vulnerability
+is discovered.
      21.1. HPUX
      21.2. SCO Unix
      21.3. DNIX
      21.4. RedHat Linux Rembrandt-II
      21.5. AIX
      21.5.1. Sequential Read Ahead
      22.1. Macintosh clients?
      22.2. OS2 Client
      22.2.1. How can I configure OS/2 Warp Connect or 
 		OS/2 Warp 4 as a client for Samba?
      22.2.2. How can I configure OS/2 Warp 3 (not Connect), 
 		OS/2 1.2, 1.3 or 2.x for Samba?
      22.2.3. Are there any other issues when OS/2 (any version) 
 		is used as a client?
      22.2.4. How do I get printer driver download working 
 		for OS/2 clients?
      22.3. Windows for Workgroups
      22.3.1. Use latest TCP/IP stack from Microsoft
      22.3.2. Delete .pwl files after password change
      22.3.3. Configure WfW password handling
      22.3.4. Case handling of passwords
      22.3.5. Use TCP/IP as default protocol
      22.4. Windows '95/'98
      22.5. Windows 2000 Service Pack 2
      23. Reporting BugsHow to compile SAMBA
      23.1. Access Samba source code via CVS
      23.1.1. Introduction
      23.1.2. CVS Access to samba.org
      23.2. General infoAccessing the samba sources via rsync and ftp
      23.3. Debug levelsBuilding the Binaries
      23.4. Starting the smbd and nmbd
      23.4.1. Starting from inetd.conf
      23.4.2. Alternative: starting it as a daemon
      24. Reporting Bugs
      24.1. Introduction
      24.2. General info
      24.3. Debug levels
      24.4. Internal errors
      23.5. 24.5. Attaching to a running process
      23.6. 24.6. Patches
      24. 25. Diagnosing your samba serverThe samba checklist
      24.1. 25.1. Introduction
      24.2. 25.2. Assumptions
      24.3. 25.3. Tests
      24.3.1. 25.3.1. Test 1
      24.3.2. 25.3.2. Test 2
      24.3.3. 25.3.3. Test 3
      24.3.4. 25.3.4. Test 4
      24.3.5. 25.3.5. Test 5
      24.3.6. 25.3.6. Test 6
      24.3.7. 25.3.7. Test 7
      24.3.8. 25.3.8. Test 8
      24.3.9. 25.3.9. Test 9
      24.3.10. 25.3.10. Test 10
      24.3.11. 25.3.11. Test 11
      24.4. 25.4. Still having troubles?
      21.1. HPUX
      21.1. HPUX
      HP's implementation of supplementary groups is, er, non-standard (for
 hysterical reasons).  There are two group files, /etc/group and
@@ -15897,9 +15394,9 @@ CLASS="SECT1"
 >
      21.2. SCO Unix
      21.2. SCO Unix
       
 If you run an old version of  SCO Unix then you may need to get important 
@@ -15914,9 +15411,9 @@ CLASS="SECT1"
 >
      21.3. DNIX
      21.3. DNIX
      DNIX has a problem with seteuid() and setegid(). These routines are
 needed for Samba to work correctly, but they were left out of the DNIX
@@ -16021,9 +15518,9 @@ CLASS="SECT1"
 >
      21.4. RedHat Linux Rembrandt-II
      21.4. RedHat Linux Rembrandt-II
      By default RedHat Rembrandt-II during installation adds an
 entry to /etc/hosts as follows:
@@ -16040,6 +15537,27 @@ is the master browse list holder and who is the master browser.
      Corrective Action:	Delete the entry after the word loopback
 	in the line starting 127.0.0.1
      21.5. AIX
      21.5.1. Sequential Read Ahead
      Disabling Sequential Read Ahead using "vmtune -r 0" improves 
+samba performance significally.

      22.1. Macintosh clients?

      22.1. Macintosh clients?

      Yes.

      22.2. OS2 Client

      22.2. OS2 Client

      22.2.1. How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?

      A more complete answer to this question can be found on

      22.2.2. How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?

      You can use the free Microsoft LAN Manager 2.2c Client for OS/2 from @@ -16212,10 +15730,10 @@ CLASS="SECT2" >

      22.2.3. Are there any other issues when OS/2 (any version) - is used as a client?

      When you do a NET VIEW or use the "File and Print Client Resource Browser", no Samba servers show up. This can @@ -16234,10 +15752,10 @@ CLASS="SECT2" >

      22.2.4. How do I get printer driver download working - for OS/2 clients?

      First, create a share called [PRINTDRV] that is world-readable. Copy your OS/2 driver files there. Note @@ -16247,17 +15765,13 @@ NAME="AEN3350" >

      Install the NT driver first for that printer. Then, add to your smb.conf a parameter, os2 driver map = - filenamefilename". Then, in the file - specified by filenamefilename, map the name of the NT driver name to the OS/2 driver name as follows:

      22.3. Windows for Workgroups

      22.3. Windows for Workgroups

      22.3.1. Use latest TCP/IP stack from Microsoft

      22.3.1. Use latest TCP/IP stack from Microsoft

      Use the latest TCP/IP stack from microsoft if you use Windows for workgroups.

      22.3.2. Delete .pwl files after password change

      22.3.2. Delete .pwl files after password change

      WfWg does a lousy job with passwords. I find that if I change my password on either the unix box or the PC the safest thing to do is to @@ -16335,9 +15849,9 @@ CLASS="SECT2" >

      22.3.3. Configure WfW password handling

      22.3.3. Configure WfW password handling

      There is a program call admincfg.exe on the last disk (disk 8) of the WFW 3.11 disk set. To install it @@ -16354,9 +15868,9 @@ CLASS="SECT2" >

      22.3.4. Case handling of passwords

      22.3.4. Case handling of passwords

      Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the password level to specify what characters samba should try to uppercase when checking.

      22.3.5. Use TCP/IP as default protocol

      To support print queue reporting you may find +that you have to use TCP/IP as the default protocol under +WfWg. For some reason if you leave Netbeui as the default +it may break the print queue reporting on some systems. +It is presumably a WfWg bug.

      22.4. Windows '95/'98

      When using Windows 95 OEM SR2 the following updates are recommended where Samba +is being used. Please NOTE that the above change will affect you once these +updates have been installed.

      +There are more updates than the ones mentioned here. You are referred to the +Microsoft Web site for all currently available updates to your specific version +of Windows 95.

      1. Kernel Update: KRNLUPD.EXE

      2. Ping Fix: PINGUPD.EXE

      3. RPC Update: RPCRTUPD.EXE

      4. TCP/IP Update: VIPUPD.EXE

      5. Redirector Update: VRDRUPD.EXE

      Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This +fix may stop your machine from hanging for an extended period when exiting +OutLook and you may also notice a significant speedup when accessing network +neighborhood services.

      22.4. Windows '95/'98

      22.5. Windows 2000 Service Pack 2

      +There are several annoyances with Windows 2000 SP2. One of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +likely occur if it is not.

      +In order to server profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have +nt acl support = no +added to the file share which houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, etc...). See the +smb.conf(5) man page +for more details on this option. Also note that the +nt acl support parameter was formally a global parameter in +releases prior to Samba 2.2.2.

      +The following is a minimal profile share:

      	[profile]
+		path = /export/profile
+		create mask = 0600
+		directory mask = 0700
+		nt acl support = no
+		read only = no

      The reason for this bug is that the Win2k SP2 client copies +the security descriptor for the profile which contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different that the one assigned to DOMAIN\user. Hence the reason +for the "access denied" message.

      By disabling the nt acl support parameter, Samba will send +the Win2k client a response to the QuerySecurityDescriptor +trans2 call which causes the client to set a default ACL +for the profile. This default ACL includes

      DOMAIN\user "Full Control"

      NOTE : This bug does not occur when using winbind to +create accounts on the Samba host for Domain users.

      Chapter 23. How to compile SAMBA

      You can obtain the samba source from the samba website. To obtain a development version, +you can download samba from CVS or using rsync.

      23.1. Access Samba source code via CVS

      23.1.1. Introduction

      Samba is developed in an open environment. Developers use CVS +(Concurrent Versioning System) to "checkin" (also known as +"commit") new source code. Samba's various CVS branches can +be accessed via anonymous CVS using the instructions +detailed in this chapter.

      This chapter is a modified version of the instructions found at +http://samba.org/samba/cvs.html

      23.1.2. CVS Access to samba.org

      The machine samba.org runs a publicly accessible CVS +repository for access to the source code of several packages, +including samba, rsync and jitterbug. There are two main ways of +accessing the CVS server on this host.

      23.1.2.1. Access via CVSweb

      You can access the source code via your +favourite WWW browser. This allows you to access the contents of +individual files in the repository and also to look at the revision +history and commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository.

      Use the URL : http://samba.org/cgi-bin/cvsweb

      23.1.2.2. Access via cvs

      You can also access the source code via a +normal cvs client. This gives you much more control over you can +do with the repository and allows you to checkout whole source trees +and keep them up to date via normal cvs commands. This is the +preferred method of access if you are a developer and not +just a casual browser.

      To download the latest cvs source code, point your +browser at the URL : http://www.cyclic.com/. +and click on the 'How to get cvs' link. CVS is free software under +the GNU GPL (as is Samba). Note that there are several graphical CVS clients +which provide a graphical interface to the sometimes mundane CVS commands. +Links to theses clients are also available from http://www.cyclic.com.

      To gain access via anonymous cvs use the following steps. +For this example it is assumed that you want a copy of the +samba source code. For the other source code repositories +on this system just substitute the correct package name

      1. Install a recent copy of cvs. All you really need is a + copy of the cvs client binary. +

      2. Run the command +

        cvs -d :pserver:cvs@samba.org:/cvsroot login +

        When it asks you for a password type cvs. +

      3. Run the command +

        cvs -d :pserver:cvs@samba.org:/cvsroot co samba +

        This will create a directory called samba containing the + latest samba source code (i.e. the HEAD tagged cvs branch). This + currently corresponds to the 3.0 development tree. +

        CVS branches other HEAD can be obtained by using the -r + and defining a tag name. A list of branch tag names can be found on the + "Development" page of the samba web site. A common request is to obtain the + latest 2.2 release code. This could be done by using the following command. +

        cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba +

      4. Whenever you want to merge in the latest code changes use + the following command from within the samba directory: +

        cvs update -d -P +

      23.2. Accessing the samba sources via rsync and ftp

      pserver.samba.org also exports unpacked copies of most parts of the CVS tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. + See the rsync homepage for more info on rsync. +

      The disadvantage of the unpacked trees + is that they do not support automatic + merging of local changes like CVS does. + rsync access is most convenient for an + initial install. +

      23.3. Building the Binaries

      To do this, first run the program ./configure + in the source directory. This should automatically + configure Samba for your operating system. If you have unusual + needs then you may wish to run

      root# ./configure --help +

      first to see what special options you can enable. + Then executing

      root# make

      will create the binaries. Once it's successfully + compiled you can use

      root# make install

      to install the binaries and manual pages. You can + separately install the binaries and/or man pages using

      root# make installbin +

      and

      root# make installman +

      Note that if you are upgrading for a previous version + of Samba you might like to know that the old versions of + the binaries will be renamed with a ".old" extension. You + can go back to the previous version with

      root# make revert +

      if you find this version a disaster!

      23.4. Starting the smbd and nmbd

      You must choose to start smbd and nmbd either + as daemons or from inetd. Don't try + to do both! Either you can put them in inetd.conf and have them started on demand + by inetd, or you can start them as + daemons either from the command line or in /etc/rc.local. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start + Samba. In many cases you must be root.

      The main advantage of starting smbd + and nmbd using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request.

      23.4.1. Starting from inetd.conf

      When using Windows 95 OEM SR2 the following updates are recommended where Samba -is being used. Please NOTE that the above change will affect you once these -updates have been installed.

      NOTE; The following will be different if + you use NIS, NIS+ or LDAP to distribute services maps.

      -There are more updates than the ones mentioned here. You are referred to the -Microsoft Web site for all currently available updates to your specific version -of Windows 95.

      Look at your /etc/services. + What is defined at port 139/tcp. If nothing is defined + then add a line like this:

      netbios-ssn 139/tcp

      1. Kernel Update: KRNLUPD.EXE

      2. similarly for 137/udp you should have an entry like:

        Ping Fix: PINGUPD.EXE

      3. netbios-ns 137/udp

        RPC Update: RPCRTUPD.EXE

      4. Next edit your /etc/inetd.conf + and add two lines something like this:

        TCP/IP Update: VIPUPD.EXE

      5. 		netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
+		netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd 
+

        Redirector Update: VRDRUPD.EXE

      The exact syntax of /etc/inetd.conf + varies between unixes. Look at the other entries in inetd.conf + for a guide.

      Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This -fix may stop your machine from hanging for an extended period when exiting -OutLook and you may also notice a significant speedup when accessing network -neighborhood services.

      22.5. Windows 2000 Service Pack 2

      NOTE: Some unixes already have entries like netbios_ns + (note the underscore) in /etc/services. + You must either edit /etc/services or + /etc/inetd.conf to make them consistent.

      NOTE: On many systems you may need to use the + "interfaces" option in smb.conf to specify the IP address + and netmask of your interfaces. Run ifconfig -There are several annoyances with Windows 2000 SP2. One of which -only appears when using a Samba server to host user profiles -to Windows 2000 SP2 clients in a Windows domain. This assumes -that Samba is a member of the domain, but the problem will -likely occur if it is not.

      nmbd       tries to determine it at run + time, but fails on some unixes. See the section on "testing nmbd" + for a method of finding if you need to do this.

      -In order to server profiles successfully to Windows 2000 SP2 -clients (when not operating as a PDC), Samba must have -!!!WARNING!!! Many unixes only accept around 5 + parameters on the command line in inetd.conf. + This means you shouldn't use spaces between the options and + arguments, or you should use a script, and start the script + from nt acl support = no -added to the file share which houses the roaming profiles. -If this is not done, then the Windows 2000 SP2 client will -complain about not being able to access the profile (Access -Denied) and create multiple copies of it on disk (DOMAIN.user.001, -DOMAIN.user.002, etc...). See the -smb.conf(5) man page -for more details on this option. Also note that the -inetd.

      Restart nt acl support parameter was formally a global parameter in -releases prior to Samba 2.2.2.

      inetd, perhaps just send + it a HUP. If you have installed an earlier version of nmbd then you may need to kill nmbd as well.

      23.4.2. Alternative: starting it as a daemon

      -The following is a minimal profile share:

      To start the server as a daemon you should create + a script something like this one, perhaps calling + it startsmb.

      	[profile]
-		path = /export/profile
-		create mask = 0600
-		directory mask = 0700
-		nt acl support = no
-		read only = no
      #!/bin/sh + /usr/local/samba/bin/smbd -D + /usr/local/samba/bin/nmbd -D +

      The reason for this bug is that the Win2k SP2 client copies -the security descriptor for the profile which contains -the Samba server's SID, and not the domain SID. The client -compares the SID for SAMBA\user and realizes it is -different that the one assigned to DOMAIN\user. Hence the reason -for the "access denied" message.

      then make it executable with chmod + +x startsmb

      By disabling the You can then run nt acl support parameter, Samba will send -the Win2k client a response to the QuerySecurityDescriptor -trans2 call which causes the client to set a default ACL -for the profile. This default ACL includes

      startsmb by + hand or execute it from /etc/rc.local +

      To kill it send a kill signal to the processes + DOMAIN\user "Full Control"

      nmbd and smbd.

      NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users.

      NOTE: If you use the SVR4 style init system then + you may like to look at the examples/svr4-startup + script to make Samba fit into that system.

      Chapter 23. Reporting BugsChapter 24. Reporting Bugs

      23.1. Introduction

      24.1. Introduction

      The email address for bug reports for stable releases is

      23.2. General info

      24.2. General info

      Before submitting a bug report check your config for silly errors. Look in your log files for obvious messages that tell you that @@ -16581,9 +16606,9 @@ CLASS="SECT1" >

      23.3. Debug levels

      24.3. Debug levels

      If the bug has anything to do with Samba behaving incorrectly as a server (like refusing to open a file) then the log files will probably @@ -16651,9 +16676,9 @@ CLASS="SECT1" >

      23.4. Internal errors

      24.4. Internal errors

      If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a @@ -16695,9 +16720,9 @@ CLASS="SECT1" >

      23.5. Attaching to a running process

      24.5. Attaching to a running process

      Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd @@ -16712,9 +16737,9 @@ CLASS="SECT1" >

      23.6. Patches

      24.6. Patches

      The best sort of bug report is one that includes a fix! If you send us patches please use Chapter 24. Diagnosing your samba serverChapter 25. The samba checklist

      24.1. Introduction

      25.1. Introduction

      This file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem @@ -16763,9 +16788,9 @@ CLASS="SECT1" >

      24.2. Assumptions

      25.2. Assumptions

      In all of the tests it is assumed you have a Samba server called BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP.

      24.3. Tests

      25.3. Tests

      24.3.1. Test 1

      25.3.1. Test 1

      In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -16831,9 +16856,9 @@ CLASS="SECT2" >

      24.3.2. Test 2

      25.3.2. Test 2

      Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -16857,9 +16882,9 @@ CLASS="SECT2" >

      24.3.3. Test 3

      25.3.3. Test 3

      Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back.

      24.3.4. Test 4

      25.3.4. Test 4

      Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back.

      24.3.5. Test 5

      25.3.5. Test 5

      run the command

      24.3.6. Test 6

      25.3.6. Test 6

      Run the command

      24.3.7. Test 7

      25.3.7. Test 7

      Run the command . You should then be prompted for a password. You should use the password of the account you are logged into the unix box with. If you want to test with -another account then add the -U >accountname< option to the end of +another account then add the -U >accountname< option to the end of the command line. eg: etc. Type help >command<help >command< for instructions. You should especially check that the amount of free disk space shown is correct when you type

      24.3.8. Test 8

      25.3.8. Test 8

      On the PC type the command

      24.3.9. Test 9

      25.3.9. Test 9

      Run the command

      24.3.10. Test 10

      25.3.10. Test 10

      Run the command

      24.3.11. Test 11

      25.3.11. Test 11

      From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -17241,9 +17266,9 @@ CLASS="SECT1" >

      24.4. Still having troubles?

      25.4. Still having troubles?

      Try the mailing list or newsgroup, or use the ethereal utility to sniff the problem. The official samba mailing list can be reached at diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html index 2c556b61f3..6fc44d9170 100644 --- a/docs/htmldocs/ads.html +++ b/docs/htmldocs/ads.html @@ -5,7 +5,7 @@ >Samba as a ADS domain member

      7.1. Installing the required packages for Debian

      7.1. Installing the required packages for Debian

      On Debian you need to install the following packages:

      7.2. Installing the required packages for RedHat

      7.2. Installing the required packages for RedHat

      On RedHat this means you should have at least:

      7.3. Compile Samba

      7.3. Compile Samba

      If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.

      7.4. Setup your /etc/krb5.conf

      7.4. Setup your /etc/krb5.conf

      The minimal configuration for krb5.conf is:

      7.5. Create the computer account

      7.5. Create the computer account

      As a user that has write permission on the Samba private directory (usually root) run: @@ -291,9 +291,9 @@ CLASS="SECT2" >

      7.5.1. Possible errors

      7.5.1. Possible errors

      7.6. Test your server setup

      7.6. Test your server setup

      On a Windows 2000 client try

      7.7. Testing with smbclient

      7.7. Testing with smbclient

      On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but @@ -349,9 +349,9 @@ CLASS="SECT1" >

      7.8. Notes

      7.8. Notes

      You must change administrator password at least once after DC install, to create the right encoding types

      AppendixesPrev
      21.1. HPUX
      21.2. SCO Unix
      21.3. DNIX
      21.4. RedHat Linux Rembrandt-II
      21.5. AIX
      21.5.1. Sequential Read Ahead
      22.1. Macintosh clients?
      22.2. OS2 Client
      22.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
      22.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
      22.2.3. Are there any other issues when OS/2 (any version) is used as a client?
      22.2.4. How do I get printer driver download working for OS/2 clients?
      22.3. Windows for Workgroups
      22.3.1. Use latest TCP/IP stack from Microsoft
      22.3.2. Delete .pwl files after password change
      22.3.3. Configure WfW password handling
      22.3.4. Case handling of passwords
      22.3.5. Use TCP/IP as default protocol
      22.4. Windows '95/'98
      22.5. Windows 2000 Service Pack 2
      23. Reporting BugsHow to compile SAMBA
      23.1. Access Samba source code via CVS
      23.1.1. Introduction
      23.1.2. CVS Access to samba.org
      23.2. General infoAccessing the samba sources via rsync and ftp
      23.3. Debug levelsBuilding the Binaries
      23.4. Starting the smbd and nmbd
      23.4.1. Starting from inetd.conf
      23.4.2. Alternative: starting it as a daemon
      24. Reporting Bugs
      24.1. Introduction
      24.2. General info
      24.3. Debug levels
      24.4. Internal errors
      23.5. 24.5. Attaching to a running process
      23.6. 24.6. Patches
      24. 25. Diagnosing your samba serverThe samba checklist
      24.1. 25.1. Introduction
      24.2. 25.2. Assumptions
      24.3. 25.3. Tests
      24.3.1. 25.3.1. Test 1
      24.3.2. 25.3.2. Test 2
      24.3.3. 25.3.3. Test 3
      24.3.4. 25.3.4. Test 4
      24.3.5. 25.3.5. Test 5
      24.3.6. 25.3.6. Test 6
      24.3.7. 25.3.7. Test 7
      24.3.8. 25.3.8. Test 8
      24.3.9. 25.3.9. Test 9
      24.3.10. 25.3.10. Test 10
      24.3.11. 25.3.11. Test 11
      24.4. 25.4. Still having troubles?
      PrevCreating Group ProfilesSecuring Samba
Chapter 23. Reporting BugsChapter 24. Reporting Bugs

23.1. Introduction

24.1. Introduction

The email address for bug reports for stable releases is

23.2. General info

24.2. General info

Before submitting a bug report check your config for silly errors. Look in your log files for obvious messages that tell you that @@ -150,9 +150,9 @@ CLASS="SECT1" >

23.3. Debug levels

24.3. Debug levels

If the bug has anything to do with Samba behaving incorrectly as a server (like refusing to open a file) then the log files will probably @@ -220,9 +220,9 @@ CLASS="SECT1" >

23.4. Internal errors

24.4. Internal errors

If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a @@ -264,9 +264,9 @@ CLASS="SECT1" >

23.5. Attaching to a running process

24.5. Attaching to a running process

Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd @@ -281,9 +281,9 @@ CLASS="SECT1" >

23.6. Patches

24.6. Patches

The best sort of bug report is one that includes a fix! If you send us patches please use PrevSamba and other CIFS clientsHow to compile SAMBA

The samba checklist
Quick Cross Subnet Browsing / Cross Workgroup Browsing guide

Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS +over TCP/IP. Samba-3 and later also supports this mode of operation.

2.1. Discussion

2.1. Discussion

Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging is implemented using NetBIOS. Samba -implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can -do likewise. NetBIOS based networking uses broadcast messaging to affect -browse list management. When running NetBIOS over TCP/IP this uses UDP -based messaging. UDP messages can be broadcast or unicast.

Normally, only unicast UDP messaging can be forwarded by routers. The "remote announce" parameter to smb.conf helps to project browse announcements @@ -109,18 +112,23 @@ segment is configured with it's own Samba WINS server, then the only way to get cross segment browsing to work is by using the "remote announce" and the "remote browse sync" parameters to your smb.conf file.

If only one WINS server is used then the use of the "remote announce" and the -"remote browse sync" parameters should NOT be necessary.

If only one WINS server is used for an entire multi-segment network then +the use of the "remote announce" and the "remote browse sync" parameters +should NOT be necessary.

Samba WINS does not support MS-WINS replication. This means that when setting up -Samba as a WINS server there must only be one nmbd configured as a WINS server -on the network. Some sites have used multiple Samba WINS servers for redundancy -(one server per subnet) and then used "remote browse sync" and "remote announce" -to affect browse list collation across all segments. Note that this means -clients will only resolve local names, and must be configured to use DNS to -resolve names on other subnets in order to resolve the IP addresses of the -servers they can see on other subnets. This setup is not recommended, but is -mentioned as a practical consideration (ie: an 'if all else fails' scenario).

As of Samba-3 WINS replication is being worked on. The bulk of the code has +been committed, but it still needs maturation.

Right now samba WINS does not support MS-WINS replication. This means that +when setting up Samba as a WINS server there must only be one nmbd configured +as a WINS server on the network. Some sites have used multiple Samba WINS +servers for redundancy (one server per subnet) and then used "remote browse +sync" and "remote announce" to affect browse list collation across all +segments. Note that this means clients will only resolve local names, +and must be configured to use DNS to resolve names on other subnets in +order to resolve the IP addresses of the servers they can see on other +subnets. This setup is not recommended, but is mentioned as a practical +consideration (ie: an 'if all else fails' scenario).

Lastly, take note that browse lists are a collection of unreliable broadcast messages that are repeated at intervals of not more than 15 minutes. This means @@ -132,9 +140,9 @@ CLASS="SECT1" >

2.2. Use of the "Remote Announce" parameter

2.2. Use of the "Remote Announce" parameter

The "remote announce" parameter of smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. @@ -190,9 +198,9 @@ CLASS="SECT1" >

2.3. Use of the "Remote Browse Sync" parameter

2.3. Use of the "Remote Browse Sync" parameter

The "remote browse sync" parameter of smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our @@ -213,9 +221,9 @@ CLASS="SECT1" >

2.4. Use of WINS

2.4. Use of WINS

Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly recommended. Every NetBIOS machine registers it's name together with a @@ -267,22 +275,23 @@ CLASS="emphasis" CLASS="EMPHASIS" >DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d" -particularly not using it's own IP address.

use both "wins support = yes" together +with "wins server = a.b.c.d" particularly not using it's own IP address. +Specifying both will cause nmbd to refuse to start!

2.5. Do NOT use more than one (1) protocol on MS Windows machines

2.5. Do NOT use more than one (1) protocol on MS Windows machines

A very common cause of browsing problems results from installing more than one protocol on an MS Windows machine.

Every NetBIOS machine take part in a process of electing the LMB (and DMB) +>Every NetBIOS machine takes part in a process of electing the LMB (and DMB) every 15 minutes. A set of election criteria is used to determine the order of precidence for winning this election process. A machine running Samba or Windows NT will be biased so that the most suitable machine will predictably @@ -298,6 +307,19 @@ interface over the IPX protocol. Samba will then lose the LMB role as Windows as an LMB and thus browse list operation on all TCP/IP only machines will fail.

Windows 95, 98, 98se, Me are referred to generically as Windows 9x. +The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly +referred to as the WinNT family, but it should be recognised that 2000 and +XP/2003 introduce new protocol extensions that cause them to behave +differently from MS Windows NT4. Generally, where a server does NOT support +the newer or extended protocol, these will fall back to the NT4 protocols.

The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!

2.6. Name Resolution Order

2.6. Name Resolution Order

Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information diff --git a/docs/htmldocs/bugreport.html b/docs/htmldocs/bugreport.html index 813d0055cc..cc4fc83df6 100644 --- a/docs/htmldocs/bugreport.html +++ b/docs/htmldocs/bugreport.html @@ -5,7 +5,7 @@ >Reporting BugsPrev

Diagnosing your samba server
+How to compile SAMBA
SAMBA Project Documentation
PrevNext

Chapter 23. How to compile SAMBA

You can obtain the samba source from the samba website. To obtain a development version, +you can download samba from CVS or using rsync.

23.1. Access Samba source code via CVS

23.1.1. Introduction

Samba is developed in an open environment. Developers use CVS +(Concurrent Versioning System) to "checkin" (also known as +"commit") new source code. Samba's various CVS branches can +be accessed via anonymous CVS using the instructions +detailed in this chapter.

This chapter is a modified version of the instructions found at +http://samba.org/samba/cvs.html

23.1.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS +repository for access to the source code of several packages, +including samba, rsync and jitterbug. There are two main ways of +accessing the CVS server on this host.

23.1.2.1. Access via CVSweb

You can access the source code via your +favourite WWW browser. This allows you to access the contents of +individual files in the repository and also to look at the revision +history and commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository.

Use the URL : http://samba.org/cgi-bin/cvsweb

23.1.2.2. Access via cvs

You can also access the source code via a +normal cvs client. This gives you much more control over you can +do with the repository and allows you to checkout whole source trees +and keep them up to date via normal cvs commands. This is the +preferred method of access if you are a developer and not +just a casual browser.

To download the latest cvs source code, point your +browser at the URL : http://www.cyclic.com/. +and click on the 'How to get cvs' link. CVS is free software under +the GNU GPL (as is Samba). Note that there are several graphical CVS clients +which provide a graphical interface to the sometimes mundane CVS commands. +Links to theses clients are also available from http://www.cyclic.com.

To gain access via anonymous cvs use the following steps. +For this example it is assumed that you want a copy of the +samba source code. For the other source code repositories +on this system just substitute the correct package name

  1. Install a recent copy of cvs. All you really need is a + copy of the cvs client binary. +

  2. Run the command +

    cvs -d :pserver:cvs@samba.org:/cvsroot login +

    When it asks you for a password type cvs. +

  3. Run the command +

    cvs -d :pserver:cvs@samba.org:/cvsroot co samba +

    This will create a directory called samba containing the + latest samba source code (i.e. the HEAD tagged cvs branch). This + currently corresponds to the 3.0 development tree. +

    CVS branches other HEAD can be obtained by using the -r + and defining a tag name. A list of branch tag names can be found on the + "Development" page of the samba web site. A common request is to obtain the + latest 2.2 release code. This could be done by using the following command. +

    cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba +

  4. Whenever you want to merge in the latest code changes use + the following command from within the samba directory: +

    cvs update -d -P +

23.2. Accessing the samba sources via rsync and ftp

pserver.samba.org also exports unpacked copies of most parts of the CVS tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. + See the rsync homepage for more info on rsync. +

The disadvantage of the unpacked trees + is that they do not support automatic + merging of local changes like CVS does. + rsync access is most convenient for an + initial install. +

23.3. Building the Binaries

To do this, first run the program ./configure + in the source directory. This should automatically + configure Samba for your operating system. If you have unusual + needs then you may wish to run

root# ./configure --help +

first to see what special options you can enable. + Then executing

root# make

will create the binaries. Once it's successfully + compiled you can use

root# make install

to install the binaries and manual pages. You can + separately install the binaries and/or man pages using

root# make installbin +

and

root# make installman +

Note that if you are upgrading for a previous version + of Samba you might like to know that the old versions of + the binaries will be renamed with a ".old" extension. You + can go back to the previous version with

root# make revert +

if you find this version a disaster!

23.4. Starting the smbd and nmbd

You must choose to start smbd and nmbd either + as daemons or from inetd. Don't try + to do both! Either you can put them in inetd.conf and have them started on demand + by inetd, or you can start them as + daemons either from the command line or in /etc/rc.local. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start + Samba. In many cases you must be root.

The main advantage of starting smbd + and nmbd using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request.

23.4.1. Starting from inetd.conf

NOTE; The following will be different if + you use NIS, NIS+ or LDAP to distribute services maps.

Look at your /etc/services. + What is defined at port 139/tcp. If nothing is defined + then add a line like this:

netbios-ssn 139/tcp

similarly for 137/udp you should have an entry like:

netbios-ns 137/udp

Next edit your /etc/inetd.conf + and add two lines something like this:

		netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
+		netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd 
+

The exact syntax of /etc/inetd.conf + varies between unixes. Look at the other entries in inetd.conf + for a guide.

NOTE: Some unixes already have entries like netbios_ns + (note the underscore) in /etc/services. + You must either edit /etc/services or + /etc/inetd.conf to make them consistent.

NOTE: On many systems you may need to use the + "interfaces" option in smb.conf to specify the IP address + and netmask of your interfaces. Run ifconfig + as root if you don't know what the broadcast is for your + net. nmbd tries to determine it at run + time, but fails on some unixes. See the section on "testing nmbd" + for a method of finding if you need to do this.

!!!WARNING!!! Many unixes only accept around 5 + parameters on the command line in inetd.conf. + This means you shouldn't use spaces between the options and + arguments, or you should use a script, and start the script + from inetd.

Restart inetd, perhaps just send + it a HUP. If you have installed an earlier version of nmbd then you may need to kill nmbd as well.

23.4.2. Alternative: starting it as a daemon

To start the server as a daemon you should create + a script something like this one, perhaps calling + it startsmb.

		#!/bin/sh
+		/usr/local/samba/bin/smbd -D 
+		/usr/local/samba/bin/nmbd -D 
+

then make it executable with chmod + +x startsmb

You can then run startsmb by + hand or execute it from /etc/rc.local +

To kill it send a kill signal to the processes + nmbd and smbd.

NOTE: If you use the SVR4 style init system then + you may like to look at the examples/svr4-startup + script to make Samba fit into that system.

PrevHomeNext
Samba and other CIFS clientsUpReporting Bugs
\ No newline at end of file diff --git a/docs/htmldocs/cvs-access.html b/docs/htmldocs/cvs-access.html deleted file mode 100644 index 4e088faf70..0000000000 --- a/docs/htmldocs/cvs-access.html +++ /dev/null @@ -1,307 +0,0 @@ - -Access Samba source code via CVS
SAMBA Project Documentation
PrevNext

Chapter 17. Access Samba source code via CVS

17.1. Introduction

Samba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter.

This document is a modified version of the instructions found at -http://samba.org/samba/cvs.html

17.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host.

17.2.1. Access via CVSweb

You can access the source code via your -favourite WWW browser. This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository.

Use the URL : http://samba.org/cgi-bin/cvsweb

17.2.2. Access via cvs

You can also access the source code via a -normal cvs client. This gives you much more control over you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser.

To download the latest cvs source code, point your -browser at the URL : http://www.cyclic.com/. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com.

To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name

  1. Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. -

  2. Run the command -

    cvs -d :pserver:cvs@samba.org:/cvsroot login -

    When it asks you for a password type cvs. -

  3. Run the command -

    cvs -d :pserver:cvs@samba.org:/cvsroot co samba -

    This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. -

    CVS branches other HEAD can be obtained by using the -r - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. -

    cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba -

  4. Whenever you want to merge in the latest code changes use - the following command from within the samba directory: -

    cvs update -d -P -

PrevHomeNext
Stackable VFS modulesUpGroup mapping HOWTO
\ No newline at end of file diff --git a/docs/htmldocs/diagnosis.html b/docs/htmldocs/diagnosis.html index 0c71043074..e91ac21f03 100644 --- a/docs/htmldocs/diagnosis.html +++ b/docs/htmldocs/diagnosis.html @@ -2,10 +2,10 @@ Diagnosing your samba serverThe samba checklistChapter 24. Diagnosing your samba serverChapter 25. The samba checklist

24.1. Introduction

25.1. Introduction

This file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem @@ -95,9 +95,9 @@ CLASS="SECT1" >

24.2. Assumptions

25.2. Assumptions

In all of the tests it is assumed you have a Samba server called BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP.

24.3. Tests

25.3. Tests

24.3.1. Test 1

25.3.1. Test 1

In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -163,9 +163,9 @@ CLASS="SECT2" >

24.3.2. Test 2

25.3.2. Test 2

Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -189,9 +189,9 @@ CLASS="SECT2" >

24.3.3. Test 3

25.3.3. Test 3

Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back.

24.3.4. Test 4

25.3.4. Test 4

Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back.

24.3.5. Test 5

25.3.5. Test 5

run the command

24.3.6. Test 6

25.3.6. Test 6

Run the command

24.3.7. Test 7

25.3.7. Test 7

Run the command . You should then be prompted for a password. You should use the password of the account you are logged into the unix box with. If you want to test with -another account then add the -U >accountname< option to the end of +another account then add the -U >accountname< option to the end of the command line. eg: etc. Type help >command<help >command< for instructions. You should especially check that the amount of free disk space shown is correct when you type

24.3.8. Test 8

25.3.8. Test 8

On the PC type the command

24.3.9. Test 9

25.3.9. Test 9

Run the command

24.3.10. Test 10

25.3.10. Test 10

Run the command

24.3.11. Test 11

25.3.11. Test 11

From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -573,9 +573,9 @@ CLASS="SECT1" >

24.4. Still having troubles?

25.4. Still having troubles?

Try the mailing list or newsgroup, or use the ethereal utility to sniff the problem. The official samba mailing list can be reached at diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html index fcb40641e4..d47138d791 100644 --- a/docs/htmldocs/domain-security.html +++ b/docs/htmldocs/domain-security.html @@ -5,7 +5,7 @@ >Samba as a NT4 or Win2k domain member

8.1. Joining an NT Domain with Samba 3.0

8.1. Joining an NT Domain with Samba 3.0

Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1SERV1 and are joining an or Win2k NT domain called - DOMDOM, which has a PDC with a NetBIOS name - of DOMPDCDOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC1 and DOMBDC2 - .

Firstly, you must edit your Change (or add) your security =security = line in the [global] section of your smb.conf to read:

Next change the workgroup = workgroup = line in the [global] section to read:

You must also have the parameter encrypt passwordsencrypt passwords set to set to yes - in order for your users to authenticate to the NT PDC.

Finally, add (or modify) a password server =password server = line in the [global] section to read:

In order to actually join the domain, you must run this command:

root# root# net join -S DOMPDC - -UAdministrator%passwordAdministrator%password

as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%passwordAdministrator%password is the login name and password for an account which has the necessary privilege to add machines to the domain. If this is successful you will see the message:

Joined domain DOM.Joined domain DOM. - or Joined 'SERV1' to realm 'MYREALM'Joined 'SERV1' to realm 'MYREALM'

8.2. Samba and Windows 2000 Domains

8.2. Samba and Windows 2000 Domains

Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows @@ -296,16 +282,16 @@ CLASS="SECT1" >

8.3. Why is this better than security = server?

8.3. Why is this better than security = server?

Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching - to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs to be a local Unix user fred to represent that user in the Unix filesystem. This is very similar to the older Samba security mode diff --git a/docs/htmldocs/findsmb.1.html b/docs/htmldocs/findsmb.1.html index bf63db867c..bc0aec55c0 100644 --- a/docs/htmldocs/findsmb.1.html +++ b/docs/htmldocs/findsmb.1.html @@ -5,7 +5,7 @@ >findsmbnmblookup(1) - will be called with -B-B option.

nmblookup(1) - as part of the -B-B option.

The command with The command with -r-r option must be run on a system without is running on the system, you will only get the IP address and the DNS name of the machine. To get proper responses from Windows 95 and Windows 98 machines, - the command must be run as root and with -r-r option on a machine without findsmb - without -r-r option set would yield output similar to the following

Group mapping HOWTOPrevChapter 18. Group mapping HOWTOChapter 17. Group mapping HOWTO
 
 Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
@@ -185,7 +185,7 @@ WIDTH="33%"
 ALIGN="left"
 VALIGN="top"
 >PrevAccess Samba source code via CVSStackable VFS modulesCreating Group ProfilesCreating Group Prolicy FilesNextChapter 20. Creating Group ProfilesChapter 19. Creating Group Prolicy Files
20.1. Windows '9x
19.1. Windows '9x
You need the Win98 Group Policy Editor to
 set Group Profiles up under Windows '9x. It can be found on the Original
@@ -106,25 +106,28 @@ CLASS="FILENAME"
 > that needs to be placed in
 the root of the [NETLOGON] share. If your Win98 is configured to log onto
 the Samba Domain, it will automatically read this file and update the
-Win98 registry of the machine that is logging on.
All of this is covered in the Win98 Resource Kit documentation.
If you do not do it this way, then every so often Win98 will check the
+>If you do not do it this way, then every so often Win9x/Me will check the
 integrity of the registry and will restore it's settings from the back-up
-copy of the registry it stores on each Win98 machine. Hence, you will notice
-things changing back to the original settings.
The following all refers to Windows NT/200x profile migration - not to policies.
+We need a separate section on policies (NTConfig.Pol) for NT4/200x.
20.2. Windows NT 4
19.2. Windows NT 4
Unfortunately, the Resource Kit info is Win NT4/2K version specific.
Unfortunately, the Resource Kit info is Win NT4 or 200x specific.
Here is a quick guide:
I am using the term "migrate" lossely. You can copy a profile to
+>I am using the term "migrate" lossely. You can copy a profile to
 create a group profile. You can give the user 'Everyone' rights to the
 profile you copy this to. That is what you need to do, since your samba
 domain is not a member of a trust relationship with your NT4 PDC.
20.2.1. Side bar Notes
19.2.1. Side bar Notes
You should obtain the SID of your NT4 domain. You can use smbpasswd to do
 this. Read the man page.
20.2.2. Mandatory profiles
19.2.2. Mandatory profiles
The above method can be used to create mandatory profiles also. To convert
 a group profile into a mandatory profile simply locate the NTUser.DAT file
@@ -230,9 +233,9 @@ CLASS="SECT2"
 >
20.2.3. moveuser.exe
19.2.3. moveuser.exe
The W2K professional resource kit has moveuser.exe. moveuser.exe changes
 the security of a profile from one user to another.  This allows the account 
@@ -243,9 +246,9 @@ CLASS="SECT2"
 >
20.2.4. Get SID
19.2.4. Get SID
You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
 Resource Kit.
20.3. Windows 2000/XP
19.3. Windows 2000/XP
You must first convert the profile from a local profile to a domain
 profile on the MS Windows workstation as follows:
NextAppendixesSecuring Samba
Improved browsing in samba
15.1. Overview of browsing
15.1. Overview of browsing
SMB networking provides a mechanism by which clients can access a list
 of machines in a network, a so-called "browse list".  This list
@@ -93,8 +93,13 @@ list is heavily used by all SMB clients.  Configuration of SMB
 browsing has been problematic for some Samba users, hence this
 document.
Browsing will NOT work if name resolution from NetBIOS names to IP
-addresses does not function correctly. Use of a WINS server is highly
+>MS Windows 2000 and later, as with Samba-3 and later, can be
+configured to not use NetBIOS over TCP/IP. When configured this way
+it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
+configured and operative. Browsing will NOT work if name resolution
+from SMB machine names to IP addresses does not function correctly.
Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
 recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
 WINS allows remote segment clients to obtain NetBIOS name_type information
 that can NOT be provided by any other means of name resolution.
15.2. Browsing support in samba
15.2. Browsing support in samba
Samba now fully supports browsing.  The browsing is supported by nmbd
-and is also controlled by options in the smb.conf file (see smb.conf(5)).
Samba can act as a local browse master for a workgroup and the ability
-for samba to support domain logons and scripts is now available.  See
-DOMAIN.txt for more information on domain logons.
Samba facilitates browsing.  The browsing is supported by nmbd
+and is also controlled by options in the smb.conf file (see smb.conf(5)).
+Samba can act as a local browse master for a workgroup and the ability
+for samba to support domain logons and scripts is now available.
Samba can also act as a domain master browser for a workgroup.  This
 means that it will collate lists from local browse masters into a
@@ -128,12 +131,12 @@ regardless of whether it is NT, Samba or any other type of domain master
 that is providing this service.
[Note that nmbd can be configured as a WINS server, but it is not
-necessary to specifically use samba as your WINS server.  NTAS can
-be configured as your WINS server.  In a mixed NT server and
-samba environment on a Wide Area Network, it is recommended that
-you use the NT server's WINS server capabilities.  In a samba-only
-environment, it is recommended that you use one and only one nmbd
-as your WINS server].
To get browsing to work you need to run nmbd as usual, but will need
 to use the "workgroup" option in smb.conf to control what workgroup
@@ -149,9 +152,9 @@ CLASS="SECT1"
 >
15.3. Problem resolution
15.3. Problem resolution
If something doesn't work then hopefully the log.nmb file will help
 you track down the problem.  Try a debug level of 2 or 3 for finding
@@ -167,6 +170,19 @@ filemanager should display the list of available shares.
MS Windows 2000 and upwards (as with Samba) can be configured to disallow
+anonymous (ie: Guest account) access to the IPC$ share. In that case, the
+MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
+name of the currently logged in user to query the IPC$ share. MS Windows
+9X clients are not able to do this and thus will NOT be able to browse
+server resources.
Also, a lot of people are getting bitten by the problem of too many
 parameters on the command line of nmbd in inetd.conf.  This trick is to
 not use spaces between the option and the parameter (eg: -d2 instead
@@ -183,11 +199,11 @@ CLASS="SECT1"
 >
15.4. Browsing across subnets
15.4. Browsing across subnets
With the release of Samba 1.9.17(alpha1 and above) Samba has been
+>Since the release of Samba 1.9.17(alpha1) Samba has been
 updated to enable it to support the replication of browse lists
 across subnet boundaries.  New code and options have been added to
 achieve this.  This section describes how to set this feature up
@@ -214,15 +230,14 @@ CLASS="SECT2"
 >
15.4.1. How does cross subnet browsing work ?
15.4.1. How does cross subnet browsing work ?
Cross subnet browsing is a complicated dance, containing multiple
 moving parts.  It has taken Microsoft several years to get the code
 that achieves this correct, and Samba lags behind in some areas.
-However, with the 1.9.17 release, Samba is capable of cross subnet
-browsing when configured correctly.
Consider a network set up as follows :
Once N2_B knows the address of the Domain master browser it
@@ -426,9 +441,9 @@ CLASS="SECT1"
 >
15.5. Setting up a WINS server
15.5. Setting up a WINS server
Either a Samba machine or a Windows NT Server machine may be set up
 as a WINS server.  To set a Samba machine to be a WINS server you must
@@ -440,9 +455,9 @@ CLASS="COMMAND"
 >		wins support = yes
Versions of Samba previous to 1.9.17 had this parameter default to
+>Versions of Samba prior to 1.9.17 had this parameter default to
 yes.  If you have any older versions of Samba on your network it is
-strongly suggested you upgrade to 1.9.17 or above, or at the very
+strongly suggested you upgrade to a recent version, or at the very
 least set the parameter to 'no' on all these machines.
Machines with "
wins server = >name or IP address<wins server = >name or IP address<
where >name or IP address< is either the DNS name of the WINS server
+>where >name or IP address< is either the DNS name of the WINS server
 machine or its IP address.
Note that this line MUST NOT BE SET in the smb.conf file of the Samba
@@ -494,7 +509,7 @@ CLASS="COMMAND"
 >" option and the 
 "wins server = >name<wins server = <name>" option then
 nmbd will fail to start.
15.6. Setting up Browsing in a WORKGROUP
15.6. Setting up Browsing in a WORKGROUP
To set up cross subnet browsing on a network containing machines
 in up to be in a WORKGROUP, not an NT Domain you need to set up one
@@ -552,11 +567,12 @@ server, if you require.
Next, you should ensure that each of the subnets contains a
 machine that can act as a local master browser for the
-workgroup.  Any NT machine should be able to do this, as will
-Windows 95 machines (although these tend to get rebooted more
-often, so it's not such a good idea to use these).  To make a 
-Samba server a local master browser set the following
-options in the [global] section of the smb.conf file :
15.7. Setting up Browsing in a DOMAIN
15.7. Setting up Browsing in a DOMAIN
If you are adding Samba servers to a Windows NT Domain then
 you must not set up a Samba server as a domain master browser.
 By default, a Windows NT Primary Domain Controller for a Domain
 name is also the Domain master browser for that name, and many
 things will break if a Samba server registers the Domain master
-browser NetBIOS name (DOMAIN>1B<) with WINS instead of the PDC.
For subnets other than the one containing the Windows NT PDC
 you may set up Samba servers as local master browsers as
@@ -644,9 +660,9 @@ CLASS="SECT1"
 >
15.8. Forcing samba to be the master
15.8. Forcing samba to be the master
Who becomes the "master browser" is determined by an election process
 using broadcasts.  Each election packet contains a number of parameters
@@ -659,8 +675,8 @@ option in smb.conf to a higher number.  It defaults to 0.  Using 34
 would make it win all elections over every other system (except other
 samba systems!)
A "os level" of 2 would make it beat WfWg and Win95, but not NTAS.  A
-NTAS domain controller uses level 32.
A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows
+NT/2K Server.  A MS Windows NT/2K Server domain controller uses level 32.
The maximum os level is 255
15.9. Making samba the domain master
15.9. Making samba the domain master
The domain master is responsible for collating the browse lists of
 multiple subnets so that browsing can occur between subnets.  You can
@@ -765,9 +781,9 @@ CLASS="SECT1"
 >
15.10. Note about broadcast addresses
15.10. Note about broadcast addresses
If your network uses a "0" based broadcast address (for example if it
 ends in a 0) then you will strike problems.  Windows for Workgroups
@@ -779,9 +795,9 @@ CLASS="SECT1"
 >
15.11. Multiple interfaces
15.11. Multiple interfaces
Samba now supports machines with multiple network interfaces.  If you
 have multiple interfaces then you will need to use the "interfaces"
diff --git a/docs/htmldocs/install.html b/docs/htmldocs/install.html
index e518e270bf..d596ba4fd9 100644
--- a/docs/htmldocs/install.html
+++ b/docs/htmldocs/install.html
@@ -5,7 +5,7 @@
 >How to Install and Test SAMBA1.1. Read the man pages
The man pages distributed with SAMBA contain 
-	lots of useful info that will help to get you started. 
-	If you don't know how to read man pages then try 
-	something like:
1.1. Obtaining and installing samba
$ man smbd.8
-	or 
-	$ nroff -man smbd.8 | more
-	 on older unixes.
Other sources of information are pointed to 
-	by the Samba web site,Binary packages of samba are included in almost any Linux or 
+	Unix distribution. There are also some packages available at 
+		http://www.samba.org

1.2. Building the Binaries

To do this, first run the program ./configure - in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run

root# ./configure --help -

first to see what special options you can enable. - Then executing

root# make

will create the binaries. Once it's successfully - compiled you can use

root# make install

to install the binaries and manual pages. You can - separately install the binaries and/or man pages using

root# make installbin -

and

root# make installman -

Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. You - can go back to the previous version with

root# make revert -

the samba homepage +

if you find this version a disaster!

If you need to compile samba from source, check the + appropriate appendix chapter.

1.3. The all important step

At this stage you must fetch yourself a - coffee or other drink you find stimulating. Getting the rest - of the install right can sometimes be tricky, so you will - probably need it.

1.2. Configuring samba

If you have installed samba before then you can skip - this step.

Samba's configuration is stored in the smb.conf file, + that usually resides in /etc/samba/smb.conf + or /usr/local/samba/lib/smb.conf. You can either + edit this file yourself or do it using one of the many graphical + tools that are available, such as the web-based interface swat, that + is included with samba.

1.4. Create the smb configuration file.

1.2.1. Editing the smb.conf file

There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them @@ -288,19 +172,18 @@ CLASS="FILENAME" >

For more information about security settings for the [homes] share please refer to the document UNIX_SECURITY.txt.

1.5. Test your config file with +NAME="AEN50" +>1.2.1.1. Test your config file with testparm

It's important that you test the validity of your smb.conf!

1.6. Starting the smbd and nmbd

You must choose to start smbd and nmbd either - as daemons or from inetd. Don't try - to do both! Either you can put them in inetd.conf and have them started on demand - by inetd, or you can start them as - daemons either from the command line or in /etc/rc.local. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.

The main advantage of starting smbd - and nmbd using the recommended daemon method - is that they will respond slightly more quickly to an initial connection - request.

1.6.1. Starting from inetd.conf

NOTE; The following will be different if - you use NIS or NIS+ to distributed services maps.

Look at your /etc/services. - What is defined at port 139/tcp. If nothing is defined - then add a line like this:

netbios-ssn 139/tcp

similarly for 137/udp you should have an entry like:

netbios-ns 137/udp

Next edit your /etc/inetd.conf - and add two lines something like this:

		netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
-		netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd 
-

The exact syntax of /etc/inetd.conf - varies between unixes. Look at the other entries in inetd.conf - for a guide.

NOTE: Some unixes already have entries like netbios_ns - (note the underscore) in /etc/services. - You must either edit /etc/services or - /etc/inetd.conf to make them consistent.

NOTE: On many systems you may need to use the - "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run ifconfig - as root if you don't know what the broadcast is for your - net. nmbd tries to determine it at run - time, but fails on some unixes. See the section on "testing nmbd" - for a method of finding if you need to do this.

!!!WARNING!!! Many unixes only accept around 5 - parameters on the command line in inetd.conf. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from inetd.

Restart inetd, perhaps just send - it a HUP. If you have installed an earlier version of nmbd then you may need to kill nmbd as well.

1.6.2. Alternative: starting it as a daemon

To start the server as a daemon you should create - a script something like this one, perhaps calling - it startsmb.

		#!/bin/sh
-		/usr/local/samba/bin/smbd -D 
-		/usr/local/samba/bin/nmbd -D 
-

then make it executable with chmod - +x startsmb

You can then run startsmb by - hand or execute it from /etc/rc.local -

To kill it send a kill signal to the processes - nmbd and smbd.

NOTE: If you use the SVR4 style init system then - you may like to look at the examples/svr4-startup - script to make Samba fit into that system.

1.2.2. SWAT

SWAT is a web-based interface that helps you configure samba. + SWAT might not be available in the samba package on your platform, + but in a seperate package. Please read the swat manpage + on compiling, installing and configuring swat from source. +

To launch SWAT just run your favorite web browser and + point it at "http://localhost:901/". Replace localhost with the name of the computer you are running samba on if you + are running samba on a different computer then your browser.

Note that you can attach to SWAT from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire.

1.7. Try listing the shares available on your - server

1.3. Try listing the shares available on your + server

$ $ smbclient -L - yourhostnameyourhostname

You should get back a list of shares available on @@ -566,39 +273,31 @@ CLASS="SECT1" >

1.8. Try connecting with the unix client

1.4. Try connecting with the unix client

$ $ smbclient smbclient //yourhostname/aservice //yourhostname/aservice

Typically the Typically the yourhostnameyourhostname would be the name of the host where you installed smbd. The . The aserviceaservice is any service you have defined in the For example if your unix host is bambi and your login name is fred you would type:

$ $ smbclient //bambi/fred -

1.9. Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client

1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... client

Try mounting disks. eg:

C:\WINDOWS\> C:\WINDOWS\> net use d: \\servername\service -

Try printing. eg:

C:\WINDOWS\> C:\WINDOWS\> net use lpt1: - \\servername\spoolservice

C:\WINDOWS\> C:\WINDOWS\> print filename -

Celebrate, or send me a bug report!

1.10. What If Things Don't Work?

If nothing works and you start to think "who wrote - this pile of trash" then I suggest you do step 2 again (and - again) till you calm down.

1.6. What If Things Don't Work?

Then you might read the file DIAGNOSIS.txt and the +>Then you might read the file HOWTO chapter Diagnosis and the FAQ. If you are still stuck then try the mailing list or newsgroup (look in the README for details). Samba has been successfully installed at thousands of sites worldwide, so maybe someone else has hit your problem and has overcome it. You could also use the WWW site to scan back issues of the samba-digest.

When you fix the problem PLEASE send me some updates to the - documentation (or source code) so that the next person will find it - easier.

1.10.1. Diagnosing Problems

If you have installation problems then go to the - Diagnosis chapter to try to find the - problem.

When you fix the problem please send some + updates of the documentation (or source code) to one of + the documentation maintainers or the list. +

1.10.2. Scope IDs

1.6.1. Scope IDs

By default Samba uses a blank scope ID. This means all your windows boxes must also have a blank scope ID. If you really want to use a non-blank scope ID then you will need to use the 'netbios scope' smb.conf option. - All your PCs will need to have the same setting for + All your PCs will need to have the same setting for this to work. I do not recommend scope IDs.

1.10.3. Choosing the Protocol Level

The SMB protocol has many dialects. Currently - Samba supports 5, called CORE, COREPLUS, LANMAN1, - LANMAN2 and NT1.

You can choose what maximum protocol to support - in the smb.conf file. The default is - NT1 and that is the best for the vast majority of sites.

In older versions of Samba you may have found it - necessary to use COREPLUS. The limitations that led to - this have mostly been fixed. It is now less likely that you - will want to use less than LANMAN1. The only remaining advantage - of COREPLUS is that for some obscure reason WfWg preserves - the case of passwords in this protocol, whereas under LANMAN1, - LANMAN2 or NT1 it uppercases all passwords before sending them, - forcing you to use the "password level=" option in some cases.

The main advantage of LANMAN2 and NT1 is support for - long filenames with some clients (eg: smbclient, Windows NT - or Win95).

See the smb.conf(5) manual page for more details.

Note: To support print queue reporting you may find - that you have to use TCP/IP as the default protocol under - WfWg. For some reason if you leave Netbeui as the default - it may break the print queue reporting on some systems. - It is presumably a WfWg bug.

1.10.4. Printing from UNIX to a Client PC

To use a printer that is available via a smb-based - server from a unix host with LPR you will need to compile the - smbclient program. You then need to install the script - "smbprint". Read the instruction in smbprint for more details. -

There is also a SYSV style script that does much - the same thing called smbprint.sysv. It contains instructions.

See the CUPS manual for information about setting up - printing from a unix host with CUPS to a smb-based server.

1.10.5. Locking

1.6.2. Locking

One area which sometimes causes trouble is locking.

1.10.6. Mapping Usernames

If you have different usernames on the PCs and - the unix server then take a look at the "username map" option. - See the smb.conf man page for details.

Integrating MS Windows networks with Samba

9.1. Agenda

9.1. Agenda

To identify the key functional mechanisms of MS Windows networking to enable the deployment of Samba as a means of extending and/or @@ -147,9 +147,9 @@ CLASS="SECT1" >

9.2. Name Resolution in a pure Unix/Linux world

9.2. Name Resolution in a pure Unix/Linux world

The key configuration files covered in this section are:

9.2.1. /etc/hosts

Contains a static list of IP Addresses and names. @@ -270,11 +270,11 @@ CLASS="SECT2" >

9.2.2. /etc/resolv.conf

This file tells the name resolution libraries:

9.2.3. /etc/host.conf

9.2.4. /etc/nsswitch.conf

This file controls the actual name resolution targets. The @@ -406,9 +406,9 @@ CLASS="SECT1" >

9.3. Name resolution as used within MS Windows networking

9.3. Name resolution as used within MS Windows networking

MS Windows networking is predicated about the name each machine is given. This name is known variously (and inconsistently) as @@ -428,16 +428,16 @@ the client/server.

	Unique NetBIOS Names:
-		MACHINENAME<00>	= Server Service is running on MACHINENAME
-		MACHINENAME<03> = Generic Machine Name (NetBIOS name)
-		MACHINENAME<20> = LanMan Server service is running on MACHINENAME
-		WORKGROUP<1b> = Domain Master Browser
+		MACHINENAME<00>	= Server Service is running on MACHINENAME
+		MACHINENAME<03> = Generic Machine Name (NetBIOS name)
+		MACHINENAME<20> = LanMan Server service is running on MACHINENAME
+		WORKGROUP<1b> = Domain Master Browser
 
 	Group Names:
-		WORKGROUP<03> = Generic Name registered by all members of WORKGROUP
-		WORKGROUP<1c> = Domain Controllers / Netlogon Servers
-		WORKGROUP<1d> = Local Master Browsers
-		WORKGROUP<1e> = Internet Name Resolvers

It should be noted that all NetBIOS machines register their own @@ -456,7 +456,7 @@ be needed. An example of this is what happens when an MS Windows client wants to locate a domain logon server. It find this service and the IP address of a server that provides it by performing a lookup (via a NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each +registered the name type *<1c>. A logon request is then sent to each IP address that is returned in the enumerated list of IP addresses. Which ever machine first replies then ends up providing the logon services.

9.3.1. The NetBIOS Name Cache

9.3.1. The NetBIOS Name Cache

All MS Windows machines employ an in memory buffer in which is stored the NetBIOS names and IP addresses for all external @@ -518,9 +518,9 @@ CLASS="SECT2" >

9.3.2. The LMHOSTS file

9.3.2. The LMHOSTS file

This file is usually located in MS Windows NT 4.0 or 2000 in

9.3.3. HOSTS file

9.3.3. HOSTS file

This file is usually located in MS Windows NT 4.0 or 2000 in

9.3.4. DNS Lookup

9.3.4. DNS Lookup

This capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence @@ -663,9 +663,9 @@ CLASS="SECT2" >

9.3.5. WINS Lookup

9.3.5. WINS Lookup

A WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores @@ -692,11 +692,9 @@ CLASS="PROGRAMLISTING" wins server = xxx.xxx.xxx.xxx

where where xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx is the IP address of the WINS server.

9.4. How browsing functions and how to deploy stable and -dependable browsing using Samba

As stated above, MS Windows machines register their NetBIOS names (i.e.: the machine name for each service type in operation) on start @@ -773,10 +771,10 @@ CLASS="SECT1" >

9.5. MS Windows security options and how to configure -Samba for seemless integration

MS Windows clients may use encrypted passwords as part of a challenege/response authentication model (a.k.a. NTLMv1) or @@ -845,43 +843,35 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#PASSWORDLEVEL" TARGET="_top" >passsword level = = integerinteger username level = = integerinteger

By default Samba will lower case the username before attempting to lookup the user in the database of local system accounts. Because UNIX usernames conventionally only contain lower case -character, the username levelusername level parameter is rarely even needed.

However, password on UNIX systems often make use of mixed case characters. This means that in order for a user on a Windows 9x client to connect to a Samba server using clear text authentication, -the password levelpassword level must be set to the maximum number of upper case letter which appear is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a password levelpassword level of 8 will result in case insensitive passwords as seen from Windows users. This will also result in longer login times as Samba @@ -910,9 +898,9 @@ CLASS="SECT2" >

9.5.1. Use MS Windows NT as an authentication server

9.5.1. Use MS Windows NT as an authentication server

This method involves the additions of the following parameters in the smb.conf file:

9.5.2. Make Samba a member of an MS Windows NT security domain

9.5.2. Make Samba a member of an MS Windows NT security domain

This method involves additon of the following paramters in the smb.conf file:

9.5.3. Configure Samba as an authentication server

9.5.3. Configure Samba as an authentication server

This mode of authentication demands that there be on the Unix/Linux system both a Unix style account as well as an @@ -1046,9 +1034,9 @@ CLASS="SECT3" >

9.5.3.1. Users

9.5.3.1. Users

A user account that may provide a home directory should be created. The following Linux system commands are typical of @@ -1058,10 +1046,10 @@ the procedure for creating an account.

# useradd -s /bin/bash -d /home/"userid" -m "userid" # passwd "userid" - Enter Password: <pw> + Enter Password: <pw> # smbpasswd -a "userid" - Enter Password: <pw>

9.5.3.2. MS Windows NT Machine Accounts

9.5.3.2. MS Windows NT Machine Accounts

These are required only when Samba is used as a domain controller. Refer to the Samba-PDC-HOWTO for more details.

9.6. Conclusions

9.6. Conclusions

Samba provides a flexible means to operate as...

General installation

1.1. Read the man pagesObtaining and installing samba
1.2. Building the Binaries
1.3. The all important step
1.4. Create the smb configuration file.
1.5. Test your config file with - testparm
1.6. Starting the smbd and nmbdConfiguring samba
1.6.1. Starting from inetd.conf1.2.1. Editing the smb.conf file
1.6.2. Alternative: starting it as a daemon1.2.2. SWAT
1.7. 1.3. Try listing the shares available on your server
1.8. 1.4. Try connecting with the unix client
1.9. 1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client
1.10. 1.6. What If Things Don't Work?
1.10.1. Diagnosing Problems
1.10.2. 1.6.1. Scope IDs
1.10.3. Choosing the Protocol Level
1.10.4. Printing from UNIX to a Client PC
1.10.5. 1.6.2. Locking
1.10.6. Mapping Usernames
2.1. Discussion
2.2. Use of the "Remote Announce" parameter
2.3. Use of the "Remote Browse Sync" parameter
2.4. Use of WINS
2.5. Do NOT use more than one (1) protocol on MS Windows machines
2.6. Name Resolution Order
3.1. Introduction
3.2. Important Notes About Security
3.2.1. Advantages of SMB Encryption
3.2.2. Advantages of non-encrypted passwords
3.3. The smbpasswd Command
3.4. Plain text
3.5. TDB
3.6. LDAP
3.6.1. Introduction
3.6.2. Introduction
3.6.3. Supported LDAP Servers
3.6.4. Schema and Relationship to the RFC 2307 posixAccount
3.6.5. Configuring Samba with LDAP
3.6.6. Accounts and Groups management
3.6.7. Security and sambaAccount
3.6.8. LDAP specials attributes for sambaAccounts
3.6.9. Example LDIF Entries for a sambaAccount
3.7. MySQL
3.7.1. Building
3.7.2. Creating the database
3.7.3. Configuring
3.7.4. Using plaintext passwords or encrypted password
3.7.5. Getting non-column data from the table
3.8. Passdb XML plugin
3.8.1. Building
3.8.2. Usage
lmhostsHosting a Microsoft Distributed File System tree on Samba

12.1. Instructions

12.1. Instructions

The Distributed File System (or Dfs) provides a means of separating the logical view of files and directories that users @@ -99,21 +99,17 @@ TARGET="_top" machine (for Dfs-aware clients to browse) using Samba.

To enable SMB-based DFS for Samba, configure it with the - --with-msdfs--with-msdfs option. Once built, a Samba server can be made a Dfs server by setting the global boolean host msdfs host msdfs parameter in the msdfs root msdfs root parameter. A Dfs root directory on Samba hosts Dfs links in the form of symbolic links that point to other servers. For example, a symbolic link junction->msdfs:storage1\share1junction->msdfs:storage1\share1 in the share directory acts as the Dfs junction. When Dfs-aware clients attempt to access the junction link, they are redirected @@ -162,54 +156,44 @@ CLASS="PROGRAMLISTING" >In the /export/dfsroot directory we set up our dfs links to other servers on the network.

root# root# cd /export/dfsrootcd /export/dfsroot

root# root# chown root /export/dfsrootchown root /export/dfsroot

root# root# chmod 755 /export/dfsrootchmod 755 /export/dfsroot

root# root# ln -s msdfs:storageA\\shareA linkaln -s msdfs:storageA\\shareA linka

root# root# ln -s msdfs:serverB\\share,serverC\\share linkbln -s msdfs:serverB\\share,serverC\\share linkb

You should set up the permissions and ownership of @@ -229,9 +213,9 @@ CLASS="SECT2" >

12.1.1. Notes

12.1.1. Notes

    netnet {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-C comment] [-M maxusers] [-F flags] [-j jobid] [-l] [-r] [-f] [-t timeout] [-P] [-D debuglevel]

    {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-C comment] [-M maxusers] [-F flags] [-j jobid] [-l] [-r] [-f] [-t timeout] [-P] [-D debuglevel]

USER DELETE <name> [misc options]
USER DELETE <name> [misc options]

delete specified user

USER INFO <name> [misc options]
USER INFO <name> [misc options]

list the domain groups of the specified user

USER ADD <name> [password] [-F user flags] [misc. options]
USER ADD <name> [password] [-F user flags] [misc. options]

Add specified user @@ -345,14 +345,14 @@ CLASS="VARIABLELIST"

GROUP DELETE <name> [misc. options] [targets]
GROUP DELETE <name> [misc. options] [targets]

Delete specified group

GROUP ADD <name> [-C comment]
GROUP ADD <name> [-C comment]

Create specified group @@ -366,14 +366,14 @@ CLASS="VARIABLELIST"

SHARE ADD <name=serverpath> [misc. options] [targets]
SHARE ADD <name=serverpath> [misc. options] [targets]

Adds a share from a server (makes the export active)

SHARE DELETE <sharenam
SHARE DELETE <sharenam

nmbdnmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-n <primary netbios name>] [-p <port number>] [-s <configuration file>]

[-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-n <primary netbios name>] [-p <port number>] [-s <configuration file>]

nmbd also logs to standard - output, as if the -S-S parameter had been given.

.

-H <filename>
-H <filename>

NetBIOS lmhosts file. The lmhosts @@ -253,12 +253,10 @@ CLASS="COMMAND" resolution mechanism name resolve - order described in .

-d <debug level>
-d <debug level>

debuglevel is an integer @@ -344,11 +342,9 @@ CLASS="COMMAND" the log levellog level parameter in the file.

-l <log directory>
-l <log directory>

The -l parameter specifies a directory @@ -395,7 +391,7 @@ CLASS="COMMAND"

-n <primary NetBIOS name>
-n <primary NetBIOS name>

This option allows you to override @@ -403,12 +399,10 @@ CLASS="COMMAND" to setting the NetBIOS - name parameter in the .

-p <UDP port number>
-p <UDP port number>

UDP port number is a positive integer value. @@ -440,7 +434,7 @@ CLASS="COMMAND" won't need help!

-s <configuration file>
-s <configuration file>

The default configuration file name @@ -565,9 +559,9 @@ CLASS="FILENAME" wins supportwins support parameter in the (see the local masterlocal master parameter in the nmblookupnmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}

[-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}

Searches for a master browser by looking - up the NetBIOS name namename with a - type of 0x1d. If 0x1d. If name name is "-" then it does a lookup on the special name - __MSBROWSE____MSBROWSE__.

-A

Interpret Interpret namename as an IP Address and do a node status query on this address.

Print a help (usage) message.

-B <broadcast address>
-B <broadcast address>

Send the query to the given broadcast address. Without @@ -169,11 +163,9 @@ CLASS="REPLACEABLE" either auto-detected or defined in the interfacesinterfaces parameter of the

-U <unicast address>
-U <unicast address>

Do a unicast query to the specified address or - host unicast addressunicast address. This option - (along with the -R-R option) is needed to query a WINS server.

-d <debuglevel>
-d <debuglevel>

debuglevel is an integer from 0 to 10.

log level log level parameter in the file.

-s <smb.conf>
-s <smb.conf>

This parameter specifies the pathname to @@ -253,7 +239,7 @@ TARGET="_top" the Samba setup on the machine.

-i <scope>
-i <scope>

This specifies a NetBIOS scope that @@ -307,7 +293,7 @@ CLASS="EMPHASIS" >This is the NetBIOS name being queried. Depending upon the previous options this may be a NetBIOS name or IP address. If a NetBIOS name then the different name types may be specified - by appending '#<type>' to the name. This name may also be + by appending '#<type>' to the name. This name may also be '*', which will return all registered names within a broadcast area.

-Oplocks
SAMBA Project Documentation
PrevNext

Chapter 3. Oplocks

3.1. What are oplocks?

When a client opens a file it can request an "oplock" or file -lease. This is (to simplify a bit) a guarentee that no one else -has the file open simultaneously. It allows the client to not -send any updates on the file to the server, thus reducing a -network file access to local access (once the file is in -client cache). An "oplock break" is when the server sends -a request to the client to flush all its changes back to -the server, so the file is in a consistent state for other -opens to succeed. If a client fails to respond to this -asynchronous request then the file can be corrupted. Hence -the "turn off oplocks" answer if people are having multi-user -file access problems.

Unless the kernel is "oplock aware" (SGI IRIX and Linux are -the only two UNIXes that are at the moment) then if a local -UNIX process accesses the file simultaneously then Samba -has no way of telling this is occuring, so the guarentee -to the client is broken. This can corrupt the file. Short -answer - it you have UNIX clients accessing the same file -as smbd locally or via NFS and you're not running Linux or -IRIX then turn off oplocks for that file or share.

"Share modes". These are modes of opening a file, that -guarentee an invarient - such as DENY_WRITE - which means -that if any other opens are requested with write access after -this current open has succeeded then they should be denied -with a "sharing violation" error message. Samba handles these -internally inside smbd. UNIX clients accessing the same file -ignore these invarients. Just proving that if you need simultaneous -file access from a Windows and UNIX client you *must* have an -application that is written to lock records correctly on both -sides. Few applications are written like this, and even fewer -are cross platform (UNIX and Windows) so in practice this isn't -much of a problem.

"Locking". This really means "byte range locking" - such as -lock 10 bytes at file offset 24 for write access. This is the -area in which well written UNIX and Windows apps will cooperate. -Windows locks (at least from NT or above) are 64-bit unsigned -offsets. UNIX locks are either 31 bit or 63 bit and are signed -(the top bit is used for the sign). Samba handles these by -first ensuring that all the Windows locks don't conflict (ie. -if other Windows clients have competing locks then just reject -immediately) - this allows us to support 64-bit Windows locks -on 32-bit filesystems. Secondly any locks that are valid are -then mapped onto UNIX fcntl byte range locks. These are the -locks that will be seen by UNIX processes. If there is a conflict -here the lock is rejected.

Note that if a client has an oplock then it "knows" that no -other client can have the file open so usually doesn't bother -to send to lock request to the server - this means once again -if you need to share files between UNIX and Windows processes -either use IRIX or Linux, or turn off oplocks for these -files/shares.

PrevHomeNext
Improved browsing in sambaUpQuick Cross Subnet Browsing / Cross Workgroup Browsing guide
\ No newline at end of file diff --git a/docs/htmldocs/optional.html b/docs/htmldocs/optional.html index b5564b9f26..6ef6188311 100644 --- a/docs/htmldocs/optional.html +++ b/docs/htmldocs/optional.html @@ -5,7 +5,7 @@ >Optional configuration

Introduction

9.1. Agenda
9.2. Name Resolution in a pure Unix/Linux world
9.2.1. /etc/hosts
9.2.2. /etc/resolv.conf
9.2.3. /etc/host.conf
9.2.4. /etc/nsswitch.conf
9.3. Name resolution as used within MS Windows networking
9.3.1. The NetBIOS Name Cache
9.3.2. The LMHOSTS file
9.3.3. HOSTS file
9.3.4. DNS Lookup
9.3.5. WINS Lookup
9.4. How browsing functions and how to deploy stable and dependable browsing using Samba
9.5. MS Windows security options and how to configure Samba for seemless integration
9.5.1. Use MS Windows NT as an authentication server
9.5.2. Make Samba a member of an MS Windows NT security domain
9.5.3. Configure Samba as an authentication server
9.6. Conclusions
10.1. Viewing and changing UNIX permissions using the NT security dialogs
10.2. How to view file security on a Samba share
10.3. Viewing file ownership
10.4. Viewing file or directory permissions
10.4.1. File Permissions
10.4.2. Directory Permissions
10.5. Modifying file or directory permissions
10.6. Interaction with the standard Samba create mask parameters
10.7. Interaction with the standard Samba file attribute mapping
11.1. Samba and PAM
11.2. Distributed Authentication
11.3. PAM Configuration in smb.conf
12.1. Instructions
12.1.1. Notes
13.1. Introduction
13.2. Configuration
13.2.1. Creating [print$]
13.2.2. Setting Drivers for Existing Printers
13.2.3. Support a large number of printers
13.2.4. Adding New Printers via the Windows NT APW
13.2.5. Samba and Printer Ports
13.3. The Imprints Toolset
13.3.1. What is Imprints?
13.3.2. Creating Printer Driver Packages
13.3.3. The Imprints server
13.3.4. The Installation Client
13.4. Diagnosis
13.4.1. Introduction
13.4.2. Debugging printer problems
13.4.3. What printers do I have?
13.4.4. Setting up printcap and print servers
13.4.5. Job sent, no output
13.4.6. Job sent, strange output
13.4.7. Raw PostScript printed
13.4.8. Advanced Printing
13.4.9. Real debugging
14.1. Abstract
14.2. Introduction
14.3. What Winbind Provides
14.3.1. Target Uses
14.4. How Winbind Works
14.4.1. Microsoft Remote Procedure Calls
14.4.2. Microsoft Active Directory Services
14.4.3. Name Service Switch
14.4.4. Pluggable Authentication Modules
14.4.5. User and Group ID Allocation
14.4.6. Result Caching
14.5. Installation and Configuration
14.5.1. Introduction
14.5.2. Requirements
14.5.3. Testing Things Out
14.6. Limitations
14.7. Conclusion
15.1. Overview of browsing
15.2. Browsing support in samba
15.3. Problem resolution
15.4. Browsing across subnets
15.4.1. How does cross subnet browsing work ?
15.5. Setting up a WINS server
15.6. Setting up Browsing in a WORKGROUP
15.7. Setting up Browsing in a DOMAIN
15.8. Forcing samba to be the master
15.9. Making samba the domain master
15.10. Note about broadcast addresses
15.11. Multiple interfaces
16.1. Introduction and configuration
16.2. Included modules
16.2.1. audit
16.2.2. recycle
16.2.3. netatalk
16.3. VFS modules available elsewhere
16.3.1. DatabaseFS
16.3.2. vscan
17. Access Samba source code via CVS
17.1. Introduction
17.2. CVS Access to samba.org
17.2.1. Access via CVSweb
17.2.2. Access via cvs
18. Group mapping HOWTO
19. 18. Samba performance issues
19.1. 18.1. Comparisons
19.2. 18.2. Socket options
19.3. 18.3. Read size
19.4. 18.4. Max xmit
19.5. 18.5. Log level
19.6. 18.6. Read raw
19.7. 18.7. Write raw
19.8. 18.8. Slow Clients
19.9. 18.9. Slow Logins
19.10. 18.10. Client tuning
20. 19. Creating Group ProfilesCreating Group Prolicy Files
20.1. 19.1. Windows '9x
20.2. 19.2. Windows NT 4
20.2.1. 19.2.1. Side bar Notes
20.2.2. 19.2.2. Mandatory profiles
20.2.3. 19.2.3. moveuser.exe
20.2.4. 19.2.4. Get SID
20.3. 19.3. Windows 2000/XP
20. Securing Samba
20.1. Introduction
20.2. Using host based protection
20.3. Using interface protection
20.4. Using a firewall
20.5. Using a IPC$ share deny
20.6. Upgrading Samba
Samba and other CIFS clientsNext

22.1. Macintosh clients?

22.1. Macintosh clients?

Yes.

22.2. OS2 Client

22.2. OS2 Client

22.2.1. How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?

A more complete answer to this question can be found on

22.2.2. How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?

You can use the free Microsoft LAN Manager 2.2c Client for OS/2 from @@ -239,10 +239,10 @@ CLASS="SECT2" >

22.2.3. Are there any other issues when OS/2 (any version) - is used as a client?

When you do a NET VIEW or use the "File and Print Client Resource Browser", no Samba servers show up. This can @@ -261,10 +261,10 @@ CLASS="SECT2" >

22.2.4. How do I get printer driver download working - for OS/2 clients?

First, create a share called [PRINTDRV] that is world-readable. Copy your OS/2 driver files there. Note @@ -274,17 +274,13 @@ NAME="AEN3350" >

Install the NT driver first for that printer. Then, add to your smb.conf a parameter, os2 driver map = - filenamefilename". Then, in the file - specified by filenamefilename, map the name of the NT driver name to the OS/2 driver name as follows:

22.3. Windows for Workgroups

22.3. Windows for Workgroups

22.3.1. Use latest TCP/IP stack from Microsoft

22.3.1. Use latest TCP/IP stack from Microsoft

Use the latest TCP/IP stack from microsoft if you use Windows for workgroups.

22.3.2. Delete .pwl files after password change

22.3.2. Delete .pwl files after password change

WfWg does a lousy job with passwords. I find that if I change my password on either the unix box or the PC the safest thing to do is to @@ -362,9 +358,9 @@ CLASS="SECT2" >

22.3.3. Configure WfW password handling

22.3.3. Configure WfW password handling

There is a program call admincfg.exe on the last disk (disk 8) of the WFW 3.11 disk set. To install it @@ -381,9 +377,9 @@ CLASS="SECT2" >

22.3.4. Case handling of passwords

22.3.4. Case handling of passwords

Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the password level to specify what characters samba should try to uppercase when checking.

22.3.5. Use TCP/IP as default protocol

To support print queue reporting you may find +that you have to use TCP/IP as the default protocol under +WfWg. For some reason if you leave Netbeui as the default +it may break the print queue reporting on some systems. +It is presumably a WfWg bug.

22.4. Windows '95/'98

22.4. Windows '95/'98

When using Windows 95 OEM SR2 the following updates are recommended where Samba is being used. Please NOTE that the above change will affect you once these @@ -448,9 +459,9 @@ CLASS="SECT1" >

22.5. Windows 2000 Service Pack 2

22.5. Windows 2000 Service Pack 2

There are several annoyances with Windows 2000 SP2. One of which @@ -560,7 +571,7 @@ WIDTH="33%" ALIGN="right" VALIGN="top" >NextReporting BugsHow to compile SAMBA

-Optional configuration
SAMBA Project Documentation
PrevNext

III. Optional configuration

Introduction

Samba has several features that you might want or might not want to use. The chapters in this -part each cover one specific feature.

Table of Contents
10. Integrating MS Windows networks with Samba
10.1. Agenda
10.2. Name Resolution in a pure Unix/Linux world
10.2.1. /etc/hosts
10.2.2. /etc/resolv.conf
10.2.3. /etc/host.conf
10.2.4. /etc/nsswitch.conf
10.3. Name resolution as used within MS Windows networking
10.3.1. The NetBIOS Name Cache
10.3.2. The LMHOSTS file
10.3.3. HOSTS file
10.3.4. DNS Lookup
10.3.5. WINS Lookup
10.4. How browsing functions and how to deploy stable and -dependable browsing using Samba
10.5. MS Windows security options and how to configure -Samba for seemless integration
10.5.1. Use MS Windows NT as an authentication server
10.5.2. Make Samba a member of an MS Windows NT security domain
10.5.3. Configure Samba as an authentication server
10.6. Conclusions
11. UNIX Permission Bits and Windows NT Access Control Lists
11.1. Viewing and changing UNIX permissions using the NT - security dialogs
11.2. How to view file security on a Samba share
11.3. Viewing file ownership
11.4. Viewing file or directory permissions
11.4.1. File Permissions
11.4.2. Directory Permissions
11.5. Modifying file or directory permissions
11.6. Interaction with the standard Samba create mask - parameters
11.7. Interaction with the standard Samba file attribute - mapping
12. Configuring PAM for distributed but centrally -managed authentication
12.1. Samba and PAM
12.2. Distributed Authentication
12.3. PAM Configuration in smb.conf
13. Hosting a Microsoft Distributed File System tree on Samba
13.1. Instructions
13.1.1. Notes
14. Printing Support
14.1. Introduction
14.2. Configuration
14.2.1. Creating [print$]
14.2.2. Setting Drivers for Existing Printers
14.2.3. Support a large number of printers
14.2.4. Adding New Printers via the Windows NT APW
14.2.5. Samba and Printer Ports
14.3. The Imprints Toolset
14.3.1. What is Imprints?
14.3.2. Creating Printer Driver Packages
14.3.3. The Imprints server
14.3.4. The Installation Client
14.4. Diagnosis
14.4.1. Introduction
14.4.2. Debugging printer problems
14.4.3. What printers do I have?
14.4.4. Setting up printcap and print servers
14.4.5. Job sent, no output
14.4.6. Job sent, strange output
14.4.7. Raw PostScript printed
14.4.8. Advanced Printing
14.4.9. Real debugging
15. Security levels
15.1. Introduction
15.2. More complete description of security levels
16. Unified Logons between Windows NT and UNIX using Winbind
16.1. Abstract
16.2. Introduction
16.3. What Winbind Provides
16.3.1. Target Uses
16.4. How Winbind Works
16.4.1. Microsoft Remote Procedure Calls
16.4.2. Name Service Switch
16.4.3. Pluggable Authentication Modules
16.4.4. User and Group ID Allocation
16.4.5. Result Caching
16.5. Installation and Configuration
16.5.1. Introduction
16.5.2. Requirements
16.5.3. Testing Things Out
16.6. Limitations
16.7. Conclusion
17. Passdb MySQL plugin
17.1. Building
17.2. Configuring
17.3. Using plaintext passwords or encrypted password
17.4. Getting non-column data from the table
18. Passdb XML plugin
18.1. Building
18.2. Usage
19. Storing Samba's User/Machine Account information in an LDAP Directory
19.1. Purpose
19.2. Introduction
19.3. Supported LDAP Servers
19.4. Schema and Relationship to the RFC 2307 posixAccount
19.5. Configuring Samba with LDAP
19.5.1. OpenLDAP configuration
19.5.2. Configuring Samba
19.6. Accounts and Groups management
19.7. Security and sambaAccount
19.8. LDAP specials attributes for sambaAccounts
19.9. Example LDIF Entries for a sambaAccount
19.10. Comments
20. HOWTO Access Samba source code via CVS
20.1. Introduction
20.2. CVS Access to samba.org
20.2.1. Access via CVSweb
20.2.2. Access via cvs
21. Group mapping HOWTO
22. Samba performance issues
22.1. Comparisons
22.2. Oplocks
22.2.1. Overview
22.2.2. Level2 Oplocks
22.2.3. Old 'fake oplocks' option - deprecated
22.3. Socket options
22.4. Read size
22.5. Max xmit
22.6. Locking
22.7. Share modes
22.8. Log level
22.9. Wide lines
22.10. Read raw
22.11. Write raw
22.12. Read prediction
22.13. Memory mapping
22.14. Slow Clients
22.15. Slow Logins
22.16. Client tuning
22.17. My Results
PrevHomeNext
Samba as a NT4 domain member Integrating MS Windows networks with Samba
\ No newline at end of file diff --git a/docs/htmldocs/p18.html b/docs/htmldocs/p18.html deleted file mode 100644 index a8f2a3c53c..0000000000 --- a/docs/htmldocs/p18.html +++ /dev/null @@ -1,438 +0,0 @@ - -General installation
SAMBA Project Documentation
PrevNext

I. General installation

Introduction

This part contains general info on how to install samba -and how to configure the parts of samba you will most likely need. -PLEASE read this.

Table of Contents
1. How to Install and Test SAMBA
1.1. Read the man pages
1.2. Building the Binaries
1.3. The all important step
1.4. Create the smb configuration file.
1.5. Test your config file with - testparm
1.6. Starting the smbd and nmbd
1.6.1. Starting from inetd.conf
1.6.2. Alternative: starting it as a daemon
1.7. Try listing the shares available on your - server
1.8. Try connecting with the unix client
1.9. Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client
1.10. What If Things Don't Work?
1.10.1. Diagnosing Problems
1.10.2. Scope IDs
1.10.3. Choosing the Protocol Level
1.10.4. Printing from UNIX to a Client PC
1.10.5. Locking
1.10.6. Mapping Usernames
2. Improved browsing in samba
2.1. Overview of browsing
2.2. Browsing support in samba
2.3. Problem resolution
2.4. Browsing across subnets
2.4.1. How does cross subnet browsing work ?
2.5. Setting up a WINS server
2.6. Setting up Browsing in a WORKGROUP
2.7. Setting up Browsing in a DOMAIN
2.8. Forcing samba to be the master
2.9. Making samba the domain master
2.10. Note about broadcast addresses
2.11. Multiple interfaces
3. Oplocks
3.1. What are oplocks?
4. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide
4.1. Discussion
4.2. Use of the "Remote Announce" parameter
4.3. Use of the "Remote Browse Sync" parameter
4.4. Use of WINS
4.5. Do NOT use more than one (1) protocol on MS Windows machines
4.6. Name Resolution Order
5. LanMan and NT Password Encryption in Samba
5.1. Introduction
5.2. Important Notes About Security
5.2.1. Advantages of SMB Encryption
5.2.2. Advantages of non-encrypted passwords
5.3. The smbpasswd Command
PrevHomeNext
SAMBA Project Documentation How to Install and Test SAMBA
\ No newline at end of file diff --git a/docs/htmldocs/p3106.html b/docs/htmldocs/p3106.html deleted file mode 100644 index 9967d8fb59..0000000000 --- a/docs/htmldocs/p3106.html +++ /dev/null @@ -1,391 +0,0 @@ - -Appendixes
SAMBA Project Documentation
PrevNext

IV. Appendixes

Table of Contents
23. Portability
23.1. HPUX
23.2. SCO Unix
23.3. DNIX
23.4. RedHat Linux Rembrandt-II
24. Samba and other CIFS clients
24.1. Macintosh clients?
24.2. OS2 Client
24.2.1. How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba?
24.2.2. How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?
24.2.3. Are there any other issues when OS/2 (any version) - is used as a client?
24.2.4. How do I get printer driver download working - for OS/2 clients?
24.3. Windows for Workgroups
24.3.1. Use latest TCP/IP stack from Microsoft
24.3.2. Delete .pwl files after password change
24.3.3. Configure WfW password handling
24.3.4. Case handling of passwords
24.4. Windows '95/'98
24.5. Windows 2000 Service Pack 2
25. Reporting Bugs
25.1. Introduction
25.2. General info
25.3. Debug levels
25.4. Internal errors
25.5. Attaching to a running process
25.6. Patches
26. Diagnosing your samba server
26.1. Introduction
26.2. Assumptions
26.3. Tests
26.3.1. Test 1
26.3.2. Test 2
26.3.3. Test 3
26.3.4. Test 4
26.3.5. Test 5
26.3.6. Test 6
26.3.7. Test 7
26.3.8. Test 8
26.3.9. Test 9
26.3.10. Test 10
26.3.11. Test 11
26.4. Still having troubles?
PrevHomeNext
Samba performance issues Portability
\ No newline at end of file diff --git a/docs/htmldocs/p544.html b/docs/htmldocs/p544.html deleted file mode 100644 index 502d978b5f..0000000000 --- a/docs/htmldocs/p544.html +++ /dev/null @@ -1,388 +0,0 @@ - -Type of installation
SAMBA Project Documentation
PrevNext

II. Type of installation

Introduction

This part contains information on using samba in a (NT 4 or ADS) domain. -If you wish to run samba as a domain member or DC, read the appropriate chapter in -this part.

Table of Contents
6. How to Configure Samba as a NT4 Primary Domain Controller
6.1. Prerequisite Reading
6.2. Background
6.3. Configuring the Samba Domain Controller
6.4. Creating Machine Trust Accounts and Joining Clients to the -Domain
6.4.1. Manual Creation of Machine Trust Accounts
6.4.2. "On-the-Fly" Creation of Machine Trust Accounts
6.4.3. Joining the Client to the Domain
6.5. Common Problems and Errors
6.6. System Policies and Profiles
6.7. What other help can I get?
6.8. Domain Control for Windows 9x/ME
6.8.1. Configuration Instructions: Network Logons
6.8.2. Configuration Instructions: Setting up Roaming User Profiles
6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
7. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain
7.1. Prerequisite Reading
7.2. Background
7.3. What qualifies a Domain Controller on the network?
7.3.1. How does a Workstation find its domain controller?
7.3.2. When is the PDC needed?
7.4. Can Samba be a Backup Domain Controller?
7.5. How do I set up a Samba BDC?
7.5.1. How do I replicate the smbpasswd file?
8. Samba as a ADS domain member
8.1. Installing the required packages for Debian
8.2. Installing the required packages for RedHat
8.3. Compile Samba
8.4. Setup your /etc/krb5.conf
8.5. Create the computer account
8.5.1. Possible errors
8.6. Test your server setup
8.7. Testing with smbclient
8.8. Notes
9. Samba as a NT4 domain member
9.1. Joining an NT Domain with Samba 2.2
9.2. Samba and Windows 2000 Domains
9.3. Why is this better than security = server?
PrevHomeNext
LanMan and NT Password Encryption in Samba How to Configure Samba as a NT4 Primary Domain Controller
\ No newline at end of file diff --git a/docs/htmldocs/pam.html b/docs/htmldocs/pam.html index a64de2a1b4..d110c385f1 100644 --- a/docs/htmldocs/pam.html +++ b/docs/htmldocs/pam.html @@ -6,7 +6,7 @@ managed authentication

11.1. Samba and PAM

11.1. Samba and PAM

A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication @@ -296,9 +296,9 @@ CLASS="SECT1" >

11.2. Distributed Authentication

11.2. Distributed Authentication

The astute administrator will realize from this that the combination of

11.3. PAM Configuration in smb.conf

11.3. PAM Configuration in smb.conf

There is an option in smb.conf called

When Samba 2.2 is configure to enable PAM support (i.e. ---with-pam--with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior diff --git a/docs/htmldocs/passdb.html b/docs/htmldocs/passdb.html index f53641624a..7a8fb7fdec 100644 --- a/docs/htmldocs/passdb.html +++ b/docs/htmldocs/passdb.html @@ -5,7 +5,7 @@ >User information database

3.1. Introduction

3.1. Introduction

Old windows clients send plain text passwords over the wire. Samba can check these passwords by crypting them and comparing them @@ -121,9 +121,9 @@ CLASS="SECT1" >

3.2. Important Notes About Security

3.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix @@ -229,9 +229,9 @@ CLASS="SECT2" >

3.2.1. Advantages of SMB Encryption

3.2.1. Advantages of SMB Encryption

3.2.2. Advantages of non-encrypted passwords

3.2.2. Advantages of non-encrypted passwords

3.3. The smbpasswd Command

3.3. The smbpasswd Command

The smbpasswd utility is a utility similar to the

To run smbpasswd as a normal user just type :

$ $ smbpasswdsmbpasswd

Old SMB password: Old SMB password: <type old value here - - or hit return if there was no old password><type old value here - + or hit return if there was no old password>

New SMB Password: New SMB Password: <type new value> - <type new value> +

Repeat New SMB Password: Repeat New SMB Password: <re-type new value - <re-type new value +

If the old value does not match the current value stored for @@ -411,9 +403,9 @@ CLASS="SECT1" >

3.4. Plain text

3.4. Plain text

Older versions of samba retrieved user information from the unix user database and eventually some other fields from the file

3.5. TDB

3.5. TDB

Samba can also store the user data in a "TDB" (Trivial Database). Using this backend doesn't require any additional configuration. This backend is recommended for new installations who @@ -444,17 +436,17 @@ CLASS="SECT1" >

3.6. LDAP

3.6. LDAP

3.6.1. Introduction

3.6.1. Introduction

This document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is @@ -520,9 +512,9 @@ CLASS="SECT2" >

3.6.2. Introduction

3.6.2. Introduction

Traditionally, when configuring --with-ldapsam--with-ldapsam or ---with-tdbsam--with-tdbsam) requires compile time support.

When compiling Samba to include the When compiling Samba to include the --with-ldapsam--with-ldapsam autoconf option, smbd (and associated tools) will store and lookup user accounts in an LDAP directory. In reality, this is very easy to understand. If you are comfortable with using an smbpasswd file, simply replace "smbpasswd" with "LDAP directory" in all the documentation.

There are a few points to stress about what the There are a few points to stress about what the --with-ldapsam--with-ldapsam does not provide. The LDAP support referred to in the this documentation does not include:

3.6.3. Supported LDAP Servers

3.6.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with @@ -662,9 +646,9 @@ CLASS="SECT2" >

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURALSTRUCTURAL objectclass so it can be stored individually in the directory. However, there are several fields (e.g. uid) which overlap with the posixAccount objectclass outlined in RFC2307. This is by design.

3.6.5. Configuring Samba with LDAP

3.6.5. Configuring Samba with LDAP

3.6.5.1. OpenLDAP configuration

3.6.5.1. OpenLDAP configuration

To include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory.

root# root# cp samba.schema /etc/openldap/schema/

3.6.5.2. Configuring Samba

3.6.5.2. Configuring Samba

The following parameters are available in smb.conf only with The following parameters are available in smb.conf only with --with-ldapsam--with-ldapsam was included with compiling Samba.

secretpwsecretpw' to store the # passphrase in the secrets.tdb file. If the "ldap admin dn" values # changes, this password will need to be reset. @@ -920,7 +900,7 @@ CLASS="REPLACEABLE" ldap suffix = "ou=people,dc=samba,dc=org" # generally the default ldap search filter is ok - # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"

3.6.6. Accounts and Groups management

3.6.6. Accounts and Groups management

As users accounts are managed thru the sambaAccount objectclass, you should modify you existing administration tools to deal with sambaAccount attributes.

3.6.7. Security and sambaAccount

3.6.7. Security and sambaAccount

There are two important points to remember when discussing the security of sambaAccount entries in the directory.

3.6.8. LDAP specials attributes for sambaAccounts

3.6.8. LDAP specials attributes for sambaAccounts

The sambaAccount objectclass is composed of the following attributes:

  • lmPasswordlmPassword: the LANMAN password 16-byte hash stored as a character representation of a hexidecimal string.

  • ntPasswordntPassword: the NT password hash 16-byte stored as a character representation of a hexidecimal string.

  • pwdLastSetpwdLastSet: The integer time in seconds since 1970 when the - lmPassword and lmPassword and ntPasswordntPassword attributes were last set.

  • acctFlagsacctFlags: string of 11 characters surrounded by square brackets [] representing account flags such as U (user), W(workstation), X(no password expiration), and D(disabled).

  • logonTimelogonTime: Integer value currently unused

  • logoffTimelogoffTime: Integer value currently unused

  • kickoffTimekickoffTime: Integer value currently unused

  • pwdCanChangepwdCanChange: Integer value currently unused

  • pwdMustChangepwdMustChange: Integer value currently unused

  • homeDrivehomeDrive: specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" where X is the letter of the drive to map. Refer to the "logon drive" parameter in the @@ -1128,9 +1108,9 @@ CLASS="CONSTANT" >

  • scriptPathscriptPath: The scriptPath property specifies the path of the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path is relative to the netlogon share. Refer to the "logon script" parameter in the @@ -1138,18 +1118,18 @@ CLASS="CONSTANT" >

  • profilePathprofilePath: specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. Refer to the "logon path" parameter in the smb.conf(5) man page for more information.

  • smbHomesmbHome: The homeDirectory property specifies the path of the home directory for the user. The string can be null. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network @@ -1159,25 +1139,25 @@ CLASS="CONSTANT" >

  • userWorkstationuserWorkstation: character string value currently unused.

  • ridrid: the integer representation of the user's relative identifier (RID).

  • primaryGroupIDprimaryGroupID: the relative identifier (RID) of the primary group of the user.

    • smb.conf file. When a user named "becky" logons to the domain, -the logon homelogon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value -of the logon homelogon home parameter is used in its place. Samba will only write the attribute value to the directory entry is the value is something other than the default (e.g. \\MOBY\becky).

    3.6.9. Example LDIF Entries for a sambaAccount

    3.6.9. Example LDIF Entries for a sambaAccount

    The following is a working LDIF with the inclusion of the posixAccount objectclass:

    3.7. MySQL

    3.7. MySQL

    3.7.1. Building

    3.7.1. Building

    To build the plugin, run

    3.7.2. Creating the database

    3.7.2. Creating the database

    You either can set up your own table and specify the field names to pdb_mysql (see below for the column names) or use the default table. The file mysql -umysql -uusername -husername -hhostname -phostname -ppassword password databasenamedatabasename < /path/to/samba/examples/pdb/mysql/mysql.dump

    3.7.3. Configuring

    3.7.3. Configuring

    This plugin lacks some good documentation, but here is some short info:

    3.7.4. Using plaintext passwords or encrypted password

    3.7.4. Using plaintext passwords or encrypted password

    I strongly discourage the use of plaintext passwords, however, you can use them:

    3.7.5. Getting non-column data from the table

    3.7.5. Getting non-column data from the table

    It is possible to have not all data in the database and making some 'constant'.

    3.8. Passdb XML plugin

    3.8. Passdb XML plugin

    3.8.1. Building

    3.8.1. Building

    This module requires libxml2 to be installed.

    3.8.2. Usage

    3.8.2. Usage

    The usage of pdb_xml is pretty straightforward. To export data, use: diff --git a/docs/htmldocs/pdb-mysql.html b/docs/htmldocs/pdb-mysql.html deleted file mode 100644 index e98d0c30d0..0000000000 --- a/docs/htmldocs/pdb-mysql.html +++ /dev/null @@ -1,341 +0,0 @@ - -Passdb MySQL plugin

SAMBA Project Documentation
PrevNext

Chapter 16. Passdb MySQL plugin

16.1. Building

To build the plugin, run make bin/pdb_mysql.so -in the source/ directory of samba distribution.

Next, copy pdb_mysql.so to any location you want. I -strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/

16.2. Creating the database

You either can set up your own table and specify the field names to pdb_mysql (see below -for the column names) or use the default table. The file examples/pdb/mysql/mysql.dump -contains the correct queries to create the required tables. Use the command : - -mysql -uusername -hhostname -ppassword databasename < /path/to/samba/examples/pdb/mysql/mysql.dump

16.3. Configuring

This plugin lacks some good documentation, but here is some short info:

Add a the following to the passdb backend variable in your smb.conf: -

passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]

The identifier can be any string you like, as long as it doesn't collide with -the identifiers of other plugins or other instances of pdb_mysql. If you -specify multiple pdb_mysql.so entries in 'passdb backend', you also need to -use different identifiers!

Additional options can be given thru the smb.conf file in the [global] section.

identifier:mysql host                     - host name, defaults to 'localhost'
-identifier:mysql password
-identifier:mysql user                     - defaults to 'samba'
-identifier:mysql database                 - defaults to 'samba'
-identifier:mysql port                     - defaults to 3306
-identifier:table                          - Name of the table containing users

WARNING: since the password for the mysql user is stored in the -smb.conf file, you should make the the smb.conf file -readable only to the user that runs samba. This is considered a security -bug and will be fixed soon.

Names of the columns in this table(I've added column types those columns should have first):

identifier:logon time column             - int(9)
-identifier:logoff time column            - int(9)
-identifier:kickoff time column           - int(9)
-identifier:pass last set time column     - int(9)
-identifier:pass can change time column   - int(9)
-identifier:pass must change time column  - int(9)
-identifier:username column               - varchar(255) - unix username
-identifier:domain column                 - varchar(255) - NT domain user is part of
-identifier:nt username column            - varchar(255) - NT username
-identifier:fullname column            - varchar(255) - Full name of user
-identifier:home dir column               - varchar(255) - Unix homedir path
-identifier:dir drive column              - varchar(2) - Directory drive path (eg: 'H:')
-identifier:logon script column           - varchar(255) - Batch file to run on client side when logging on
-identifier:profile path column           - varchar(255) - Path of profile
-identifier:acct desc column              - varchar(255) - Some ASCII NT user data
-identifier:workstations column           - varchar(255) - Workstations user can logon to (or NULL for all)
-identifier:unknown string column         - varchar(255) - unknown string
-identifier:munged dial column            - varchar(255) - ?
-identifier:uid column                    - int(9) - Unix user ID (uid)
-identifier:gid column                    - int(9) - Unix user group (gid)
-identifier:user sid column               - varchar(255) - NT user SID
-identifier:group sid column              - varchar(255) - NT group ID
-identifier:lanman pass column            - varchar(255) - encrypted lanman password
-identifier:nt pass column                - varchar(255) - encrypted nt passwd
-identifier:plain pass column             - varchar(255) - plaintext password
-identifier:acct control column           - int(9) - nt user data
-identifier:unknown 3 column              - int(9) - unknown
-identifier:logon divs column             - int(9) - ?
-identifier:hours len column              - int(9) - ?
-identifier:unknown 5 column              - int(9) - unknown
-identifier:unknown 6 column              - int(9) - unknown

Eventually, you can put a colon (:) after the name of each column, which -should specify the column to update when updating the table. You can also -specify nothing behind the colon - then the data from the field will not be -updated.

16.4. Using plaintext passwords or encrypted password

I strongly discourage the use of plaintext passwords, however, you can use them:

If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords.

If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.

16.5. Getting non-column data from the table

It is possible to have not all data in the database and making some 'constant'.

For example, you can set 'identifier:fullname column' to : -CONCAT(First_name,' ',Sur_name)

Or, set 'identifier:workstations column' to : -NULL

See the MySQL documentation for more language constructs.

PrevHomeNext
Unified Logons between Windows NT and UNIX using WinbindUpPassdb XML plugin
\ No newline at end of file diff --git a/docs/htmldocs/pdb-xml.html b/docs/htmldocs/pdb-xml.html deleted file mode 100644 index 1b419dcc74..0000000000 --- a/docs/htmldocs/pdb-xml.html +++ /dev/null @@ -1,189 +0,0 @@ - -Passdb XML plugin
SAMBA Project Documentation
PrevNext

Chapter 17. Passdb XML plugin

17.1. Building

This module requires libxml2 to be installed.

To build pdb_xml, run: make bin/pdb_xml.so in -the directory source/.

17.2. Usage

The usage of pdb_xml is pretty straightforward. To export data, use: - -pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename - -(where filename is the name of the file to put the data in)

To import data, use: -pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb - -Where filename is the name to read the data from and current-pdb to put it in.

PrevHomeNext
Passdb MySQL pluginUpStackable VFS modules
\ No newline at end of file diff --git a/docs/htmldocs/pdbedit.8.html b/docs/htmldocs/pdbedit.8.html index 14497f522c..ee7b980211 100644 --- a/docs/htmldocs/pdbedit.8.html +++ b/docs/htmldocs/pdbedit.8.html @@ -5,7 +5,7 @@ >pdbedit

This option may only be used in conjunction - with the -a-a option. It will make pdbedit to add a machine trust account instead of a user account (-u username will provide the machine name).

Sets an account policy to a specified value. This option may only be used in conjunction - with the -P-P option.

-d|--debug=debuglevel

debugleveldebuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

Print a summary of command line options.

-s <configuration file>
-s <configuration file>

The file specified contains the diff --git a/docs/htmldocs/portability.html b/docs/htmldocs/portability.html index 4942cdb1bb..b6d406ce1d 100644 --- a/docs/htmldocs/portability.html +++ b/docs/htmldocs/portability.html @@ -5,7 +5,7 @@ >Portability

21.1. HPUX

21.1. HPUX

HP's implementation of supplementary groups is, er, non-standard (for hysterical reasons). There are two group files, /etc/group and @@ -114,9 +114,9 @@ CLASS="SECT1" >

21.2. SCO Unix

21.2. SCO Unix

If you run an old version of SCO Unix then you may need to get important @@ -131,9 +131,9 @@ CLASS="SECT1" >

21.3. DNIX

21.3. DNIX

DNIX has a problem with seteuid() and setegid(). These routines are needed for Samba to work correctly, but they were left out of the DNIX @@ -238,9 +238,9 @@ CLASS="SECT1" >

21.4. RedHat Linux Rembrandt-II

21.4. RedHat Linux Rembrandt-II

By default RedHat Rembrandt-II during installation adds an entry to /etc/hosts as follows: @@ -257,6 +257,27 @@ is the master browse list holder and who is the master browser.

Corrective Action: Delete the entry after the word loopback in the line starting 127.0.0.1

21.5. AIX

21.5.1. Sequential Read Ahead

Disabling Sequential Read Ahead using "vmtune -r 0" improves +samba performance significally.

Printing Support

13.1. Introduction

13.1. Introduction

Beginning with the 2.2.0 release, Samba supports the native Windows NT printing mechanisms implemented via @@ -163,9 +163,9 @@ CLASS="SECT1" >

13.2. Configuration

13.2. Configuration

However, the initial implementation allowed for a -parameter named printer driver locationprinter driver location to be used on a per share basis to specify the location of the driver files associated with that printer. Another -parameter named printer driverprinter driver provided a means of defining the printer driver name to be sent to the client.

13.2.1. Creating [print$]

13.2.1. Creating [print$]

In order to support the uploading of printer driver files, you must first configure a file share named [print$]. @@ -270,11 +266,9 @@ CLASS="PROGRAMLISTING" >The write listwrite list is used to allow administrative level user accounts to have write access in order to update files @@ -414,12 +408,10 @@ one of two conditions must hold true:

printer - admin list.

Once you have created the required [print$] service and associated subdirectories, simply log onto the Samba server using -a root (or printer adminprinter admin) account from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or "My Network Places" and browse for the Samba host. Once you have located @@ -452,9 +442,9 @@ CLASS="SECT2" >

13.2.2. Setting Drivers for Existing Printers

13.2.2. Setting Drivers for Existing Printers

The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned @@ -524,9 +514,9 @@ CLASS="SECT2" >

13.2.3. Support a large number of printers

13.2.3. Support a large number of printers

One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for @@ -547,9 +537,9 @@ of how this could be accomplished:

 
-$ $ rpcclient pogo -U root%secret -c "enumdrivers"
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
  
@@ -563,9 +553,9 @@ Printer Driver Info 1:
 Printer Driver Info 1:
      Driver Name: [HP LaserJet 4Si/4SiMX PS]
 				  
-$ $ rpcclient pogo -U root%secret -c "enumprinters"
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
      flags:[0x800000]
@@ -573,13 +563,13 @@ Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
      description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
      comment:[]
 				  
-$ $ rpcclient pogo -U root%secret \
-> >  -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
 Successfully set hp-print to driver HP LaserJet 4000 Series PS.

13.2.4. Adding New Printers via the Windows NT APW

13.2.4. Adding New Printers via the Windows NT APW

By default, Samba offers all printer shares defined in

The connected user is able to successfully execute an OpenPrinterEx(\\server) with administrative - privileges (i.e. root or printer adminprinter admin).

show - add printer wizard = yes (the default).

add -printer command must have a defined value. The program hook must successfully add the printer to the system (i.e. @@ -658,35 +642,29 @@ CLASS="FILENAME" not exist, smbd will execute the will execute the add printer -command and reparse to the smb.conf to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. Note that the -add printer programadd printer program is executed under the context of the connected user, not necessarily a root account.

There is a complementary delete -printer command for removing entries from the "Printers..." folder.

The following is an example add printer commandadd printer command script. It adds the appropriate entries to

13.2.5. Samba and Printer Ports

13.2.5. Samba and Printer Ports

Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the @@ -780,12 +756,10 @@ CLASS="FILENAME" > possesses a enumports -command which can be used to define an external program that generates a listing of ports on a system.

13.3. The Imprints Toolset

13.3. The Imprints Toolset

The Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer Wizard. For complete information, please @@ -814,9 +788,9 @@ CLASS="SECT2" >

13.3.1. What is Imprints?

13.3.1. What is Imprints?

Imprints is a collection of tools for supporting the goals of

13.3.2. Creating Printer Driver Packages

13.3.2. Creating Printer Driver Packages

The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included @@ -862,9 +836,9 @@ CLASS="SECT2" >

13.3.3. The Imprints server

13.3.3. The Imprints server

The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer @@ -886,9 +860,9 @@ CLASS="SECT2" >

13.3.4. The Installation Client

13.3.4. The Installation Client

More information regarding the Imprints installation client is available in the

13.4. Diagnosis

13.4. Diagnosis

13.4.1. Introduction

13.4.1. Introduction

This is a short description of how to debug printing problems with Samba. This describes how to debug problems with printing from a SMB @@ -1052,7 +1026,7 @@ and it should be periodically cleaned out. Samba used the lpq command to determine the "job number" assigned to your print job by the spooler.

The %>letter< are "macros" that get dynamically replaced with appropriate +>The %>letter< are "macros" that get dynamically replaced with appropriate values when they are used. The %s gets replaced with the name of the spool file that Samba creates and the %p gets replaced with the name of the printer. The %j gets replaced with the "job number" which comes from @@ -1063,9 +1037,9 @@ CLASS="SECT2" >

13.4.2. Debugging printer problems

13.4.2. Debugging printer problems

One way to debug printing problems is to start by replacing these command with shell scripts that record the arguments and the contents @@ -1081,7 +1055,7 @@ CLASS="PROGRAMLISTING" /usr/bin/id -p >/tmp/tmp.print # we run the command and save the error messages # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print

Then you print a file and try removing it. You may find that the @@ -1120,9 +1094,9 @@ CLASS="SECT2" >

13.4.3. What printers do I have?

13.4.3. What printers do I have?

You can use the 'testprns' program to check to see if the printer name you are using is recognized by Samba. For example, you can @@ -1149,9 +1123,9 @@ CLASS="SECT2" >

13.4.4. Setting up printcap and print servers

13.4.4. Setting up printcap and print servers

You may need to set up some printcaps for your Samba system to use. It is strongly recommended that you use the facilities provided by @@ -1233,9 +1207,9 @@ CLASS="SECT2" >

13.4.5. Job sent, no output

13.4.5. Job sent, no output

This is the most frustrating part of printing. You may have sent the job, verified that the job was forwarded, set up a wrapper around @@ -1278,9 +1252,9 @@ CLASS="SECT2" >

13.4.6. Job sent, strange output

13.4.6. Job sent, strange output

Once you have the job printing, you can then start worrying about making it print nicely.

13.4.7. Raw PostScript printed

13.4.7. Raw PostScript printed

This is a problem that is usually caused by either the print spooling system putting information at the start of the print job that makes @@ -1339,9 +1313,9 @@ CLASS="SECT2" >

13.4.8. Advanced Printing

13.4.8. Advanced Printing

Note that you can do some pretty magic things by using your imagination with the "print command" option and some shell scripts. @@ -1355,9 +1329,9 @@ CLASS="SECT2" >

13.4.9. Real debugging

13.4.9. Real debugging

If the above debug tips don't help, then maybe you need to bring in the bug guns, system tracing. See Tracing.txt in this directory.

-LanMan and NT Password Encryption in Samba
SAMBA Project Documentation
PrevNext

Chapter 4. LanMan and NT Password Encryption in Samba

4.1. Introduction

Newer windows clients send encrypted passwords over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked.

These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else. For more information, see the documentation - about the passdb backend = parameter. -

4.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the smbpasswd file as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.

Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc).

Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are never sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.

Other Microsoft operating systems which also exhibit - this behavior includes

  • MS DOS Network client 3.0 with - the basic network redirector installed

  • Windows 95 with the network redirector - update installed

  • Windows 98 [se]

  • Windows 2000

Note :All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.

4.2.1. Advantages of SMB Encryption

  • plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.

  • WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. -

4.2.2. Advantages of non-encrypted passwords

  • plain text passwords are not kept - on disk.

  • uses same password file as other unix - services such as login and ftp

  • you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.

4.3. The smbpasswd Command

The smbpasswd command maintains the two 32 byte password fields - in the smbpasswd file. If you wish to make it similar to the unix - passwd or yppasswd programs, - install it in /usr/local/samba/bin/ (or your - main Samba binary directory).

smbpasswd now works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.

smbpasswd now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).

To run smbpasswd as a normal user just type :

$ smbpasswd

Old SMB password: <type old value here - - or hit return if there was no old password>

New SMB Password: <type new value> -

Repeat New SMB Password: <re-type new value -

If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.

If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.

If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.

smbpasswd is designed to work in the same way - and be familiar to UNIX users who use the passwd or - yppasswd commands.

For more details on using smbpasswd refer - to the man page which will always be the definitive reference.

PrevHomeNext
Quick Cross Subnet Browsing / Cross Workgroup Browsing guideUpUser information database
\ No newline at end of file diff --git a/docs/htmldocs/rpcclient.1.html b/docs/htmldocs/rpcclient.1.html index 611512a53b..6e71ddeb14 100644 --- a/docs/htmldocs/rpcclient.1.html +++ b/docs/htmldocs/rpcclient.1.html @@ -5,7 +5,7 @@ >rpcclientrpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logfile] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}

[-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logfile] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}

name resolve ordername resolve order line from 

username = <value> 
-password = <value>
-domain   = <value>
username = <value> +password = <value> +domain = <value>

Make certain that the permissions on the file restrict @@ -136,11 +134,9 @@ domain = <value>-d|--debug=debuglevel

debugleveldebuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

-I IP-address

IP addressIP address is the address of the server to connect to. It should be specified in standard "a.b.c.d" notation.

Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution - mechanism described above in the name resolve ordername resolve order parameter above. Using this parameter will force the client to assume that the server is on the machine with the specified IP @@ -207,9 +199,9 @@ CLASS="PARAMETER" >

File name for log/debug files. The extension - '.client''.client' will be appended. The log file is never removed by the client.

rpcclient will - prompt for a password. See also the -U-U option.

Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The - client will first check the USERUSER environment variable, then the - LOGNAMELOGNAME variable and if either exists, the string is uppercased. If these environmental variables are not - found, the username GUESTGUEST is used.

A third option is to use a credentials file which @@ -271,11 +261,9 @@ CLASS="CONSTANT" wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the - -A-A for more details.

Be cautious about including passwords in scripts. Also, on @@ -441,7 +429,7 @@ CLASS="EMPHASIS" >

adddriver <arch> <config>adddriver <arch> <config> - Execute an AddPrinterDriver() RPC to install the printer driver information on the server. Note that the driver files should @@ -450,21 +438,17 @@ CLASS="COMMAND" CLASS="COMMAND" >getdriverdir. Possible values for - archarch are the same as those for the getdriverdir command. - The configconfig parameter is defined as follows:

addprinter <printername> - <sharename> <drivername> <port>addprinter <printername> + <sharename> <drivername> <port> - Add a printer on the remote server. This printer will be automatically shared. Be aware that the printer driver @@ -502,11 +486,9 @@ CLASS="COMMAND" CLASS="COMMAND" >adddriver) - and the portportmust be a valid port name (see

enumjobs <printer>enumjobs <printer> - List the jobs and status of a given printer. This command corresponds to the MS Platform SDK EnumJobs() @@ -582,7 +564,7 @@ CLASS="COMMAND" >

getdata <printername>getdata <printername> - Retrieve the data for a given printer setting. See the

getdriver <printername>getdriver <printername> - Retrieve the printer driver information (such as driver file, config file, dependent files, etc...) for @@ -608,16 +590,14 @@ CLASS="COMMAND" >

getdriverdir <arch>getdriverdir <arch> - Execute a GetPrinterDriverDirectory() RPC to retrieve the SMB share name and subdirectory for storing printer driver files for a given architecture. Possible - values for archarch are "Windows 4.0" (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows Alpha_AXP", and "Windows NT R4000".

getprinter <printername>getprinter <printername> - Retrieve the current printer information. This command corresponds to the GetPrinter() MS Platform SDK function. @@ -636,7 +616,7 @@ CLASS="COMMAND" >

openprinter <printername>openprinter <printername> - Execute an OpenPrinterEx() and ClosePrinter() RPC against a given printer.

setdriver <printername> - <drivername>setdriver <printername> + <drivername> - Execute a SetPrinter() command to update the printer driver associated with an installed printer. The printer driver must diff --git a/docs/htmldocs/samba-bdc.html b/docs/htmldocs/samba-bdc.html index 42f653fb7d..c0c1805f8f 100644 --- a/docs/htmldocs/samba-bdc.html +++ b/docs/htmldocs/samba-bdc.html @@ -5,7 +5,7 @@ >How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain

6.1. Prerequisite Reading

6.1. Prerequisite Reading

Before you continue reading in this chapter, please make sure that you are comfortable with configuring a Samba PDC @@ -97,9 +97,9 @@ CLASS="SECT1" >

6.2. Background

6.2. Background

What is a Domain Controller? It is a machine that is able to answer logon requests from workstations in a Windows NT Domain. Whenever a @@ -142,9 +142,9 @@ CLASS="SECT1" >

6.3. What qualifies a Domain Controller on the network?

6.3. What qualifies a Domain Controller on the network?

Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS group name SAMBA#1c with the WINS server and/or @@ -159,9 +159,9 @@ CLASS="SECT2" >

6.3.1. How does a Workstation find its domain controller?

6.3.1. How does a Workstation find its domain controller?

A NT workstation in the domain SAMBA that wants a local user to be authenticated has to find the domain controller for SAMBA. It does @@ -178,9 +178,9 @@ CLASS="SECT2" >

6.3.2. When is the PDC needed?

6.3.2. When is the PDC needed?

Whenever a user wants to change his password, this has to be done on the PDC. To find the PDC, the workstation does a NetBIOS name query @@ -194,9 +194,9 @@ CLASS="SECT1" >

6.4. Can Samba be a Backup Domain Controller to an NT PDC?

6.4. Can Samba be a Backup Domain Controller to an NT PDC?

With version 2.2, no. The native NT SAM replication protocols have not yet been fully implemented. The Samba Team is working on @@ -217,9 +217,9 @@ CLASS="SECT1" >

6.5. How do I set up a Samba BDC?

6.5. How do I set up a Samba BDC?

Several things have to be done:

6.5.1. How do I replicate the smbpasswd file?

6.5.1. How do I replicate the smbpasswd file?

Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change is @@ -305,9 +305,9 @@ CLASS="SECT2" >

6.5.2. Can I do this all with LDAP?

6.5.2. Can I do this all with LDAP?

The simple answer is YES. Samba's pdb_ldap code supports binding to a replica LDAP server, and will also follow referrals and diff --git a/docs/htmldocs/samba-howto-collection.html b/docs/htmldocs/samba-howto-collection.html index 82e29206ac..51b4fddcba 100644 --- a/docs/htmldocs/samba-howto-collection.html +++ b/docs/htmldocs/samba-howto-collection.html @@ -5,7 +5,7 @@ >SAMBA Project DocumentationSAMBA Project DocumentationSAMBA Project Documentation

1.1. Read the man pagesObtaining and installing samba
1.2. Building the BinariesConfiguring samba
1.3. The all important step
1.4. Create the smb configuration file.
1.5. Test your config file with - testparm
1.6. Starting the smbd and nmbd
1.7. Try listing the shares available on your server
1.8. 1.4. Try connecting with the unix client
1.9. 1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client
1.10. 1.6. What If Things Don't Work?
2.1. Discussion
2.2. Use of the "Remote Announce" parameter
2.3. Use of the "Remote Browse Sync" parameter
2.4. Use of WINS
2.5. Do NOT use more than one (1) protocol on MS Windows machines
2.6. Name Resolution Order
3.1. Introduction
3.2. Important Notes About Security
3.3. The smbpasswd Command
3.4. Plain text
3.5. TDB
3.6. LDAP
3.7. MySQL
3.8. Passdb XML plugin
5.1. Prerequisite Reading
5.2. Background
5.3. Configuring the Samba Domain Controller
5.4. Creating Machine Trust Accounts and Joining Clients to the Domain
5.5. Common Problems and Errors
5.6. System Policies and Profiles
5.7. What other help can I get?
5.8. Domain Control for Windows 9x/ME
5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & SambaDOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
6.1. Prerequisite Reading
6.2. Background
6.3. What qualifies a Domain Controller on the network?
6.4. Can Samba be a Backup Domain Controller to an NT PDC?
6.5. How do I set up a Samba BDC?
7.1. Installing the required packages for Debian
7.2. Installing the required packages for RedHat
7.3. Compile Samba
7.4. Setup your /etc/krb5.conf
7.5. Create the computer account
7.6. Test your server setup
7.7. Testing with smbclient
7.8. Notes
8.1. Joining an NT Domain with Samba 3.0
8.2. Samba and Windows 2000 Domains
8.3. Why is this better than security = server?
9.1. Agenda
9.2. Name Resolution in a pure Unix/Linux world
9.3. Name resolution as used within MS Windows networking
9.4. How browsing functions and how to deploy stable and dependable browsing using Samba
9.5. MS Windows security options and how to configure Samba for seemless integration
9.6. Conclusions
10.1. Viewing and changing UNIX permissions using the NT security dialogs
10.2. How to view file security on a Samba share
10.3. Viewing file ownership
10.4. Viewing file or directory permissions
10.5. Modifying file or directory permissions
10.6. Interaction with the standard Samba create mask parameters
10.7. Interaction with the standard Samba file attribute mapping
11.1. Samba and PAM
11.2. Distributed Authentication
11.3. PAM Configuration in smb.conf
12.1. Instructions
13.1. Introduction
13.2. Configuration
13.3. The Imprints Toolset
13.4. Diagnosis
14.1. Abstract
14.2. Introduction
14.3. What Winbind Provides
14.4. How Winbind Works
14.5. Installation and Configuration
14.6. Limitations
14.7. Conclusion
15.1. Overview of browsing
15.2. Browsing support in samba
15.3. Problem resolution
15.4. Browsing across subnets
15.5. Setting up a WINS server
15.6. Setting up Browsing in a WORKGROUP
15.7. Setting up Browsing in a DOMAIN
15.8. Forcing samba to be the master
15.9. Making samba the domain master
15.10. Note about broadcast addresses
15.11. Multiple interfaces
16.1. Introduction and configuration
16.2. Included modules
16.3. VFS modules available elsewhere
17. Access Samba source code via CVS
17.1. Introduction
17.2. CVS Access to samba.org
18. Group mapping HOWTO
19. 18. Samba performance issues
19.1. 18.1. Comparisons
19.2. 18.2. Socket options
19.3. 18.3. Read size
19.4. 18.4. Max xmit
19.5. 18.5. Log level
19.6. 18.6. Read raw
19.7. 18.7. Write raw
19.8. 18.8. Slow Clients
19.9. 18.9. Slow Logins
19.10. 18.10. Client tuning
20. 19. Creating Group ProfilesCreating Group Prolicy Files
20.1. 19.1. Windows '9x
20.2. 19.2. Windows NT 4
20.3. 19.3. Windows 2000/XP
20. Securing Samba
20.1. Introduction
20.2. Using host based protection
20.3. Using interface protection
20.4. Using a firewall
20.5. Using a IPC$ share deny
20.6. Upgrading Samba
21.1. HPUX
21.2. SCO Unix
21.3. DNIX
21.4. RedHat Linux Rembrandt-II
21.5. AIX
22.1. Macintosh clients?
22.2. OS2 Client
22.3. Windows for Workgroups
22.4. Windows '95/'98
22.5. Windows 2000 Service Pack 2
23. How to compile SAMBA
23.1. Access Samba source code via CVS
23.2. Accessing the samba sources via rsync and ftp
23.3. Building the Binaries
23.4. Starting the smbd and nmbd
24. Reporting Bugs
23.1. 24.1. Introduction
23.2. 24.2. General info
23.3. 24.3. Debug levels
23.4. 24.4. Internal errors
23.5. 24.5. Attaching to a running process
23.6. 24.6. Patches
24. 25. Diagnosing your samba serverThe samba checklist
24.1. 25.1. Introduction
24.2. 25.2. Assumptions
24.3. 25.3. Tests
24.4. 25.4. Still having troubles?
-Storing Samba's User/Machine Account information in an LDAP Directory
SAMBA Project Documentation
PrevNext

Chapter 17. Storing Samba's User/Machine Account information in an LDAP Directory

17.1. Purpose

This document describes how to use an LDAP directory for storing Samba user -account information traditionally stored in the smbpasswd(5) file. It is -assumed that the reader already has a basic understanding of LDAP concepts -and has a working directory server already installed. For more information -on LDAP architectures and Directories, please refer to the following sites.

Note that O'Reilly Publishing is working on -a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002.

Two additional Samba resources which may prove to be helpful are

  • The Samba-PDC-LDAP-HOWTO - maintained by Ignacio Coupeau.

  • The NT migration scripts from IDEALX that are - geared to manage users and group in such a Samba-LDAP Domain Controller configuration. -

17.2. Introduction

Traditionally, when configuring "encrypt -passwords = yes" in Samba's smb.conf file, user account -information such as username, LM/NT password hashes, password change times, and account -flags have been stored in the smbpasswd(5) file. There are several -disadvantages to this approach for sites with very large numbers of users (counted -in the thousands).

  • The first is that all lookups must be performed sequentially. Given that -there are approximately two lookups per domain logon (one for a normal -session connection such as when mapping a network drive or printer), this -is a performance bottleneck for lareg sites. What is needed is an indexed approach -such as is used in databases.

  • The second problem is that administrators who desired to replicate a -smbpasswd file to more than one Samba server were left to use external -tools such as rsync(1) and ssh(1) -and wrote custom, in-house scripts.

  • And finally, the amount of information which is stored in an -smbpasswd entry leaves no room for additional attributes such as -a home directory, password expiration time, or even a Relative -Identified (RID).

As a result of these defeciencies, a more robust means of storing user attributes -used by smbd was developed. The API which defines access to user accounts -is commonly referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support -for a samdb backend (e.g. --with-ldapsam or ---with-tdbsam) requires compile time support.

When compiling Samba to include the --with-ldapsam autoconf -option, smbd (and associated tools) will store and lookup user accounts in -an LDAP directory. In reality, this is very easy to understand. If you are -comfortable with using an smbpasswd file, simply replace "smbpasswd" with -"LDAP directory" in all the documentation.

There are a few points to stress about what the --with-ldapsam -does not provide. The LDAP support referred to in the this documentation does not -include:

  • A means of retrieving user account information from - an Windows 2000 Active Directory server.

  • A means of replacing /etc/passwd.

The second item can be accomplished by using LDAP NSS and PAM modules. LGPL -versions of these libraries can be obtained from PADL Software -(http://www.padl.com/). However, -the details of configuring these packages are beyond the scope of this document.

17.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP -2.0 server and client libraries. The same code should be able to work with -Netscape's Directory Server and client SDK. However, due to lack of testing -so far, there are bound to be compile errors and bugs. These should not be -hard to fix. If you are so inclined, please be sure to forward all patches to -samba-patches@samba.org and -jerry@samba.org.

17.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in -examples/LDAP/samba.schema. (Note that this schema -file has been modified since the experimental support initially included -in 2.2.2). The sambaAccount objectclass is given here:

objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
-     DESC 'Samba Account'
-     MUST ( uid $ rid )
-     MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
-            logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
-            displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
-            description $ userWorkstations $ primaryGroupID $ domain ))

The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are -owned by the Samba Team and as such is legal to be openly published. -If you translate the schema to be used with Netscape DS, please -submit the modified schema file as a patch to jerry@samba.org

Just as the smbpasswd file is mean to store information which supplements a -user's /etc/passwd entry, so is the sambaAccount object -meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURAL objectclass so it can be stored individually -in the directory. However, there are several fields (e.g. uid) which overlap -with the posixAccount objectclass outlined in RFC2307. This is by design.

In order to store all user account information (UNIX and Samba) in the directory, -it is necessary to use the sambaAccount and posixAccount objectclasses in -combination. However, smbd will still obtain the user's UNIX account -information via the standard C library calls (e.g. getpwnam(), et. al.). -This means that the Samba server must also have the LDAP NSS library installed -and functioning correctly. This division of information makes it possible to -store all Samba account information in LDAP, but still maintain UNIX account -information in NIS while the network is transitioning to a full LDAP infrastructure.

17.5. Configuring Samba with LDAP

17.5.1. OpenLDAP configuration

To include support for the sambaAccount object in an OpenLDAP directory -server, first copy the samba.schema file to slapd's configuration directory.

root# cp samba.schema /etc/openldap/schema/

Next, include the samba.schema file in slapd.conf. -The sambaAccount object contains two attributes which depend upon other schema -files. The 'uid' attribute is defined in cosine.schema and -the 'displayName' attribute is defined in the inetorgperson.schema -file. Both of these must be included before the samba.schema file.

## /etc/openldap/slapd.conf
-
-## schema files (core.schema is required by default)
-include	           /etc/openldap/schema/core.schema
-
-## needed for sambaAccount
-include            /etc/openldap/schema/cosine.schema
-include            /etc/openldap/schema/inetorgperson.schema
-include            /etc/openldap/schema/samba.schema
-
-## uncomment this line if you want to support the RFC2307 (NIS) schema
-## include         /etc/openldap/schema/nis.schema
-
-....

It is recommended that you maintain some indices on some of the most usefull attributes, -like in the following example, to speed up searches made on sambaAccount objectclasses -(and possibly posixAccount and posixGroup as well).

# Indices to maintain
-## required by OpenLDAP 2.0
-index objectclass   eq
-
-## support pb_getsampwnam()
-index uid           pres,eq
-## support pdb_getsambapwrid()
-index rid           eq
-
-## uncomment these if you are storing posixAccount and
-## posixGroup entries in the directory as well
-##index uidNumber     eq
-##index gidNumber     eq
-##index cn            eq
-##index memberUid     eq

17.5.2. Configuring Samba

The following parameters are available in smb.conf only with --with-ldapsam -was included with compiling Samba.

These are described in the smb.conf(5) man -page and so will not be repeated here. However, a sample smb.conf file for -use with an LDAP directory could appear as

## /usr/local/samba/lib/smb.conf
-[global]
-     security = user
-     encrypt passwords = yes
-
-     netbios name = TASHTEGO
-     workgroup = NARNIA
-
-     # ldap related parameters
-
-     # define the DN to use when binding to the directory servers
-     # The password for this DN is not stored in smb.conf.  Rather it
-     # must be set by using 'smbpasswd -w secretpw' to store the
-     # passphrase in the secrets.tdb file.  If the "ldap admin dn" values
-     # changes, this password will need to be reset.
-     ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
-
-     #  specify the LDAP server's hostname (defaults to locahost)
-     ldap server = ahab.samba.org
-
-     # Define the SSL option when connecting to the directory
-     # ('off', 'start tls', or 'on' (default))
-     ldap ssl = start tls
-
-     # define the port to use in the LDAP session (defaults to 636 when
-     # "ldap ssl = on")
-     ldap port = 389
-
-     # specify the base DN to use when searching the directory
-     ldap suffix = "ou=people,dc=samba,dc=org"
-
-     # generally the default ldap search filter is ok
-     # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"

17.6. Accounts and Groups management

As users accounts are managed thru the sambaAccount objectclass, you should -modify you existing administration tools to deal with sambaAccount attributes.

Machines accounts are managed with the sambaAccount objectclass, just -like users accounts. However, it's up to you to stored thoses accounts -in a different tree of you LDAP namespace: you should use -"ou=Groups,dc=plainjoe,dc=org" to store groups and -"ou=People,dc=plainjoe,dc=org" to store users. Just configure your -NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration -file).

In Samba release 2.2.3, the group management system is based on posix -groups. This meand that Samba make usage of the posixGroup objectclass. -For now, there is no NT-like group system management (global and local -groups).

17.7. Security and sambaAccount

There are two important points to remember when discussing the security -of sambaAccount entries in the directory.

  • Never retrieve the lmPassword or - ntPassword attribute values over an unencrypted LDAP session.

  • Never allow non-admin users to - view the lmPassword or ntPassword attribute values.

These password hashes are clear text equivalents and can be used to impersonate -the user without deriving the original clear text strings. For more information -on the details of LM/NT password hashes, refer to the ENCRYPTION chapter of the Samba-HOWTO-Collection.

To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults -to require an encrypted session (ldap ssl = on) using -the default port of 636 -when contacting the directory server. When using an OpenLDAP 2.0 server, it -is possible to use the use the StartTLS LDAP extended operation in the place of -LDAPS. In either case, you are strongly discouraged to disable this security -(ldap ssl = off).

Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS -extended operation. However, the OpenLDAP library still provides support for -the older method of securing communication between clients and servers.

The second security precaution is to prevent non-administrative users from -harvesting password hashes from the directory. This can be done using the -following ACL in slapd.conf:

## allow the "ldap admin dn" access, but deny everyone else
-access to attrs=lmPassword,ntPassword
-     by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
-     by * none

17.8. LDAP specials attributes for sambaAccounts

The sambaAccount objectclass is composed of the following attributes:

  • lmPassword: the LANMAN password 16-byte hash stored as a character - representation of a hexidecimal string.

  • ntPassword: the NT password hash 16-byte stored as a character - representation of a hexidecimal string.

  • pwdLastSet: The integer time in seconds since 1970 when the - lmPassword and ntPassword attributes were last set. -

  • acctFlags: string of 11 characters surrounded by square brackets [] - representing account flags such as U (user), W(workstation), X(no password expiration), and - D(disabled).

  • logonTime: Integer value currently unused

  • logoffTime: Integer value currently unused

  • kickoffTime: Integer value currently unused

  • pwdCanChange: Integer value currently unused

  • pwdMustChange: Integer value currently unused

  • homeDrive: specifies the drive letter to which to map the - UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" - where X is the letter of the drive to map. Refer to the "logon drive" parameter in the - smb.conf(5) man page for more information.

  • scriptPath: The scriptPath property specifies the path of - the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path - is relative to the netlogon share. Refer to the "logon script" parameter in the - smb.conf(5) man page for more information.

  • profilePath: specifies a path to the user's profile. - This value can be a null string, a local absolute path, or a UNC path. Refer to the - "logon path" parameter in the smb.conf(5) man page for more information.

  • smbHome: The homeDirectory property specifies the path of - the home directory for the user. The string can be null. If homeDrive is set and specifies - a drive letter, homeDirectory should be a UNC path. The path must be a network - UNC path of the form \\server\share\directory. This value can be a null string. - Refer to the "logon home" parameter in the smb.conf(5) man page for more information. -

  • userWorkstation: character string value currently unused. -

  • rid: the integer representation of the user's relative identifier - (RID).

  • primaryGroupID: the relative identifier (RID) of the primary group - of the user.

The majority of these parameters are only used when Samba is acting as a PDC of -a domain (refer to the Samba-PDC-HOWTO for details on -how to configure Samba as a Primary Domain Controller). The following four attributes -are only stored with the sambaAccount entry if the values are non-default values:

  • smbHome

  • scriptPath

  • logonPath

  • homeDrive

These attributes are only stored with the sambaAccount entry if -the values are non-default values. For example, assume TASHTEGO has now been -configured as a PDC and that logon home = \\%L\%u was defined in -its smb.conf file. When a user named "becky" logons to the domain, -the logon home string is expanded to \\TASHTEGO\becky. -If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", -this value is used. However, if this attribute does not exist, then the value -of the logon home parameter is used in its place. Samba -will only write the attribute value to the directory entry is the value is -something other than the default (e.g. \\MOBY\becky).

17.9. Example LDIF Entries for a sambaAccount

The following is a working LDIF with the inclusion of the posixAccount objectclass:

dn: uid=guest2, ou=people,dc=plainjoe,dc=org
-ntPassword: 878D8014606CDA29677A44EFA1353FC7
-pwdMustChange: 2147483647
-primaryGroupID: 1201
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-pwdLastSet: 1010179124
-logonTime: 0
-objectClass: sambaAccount
-uid: guest2
-kickoffTime: 2147483647
-acctFlags: [UX         ]
-logoffTime: 2147483647
-rid: 19006
-pwdCanChange: 0

The following is an LDIF entry for using both the sambaAccount and -posixAccount objectclasses:

dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
-logonTime: 0
-displayName: Gerald Carter
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-primaryGroupID: 1201
-objectClass: posixAccount
-objectClass: sambaAccount
-acctFlags: [UX         ]
-userPassword: {crypt}BpM2ej8Rkzogo
-uid: gcarter
-uidNumber: 9000
-cn: Gerald Carter
-loginShell: /bin/bash
-logoffTime: 2147483647
-gidNumber: 100
-kickoffTime: 2147483647
-pwdLastSet: 1010179230
-rid: 19000
-homeDirectory: /home/tashtego/gcarter
-pwdCanChange: 0
-pwdMustChange: 2147483647
-ntPassword: 878D8014606CDA29677A44EFA1353FC7

17.10. Comments

Please mail all comments regarding this HOWTO to jerry@samba.org. This documents was -last updated to reflect the Samba 2.2.3 release.

PrevHomeNext
Stackable VFS modulesUpHOWTO Access Samba source code via CVS
\ No newline at end of file diff --git a/docs/htmldocs/samba-pdc.html b/docs/htmldocs/samba-pdc.html index 63a52129d0..7c4caf4f30 100644 --- a/docs/htmldocs/samba-pdc.html +++ b/docs/htmldocs/samba-pdc.html @@ -5,7 +5,7 @@ >Samba as a NT4 or Win2k Primary Domain Controller

5.1. Prerequisite Reading

5.1. Prerequisite Reading

Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services @@ -108,9 +108,9 @@ CLASS="SECT1" >

5.2. Background

5.2. Background

5.3. Configuring the Samba Domain Controller

5.3. Configuring the Samba Domain Controller

The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not @@ -288,21 +288,17 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#NETBIOSNAME" TARGET="_top" >netbios name = = POGOPOGO workgroup = = NARNIANARNIA ; we should act as the domain and local master browser @@ -392,11 +388,9 @@ TARGET="_top" HREF="smb.conf.5.html#WRITELIST" TARGET="_top" >write list = = ntadminntadmin ; share for storing user profiles @@ -472,10 +466,10 @@ CLASS="SECT1" >

5.4. Creating Machine Trust Accounts and Joining Clients to the -Domain

A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba @@ -546,9 +540,9 @@ CLASS="SECT2" >

5.4.1. Manual Creation of Machine Trust Accounts

5.4.1. Manual Creation of Machine Trust Accounts

The first step in manually creating a machine trust account is to manually create the corresponding Unix account in @@ -563,55 +557,45 @@ CLASS="COMMAND" used to create new Unix accounts. The following is an example for a Linux based Samba server:

root# root# /usr/sbin/useradd -g 100 -d /dev/null -c /usr/sbin/useradd -g 100 -d /dev/null -c "machine -nickname" -s /bin/false -s /bin/false machine_namemachine_name$

root# root# passwd -l passwd -l machine_namemachine_name$

On *BSD systems, this can be done using the 'chpass' utility:

root# root# chpass -a "chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name$:*:101:100::0:0:Workstation machine_namemachine_name:/dev/null:/sbin/nologin"

doppy$:x:505:501:doppy$:x:505:501:machine_nicknamemachine_nickname:/dev/null:/bin/false

Above, Above, machine_nicknamemachine_nickname can be any descriptive name for the client, i.e., BasementComputer. -machine_namemachine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize @@ -665,24 +643,20 @@ CLASS="COMMAND" > command as shown here:

root# root# smbpasswd -a -m smbpasswd -a -m machine_namemachine_name

where where machine_namemachine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.

5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client @@ -764,7 +738,7 @@ be created manually.

[global]
-   # <...remainder of parameters...>
+   # <...remainder of parameters...>
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

5.4.3. Joining the Client to the Domain

5.4.3. Joining the Client to the Domain

The procedure for joining a client to the domain varies with the version of Windows.

5.5. Common Problems and Errors

5.5. Common Problems and Errors

C:\WINNT\>C:\WINNT\> net use * /d

This problem is caused by the PDC not having a suitable machine trust account. - If you are using the add user scriptadd user script method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -1010,11 +982,9 @@ CLASS="COMMAND"

In order to work around this problem in 2.2.0, configure the - accountaccount control flag in

5.6. System Policies and Profiles

5.6. System Policies and Profiles

Much of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for @@ -1228,9 +1198,9 @@ CLASS="SECT1" >

5.7. What other help can I get?

5.7. What other help can I get?

There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come @@ -1648,9 +1618,9 @@ CLASS="SECT1" >

5.8. Domain Control for Windows 9x/ME

5.8. Domain Control for Windows 9x/ME

  • The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -1782,9 +1752,9 @@ CLASS="SECT2" >

    5.8.1. Configuration Instructions: Network Logons

    5.8.1. Configuration Instructions: Network Logons

    The main difference between a PDC and a Windows 9x logon server configuration is that

    There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether or not it is ok to configure Samba as a Domain Controller in security -modes other than USERUSER. The only security mode -which will not work due to technical reasons is SHARESHARE -mode security. DOMAIN and DOMAIN and SERVERSERVER mode security is really just a variation on SMB user level security.

    5.8.2. Configuration Instructions: Setting up Roaming User Profiles

    5.8.2. Configuration Instructions: Setting up Roaming User Profiles

    5.8.2.1. Windows NT Configuration

    5.8.2.1. Windows NT Configuration

    To support WinNT clients, in the [global] section of smb.conf set the following (for example):

    5.8.2.2. Windows 9X Configuration

    5.8.2.2. Windows 9X Configuration

    To support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies @@ -2023,9 +1993,9 @@ CLASS="SECT3" >

    5.8.2.3. Win9X and WinNT Configuration

    5.8.2.3. Win9X and WinNT Configuration

    You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:

    5.8.2.4. Windows 9X Profile Setup

    5.8.2.4. Windows 9X Profile Setup

    When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -2228,9 +2198,9 @@ CLASS="SECT3" >

    5.8.2.5. Windows NT Workstation 4.0

    5.8.2.5. Windows NT Workstation 4.0

    When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified @@ -2342,9 +2312,9 @@ CLASS="SECT3" >

    5.8.2.6. Windows NT Server

    5.8.2.6. Windows NT Server

    There is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the @@ -2356,9 +2326,9 @@ CLASS="SECT3" >

    5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

    5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    The registry files can be located on any Windows NT machine by opening a command prompt and typing:

    C:\WINNT\>C:\WINNT\> dir %SystemRoot%\System32\config

    The environment variable %SystemRoot% value can be obtained by typing:

    C:\WINNT>C:\WINNT>echo %SystemRoot%

    The active parts of the registry that you may want to be familiar with are diff --git a/docs/htmldocs/samba.7.html b/docs/htmldocs/samba.7.html index 796bce7d20..689fba7cee 100644 --- a/docs/htmldocs/samba.7.html +++ b/docs/htmldocs/samba.7.html @@ -5,7 +5,7 @@ >samba +Securing Samba

    SAMBA Project Documentation
    PrevNext

    Chapter 20. Securing Samba

    20.1. Introduction

    This note was attached to the Samba 2.2.8 release notes as it contained an +important security fix. The information contained here applies to Samba +installations in general.

    20.2. Using host based protection

    In many installations of Samba the greatest threat comes for outside +your immediate network. By default Samba will accept connections from +any host, which means that if you run an insecure version of Samba on +a host that is directly connected to the Internet you can be +especially vulnerable.

    One of the simplest fixes in this case is to use the 'hosts allow' and +'hosts deny' options in the Samba smb.conf configuration file to only +allow access to your server from a specific range of hosts. An example +might be:

      hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+  hosts deny = 0.0.0.0/0

    The above will only allow SMB connections from 'localhost' (your own +computer) and from the two private networks 192.168.2 and +192.168.3. All other connections will be refused connections as soon +as the client sends its first packet. The refusal will be marked as a +'not listening on called name' error.

    20.3. Using interface protection

    By default Samba will accept connections on any network interface that +it finds on your system. That means if you have a ISDN line or a PPP +connection to the Internet then Samba will accept connections on those +links. This may not be what you want.

    You can change this behaviour using options like the following:

      interfaces = eth* lo
+  bind interfaces only = yes

    This tells Samba to only listen for connections on interfaces with a +name starting with 'eth' such as eth0, eth1, plus on the loopback +interface called 'lo'. The name you will need to use depends on what +OS you are using, in the above I used the common name for Ethernet +adapters on Linux.

    If you use the above and someone tries to make a SMB connection to +your host over a PPP interface called 'ppp0' then they will get a TCP +connection refused reply. In that case no Samba code is run at all as +the operating system has been told not to pass connections from that +interface to any process.

    20.4. Using a firewall

    Many people use a firewall to deny access to services that they don't +want exposed outside their network. This can be a very good idea, +although I would recommend using it in conjunction with the above +methods so that you are protected even if your firewall is not active +for some reason.

    If you are setting up a firewall then you need to know what TCP and +UDP ports to allow and block. Samba uses the following:

    UDP/137    - used by nmbd
+UDP/138    - used by nmbd
+TCP/139    - used by smbd
+TCP/445    - used by smbd

    The last one is important as many older firewall setups may not be +aware of it, given that this port was only added to the protocol in +recent years.

    20.5. Using a IPC$ share deny

    If the above methods are not suitable, then you could also place a +more specific deny on the IPC$ share that is used in the recently +discovered security hole. This allows you to offer access to other +shares while denying access to IPC$ from potentially untrustworthy +hosts.

    To do that you could use:

      [ipc$]
+     hosts allow = 192.168.115.0/24 127.0.0.1
+     hosts deny = 0.0.0.0/0

    this would tell Samba that IPC$ connections are not allowed from +anywhere but the two listed places (localhost and a local +subnet). Connections to other shares would still be allowed. As the +IPC$ share is the only share that is always accessible anonymously +this provides some level of protection against attackers that do not +know a username/password for your host.

    If you use this method then clients will be given a 'access denied' +reply when they try to access the IPC$ share. That means that those +clients will not be able to browse shares, and may also be unable to +access some other resources.

    This is not recommended unless you cannot use one of the other +methods listed above for some reason.

    20.6. Upgrading Samba

    Please check regularly on http://www.samba.org/ for updates and +important announcements. Occasionally security releases are made and +it is highly recommended to upgrade Samba when a security vulnerability +is discovered.

    PrevHomeNext
    Creating Group Prolicy FilesUpAppendixes
    \ No newline at end of file diff --git a/docs/htmldocs/securitylevels.html b/docs/htmldocs/securitylevels.html index 9501fa5c6a..0904611dbe 100644 --- a/docs/htmldocs/securitylevels.html +++ b/docs/htmldocs/securitylevels.html @@ -5,7 +5,7 @@ >User and Share security level (for servers not in a domain)smb.conf

    name = name = value -

    The file is line-based - that is, each newline-terminated @@ -178,11 +174,11 @@ CLASS="FILENAME" The share is accessed via the share name "foo":

    [foo]
 	path = /home/bar
-	read only = no

    The following sample section defines a printable share. @@ -199,13 +195,13 @@ CLASS="EMPHASIS" elsewhere):

    [aprinter]
 	path = /usr/spool/public
 	read only = yes
 	printable = yes
-	guest ok = yes

    path = /data/pchome/%Spath = /data/pchome/%S

    would be useful if you have different home directories @@ -300,10 +294,10 @@ CLASS="USERINPUT" section:

    [homes]
-	read only = no

    An important point is that if guest access is specified @@ -401,12 +395,12 @@ NAME="AEN80" this:

    [printers]
 	path = /usr/spool/public
 	guest ok = yes
-	printable = yes

    All aliases given for a printer in the printcap file @@ -416,9 +410,9 @@ CLASS="COMPUTEROUTPUT" more lines like this:

    alias|alias|alias|alias...    alias|alias|alias|alias...

    Each alias should be an acceptable printer name for @@ -614,20 +608,16 @@ TARGET="_top" >Name of the domain or workgroup of the current user.

    %$(%$(envvarenvvar)

    The value of the environment variable - envarenvar.

    username    username method of passing a username.

    • abort shutdown scriptabort shutdown script

    add group scriptadd group script

    addprinter commandaddprinter command

    add share commandadd share command

    add user scriptadd user script

    add user to group scriptadd user to group script

    add machine scriptadd machine script

    delete group scriptdelete group script

    ads serverads server

    algorithmic rid basealgorithmic rid base

    allow trusted domainsallow trusted domains

    announce asannounce as

    announce versionannounce version

    auth methodsauth methods

    auto servicesauto services

    bind interfaces onlybind interfaces only

    browse listbrowse list

    change notify timeoutchange notify timeout

    change share commandchange share command

    config fileconfig file

    deadtimedeadtime

    debug hires timestampdebug hires timestamp

    debug piddebug pid

    debug timestampdebug timestamp

    debug uiddebug uid

    debugleveldebuglevel

    defaultdefault

    default servicedefault service

    deleteprinter commanddeleteprinter command

    delete share commanddelete share command

    delete user scriptdelete user script

    delete user from group scriptdelete user from group script

    dfree commanddfree command

    disable netbiosdisable netbios

    disable spoolssdisable spoolss

    display charsetdisplay charset

    dns proxydns proxy

    domain logonsdomain logons

    domain masterdomain master

    dos charsetdos charset

    encrypt passwordsencrypt passwords

    enhanced browsingenhanced browsing

    enumports commandenumports command

    getwd cachegetwd cache

    hide local usershide local users

    hide unreadablehide unreadable

    hide unwriteable fileshide unwriteable files

    hide special fileshide special files

    homedir maphomedir map

    host msdfshost msdfs

    hostname lookupshostname lookups

    hosts equivhosts equiv

    interfacesinterfaces

    keepalivekeepalive

    kernel oplockskernel oplocks

    lanman authlanman auth

    large readwritelarge readwrite

    ldap admin dnldap admin dn

    ldap filterldap filter

    ldap portldap port

    ldap serverldap server

    ldap sslldap ssl

    ldap suffixldap suffix

    ldap user suffixldap user suffix

    ldap machine suffixldap machine suffix

    ldap passwd syncldap passwd sync

    ldap trust idsldap trust ids

    lm announcelm announce

    lm intervallm interval

    load printersload printers

    local masterlocal master

    lock dirlock dir

    lock directorylock directory

    lock spin countlock spin count

    lock spin timelock spin time

    pid directorypid directory

    log filelog file

    log levellog level

    logon drivelogon drive

    logon homelogon home

    logon pathlogon path

    logon scriptlogon script

    lpq cache timelpq cache time

    machine password timeoutmachine password timeout

  • mangle prefix

    • mangled stackmangled stack

    map to guestmap to guest

    max disk sizemax disk size

    max log sizemax log size

    max muxmax mux

    max open filesmax open files

    max protocolmax protocol

    max smbd processesmax smbd processes

    max ttlmax ttl

    max wins ttlmax wins ttl

    max xmitmax xmit

    message commandmessage command

    min passwd lengthmin passwd length

    min password lengthmin password length

    min protocolmin protocol

    min wins ttlmin wins ttl

    name cache timeoutname cache timeout

    name resolve ordername resolve order

    netbios aliasesnetbios aliases

    netbios namenetbios name

    netbios scopenetbios scope

    nis homedirnis homedir

    ntlm authntlm auth

    non unix account rangenon unix account range

    nt pipe supportnt pipe support

    nt status supportnt status support

    null passwordsnull passwords

    obey pam restrictionsobey pam restrictions

    oplock break wait timeoplock break wait time

    os levelos level

    os2 driver mapos2 driver map

    pam password changepam password change

    panic actionpanic action

    paranoid server securityparanoid server security

    passdb backendpassdb backend

    passwd chatpasswd chat

    passwd chat debugpasswd chat debug

    passwd programpasswd program

    password levelpassword level

    password serverpassword server

    prefered masterprefered master

    preferred masterpreferred master

    preloadpreload

    printcapprintcap

    printcap name

  • printer driver fileprintcap name

    • private dirprivate dir

    protocolprotocol

    read bmpxread bmpx

    read rawread raw

    read sizeread size

    realmrealm

    remote announceremote announce

    remote browse syncremote browse sync

    restrict anonymousrestrict anonymous

    rootroot

    root dirroot dir

    root directoryroot directory

    securitysecurity

    server stringserver string

    show add printer wizardshow add printer wizard

    shutdown scriptshutdown script

    smb passwd filesmb passwd file

    smb portssmb ports

    socket addresssocket address

    socket optionssocket options

    source environmentsource environment

    use spnegouse spnego

    stat cachestat cache

    stat cache sizestat cache size

    strip dotstrip dot

    syslogsyslog

    syslog onlysyslog only

    template homedirtemplate homedir

    template shelltemplate shell

    time offsettime offset

    time servertime server

    timestamp logstimestamp logs

    total print jobstotal print jobs

    unicodeunicode

    unix charsetunix charset

    unix extensionsunix extensions

    unix password syncunix password sync

    update encryptedupdate encrypted

    use mmap

  • use rhostsuse mmap

    • use sendfileuse sendfile

    username levelusername level

    username mapusername map

    utmputmp

    utmp directoryutmp directory

    wtmp directorywtmp directory

    winbind cache timewinbind cache time

    winbind enum userswinbind enum users

    winbind enum groupswinbind enum groups

    winbind gidwinbind gid

    winbind separatorwinbind separator

    winbind uidwinbind uid

    winbind use default domainwinbind use default domain

    wins hookwins hook

    wins partnerswins partners

    wins proxywins proxy

    wins serverwins server

    wins supportwins support

    workgroupworkgroup

    write rawwrite raw

    COMPLETE LIST OF SERVICE PARAMETERS

    admin usersadmin users

    allow hostsallow hosts

    availableavailable

    blocking locksblocking locks

    block sizeblock size

    browsablebrowsable

    browseablebrowseable

    case sensitivecase sensitive

    casesignamescasesignames

    commentcomment

    copycopy

    create maskcreate mask

    create modecreate mode

    csc policycsc policy

    default casedefault case

    default devmodedefault devmode

    delete readonlydelete readonly

    delete veto filesdelete veto files

    deny hostsdeny hosts

    directorydirectory

    directory maskdirectory mask

    directory modedirectory mode

    directory security maskdirectory security mask

    dont descenddont descend

    dos filemodedos filemode

    dos filetime resolutiondos filetime resolution

    dos filetimesdos filetimes

    execexec

    fake directory create timesfake directory create times

    fake oplocksfake oplocks

    follow symlinksfollow symlinks

    force create modeforce create mode

    force directory modeforce directory mode

    force directory security modeforce directory security mode

    force groupforce group

    force security modeforce security mode

    force userforce user

    fstypefstype

    groupgroup

    guest accountguest account

    guest okguest ok

    guest onlyguest only

    hide dot fileshide dot files

    hide fileshide files

    hosts allowhosts allow

    hosts denyhosts deny

    includeinclude

    inherit aclsinherit acls

    inherit permissionsinherit permissions

    invalid usersinvalid users

    level2 oplockslevel2 oplocks

    lockinglocking

    lppause commandlppause command

    lpq commandlpq command

    lpresume commandlpresume command

    lprm commandlprm command

    magic outputmagic output

    magic scriptmagic script

    mangle casemangle case

    mangled mapmangled map

    mangled namesmangled names

    mangling charmangling char

    mangling methodmangling method

    map archivemap archive

    map hiddenmap hidden

    map systemmap system

    max connectionsmax connections

    max print jobsmax print jobs

    min print spacemin print space

    msdfs proxymsdfs proxy

    msdfs rootmsdfs root

    nt acl supportnt acl support

    only guestonly guest

    only useronly user

    oplock contention limitoplock contention limit

    oplocksoplocks

    pathpath

    posix lockingposix locking

    postexec

  • postscriptpostexec

    • preexecpreexec

    preexec closepreexec close

    preserve casepreserve case

    print commandprint command

    print okprint ok

    printableprintable

    printerprinter

    printer admin

  • printer driver

  • printer driver locationprinter admin

    • printer nameprinter name

    printingprinting

    publicpublic

    queuepause commandqueuepause command

    queueresume commandqueueresume command

    read listread list

    read onlyread only

    root postexecroot postexec

    root preexecroot preexec

    root preexec closeroot preexec close

    security masksecurity mask

    set directoryset directory

    share modesshare modes

    short preserve caseshort preserve case

    strict allocatestrict allocate

    strict lockingstrict locking

    strict syncstrict sync

    sync alwayssync always

    use client driveruse client driver

    useruser

    usernameusername

    usersusers

    valid usersvalid users

    veto filesveto files

    veto oplock filesveto oplock files

    vfs pathvfs path

    vfs objectvfs object

    vfs optionsvfs options

    volumevolume

    wide linkswide links

    writablewritable

    write cache sizewrite cache size

    write listwrite list

    write okwrite ok

    writeablewriteable

    EXPLANATION OF EACH PARAMETER

    that should stop a shutdown procedure issued by the shutdown scriptshutdown script.

    For a Samba host this means that the printer must be - physically added to the underlying printing system. The add - printer command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition @@ -4788,11 +4102,9 @@ CLASS="REFENTRYTITLE" >(8).

    The The addprinter commandaddprinter command is automatically invoked with the following parameter (in order):

    • printer nameprinter name

    • share nameshare name

    • port nameport name

    • driver namedriver name

    • locationlocation

    • Windows 9x driver locationWindows 9x driver location

      • Once the Once the addprinter commandaddprinter command has been executed, will return an ACCESS_DENIED error to the client.

      The "add printer command" program can output a single line of text, + which Samba will set as the port the new printer is connected to. + If this line isn't output, Samba won't reload its printer shares. +

      See also deleteprinter command deleteprinter command, printingprinting, show add - printer wizard

      Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The - add share commandadd share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully - execute the add share commandadd share command, smbdsmbd will automatically invoke the - add share commandadd share command with four parameters.

      • configFileconfigFile - the location of the global

      • shareNameshareName - the name of the new share.

      • pathNamepathName - path to an **existing** directory on disk.

      • commentcomment - comment string to associate with the new share.

        This parameter is only used for add file shares. To add printer shares, see the addprinter - command.

        See also change share - command, delete share - command.

        Default: add machine script = <empty string> +>add machine script = <empty string>

        NOT be set to be set to security = sharesecurity = share - and add user scriptadd user script must be set to a full pathname for a script that will create a UNIX - user given one argument of %u%u, which expands into the UNIX user name to create.

        smbd(8) contacts the contacts the password serverpassword server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the - Windows user into. If this lookup fails, and add user script - is set then smbdAS ROOT, expanding - any %u%u argument to be the user name to create.

        If this script successfully creates the user then

        See also security security, password serverpassword server, delete user - script.

        Default: add user script = <empty string> +>add user script = <empty string>

        (8) when a new group is requested. It will expand any - %g%g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is @@ -5370,17 +4627,13 @@ CLASS="EMPHASIS" >AS ROOT. - Any %g%g will be replaced with the group name and - any %u%u will be replaced with the user name.

        Synonym for hosts allowhosts allow.

        This option only takes effect when the securitysecurity option is set to - server or server or domaindomain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which

        This is a synonym for the preloadpreload.

        will use when authenticating a user. This option defaults to sensible values based on security security. @@ -5590,7 +4835,7 @@ CLASS="PARAMETER" >

        Default: auth methods = <empty string>auth methods = <empty string>

        Example:

        This parameter lets you "turn off" a service. If - available = noavailable = no, then nmbd will service - name requests on all of these sockets. If bind interfaces - only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the - interfaces in the interfacesinterfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the - interfacesinterfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for

        If If bind interfaces onlybind interfaces only is set then unless the network address 127.0.0.1 is added - to the interfacesinterfaces parameter list address as an SMB client to issue the password change request. If - bind interfaces onlybind interfaces only is set then unless the network address 127.0.0.1 is added to the - interfacesinterfaces parameter list then smbpasswdsmbpasswd(8) -r -r remote machineremote machine - parameter, with remote machineremote machine set to the IP name of the primary interface of the local host.

        If this parameter is set to If this parameter is set to nono, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range @@ -5937,11 +5160,9 @@ NAME="BROWSABLE" >

        See the browseable browseable.

        NetServerEnum call. Normally - set to yesyes. You should never need to change this.

        smbd(8) daemon only performs such a scan - on each requested directory once every change notify - timeout seconds.

        Default:

        Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The - change share commandchange share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully - execute the change share commandchange share command, smbdsmbd will automatically invoke the - change share commandchange share command with four parameters.

        • configFileconfigFile - the location of the global

        • shareNameshareName - the name of the new share.

        • pathNamepathName - path to an **existing** directory on disk.

        • commentcomment - comment string to associate with the new share.

          See also add share - command, delete - share command.

          If you want to set the string that is displayed next to the machine name then see the server string server string parameter.

          A synonym for this parameter is create modecreate mode .

          Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create modeforce create mode parameter which is set to 000 by default.

          This parameter does not affect directory modes. See the parameter directory mode - for details.

          See also the force - create mode parameter for forcing particular mode bits to be set on created files. See also the directory modedirectory mode parameter for masking mode bits on created directories. See also the inherit permissionsinherit permissions parameter.

          security masksecurity mask.

          This is a synonym for create mask create mask.

          Note that the parameter debug timestamp debug timestamp must be on for this to have an effect.

          Note that the parameter debug timestamp debug timestamp must be on for this to have an effect.

          Samba debug log messages are timestamped by default. If you are running at a high debug leveldebug level these timestamps can be distracting. This boolean parameter allows timestamping @@ -6591,11 +5768,9 @@ NAME="DEBUGUID" >

          Note that the parameter debug timestamp debug timestamp must be on for this to have an effect.

          Synonym for log level log level.

          A synonym for default service default service.

          NAME MANGLING. Also note the short preserve caseshort preserve case parameter.

          Typically the default service would be a guest okguest ok, read-onlyread-only service.

          Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it - allows you to use macros like %S%S to make a wildcard service.

          smbd(8) when a group is requested to be deleted. - It will expand any %g%g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

          For a Samba host this means that the printer must be - physically deleted from underlying printing system. The deleteprinter command deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from .

          The The deleteprinter commanddeleteprinter command is - automatically called with only one parameter: "printer name" "printer name".

          Once the Once the deleteprinter commanddeleteprinter command has been executed,

          See also addprinter command addprinter command, printingprinting, show add - printer wizard

          Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The - delete share commanddelete share command is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully - execute the delete share commanddelete share command, smbdsmbd will automatically invoke the - delete share commanddelete share command with two parameters.

          • configFileconfigFile - the location of the global

          • shareNameshareName - the name of the existing service.

            This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter - command.

            See also add share - command, change - share command.

            Default: delete user script = <empty string> +>delete user script = <empty string>

            AS ROOT. - Any %g%g will be replaced with the group name and - any %u%u will be replaced with the user name.

            veto filesveto files - option). If this option is set to nono (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

            If this option is set to If this option is set to yesyes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file @@ -7184,12 +6309,10 @@ CLASS="COMMAND" >

            See also the veto - files parameter.

            Synonym for hosts - deny.

            >dfree command (G)

            The The dfree commanddfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, @@ -7306,12 +6425,10 @@ NAME="DIRECTORY" >

            Synonym for path - .

            Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode - parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

            directory security maskdirectory security mask.

            See the force - directory mode parameter to cause particular mode bits to always be set on created directories.

            See also the create mode - parameter for masking mode bits on created files, and the directory - security mask parameter.

            Also refer to the inherit permissions inherit permissions parameter.

            Synonym for directory mask directory mask

            0777            0777.

            See also the force directory security mode force directory security mode, security masksecurity mask, force security mode - parameters.

            See also the parameter wins support wins support.

            >domain logons (G)

            If set to If set to yesyes, the Samba server will serve Windows 95/98 Domain logons for the workgroupworkgroup it is in. Samba 2.2 has limited capability to act as a domain controller for Windows @@ -7698,18 +6791,14 @@ CLASS="COMMAND" claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroupworkgroup. Local master browsers - in the same workgroupworkgroup on broadcast-isolated subnets will give this

            Note that Windows NT Primary Domain Controllers expect to be - able to claim this workgroupworkgroup specific special NetBIOS name that identifies them as domain master browsers for - that workgroupworkgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims - the special name for a workgroupworkgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.

            domain logons = yes , then the default behavior is to enable the , then the default behavior is to enable the domain - master parameter. If parameter. If domain logonsdomain logons is - not enabled (the default setting), then neither will domain - master be enabled by default.

            Default: smbd is acting - on behalf of is not the file owner. Setting this option to yes yes allows DOS semantics and "Samba Printer Port""Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than - the default "Samba Printer Port""Samba Printer Port", you - can define enumports commandenumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response @@ -8082,11 +7157,9 @@ NAME="EXEC" >

            This is a synonym for preexecpreexec.

            It is generally much better to use the real oplocksoplocks support rather than this parameter.

            (8) from following symbolic links in a particular share. Setting this - parameter to nono prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a @@ -8240,33 +7311,27 @@ CLASS="EMPHASIS" the mode bits of a file that is being created or having its permissions changed. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create maskcreate mask parameter is applied.

            See also the parameter create - mask for details on masking mode bits on files.

            See also the inherit - permissions parameter.

            directory maskdirectory mask is applied.

            See also the parameter directory mask directory mask for details on masking mode bits on created directories.

            See also the inherit permissions inherit permissions parameter.

            See also the directory security mask directory security mask, security masksecurity mask, force security mode - parameters.

            If the force user - parameter is also set the group specified in - force groupforce group will override the primary group - set in force userforce user.

            See also force - user.

            See also the force directory security mode force directory security mode, directory security - mask, security mask security mask parameters.

            See also force group -

            smbd(8) when a client queries the filesystem type - for a share. The default type is NTFSNTFS for compatibility with Windows NT but this can be changed to other - strings such as Samba or Samba or FAT - if required.

            Default: wide linkswide links parameter is set to parameter is set to nono.

            Default:

            Synonym for force - group.

            This is a username which will be used for access to services which are specified as guest ok guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. @@ -8764,40 +7795,34 @@ NAME="GUESTOK" >>guest ok (S)

            If this parameter is If this parameter is yesyes for a service, then no password is required to connect to the service. Privileges will be those of the guest account guest account.

            This paramater nullifies the benifits of setting restrict - anonymous = 2

            See the section below on security security for more information about this option.

            >guest only (S)

            If this parameter is If this parameter is yesyes for a service, then only guest connections to the service are permitted. This parameter will have no effect if guest okguest ok is not set for the service.

            See the section below on security security for more information about this option.

            See also hide - dot files, veto files veto files and case sensitivecase sensitive.

            Ifnis homedir - is is yesyes, and smbd(8) is also acting - as a Win95/98 logon serverlogon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun @@ -9057,27 +8068,23 @@ CLASS="EMPHASIS" >

            See also nis homedirnis homedir , domain logonsdomain logons .

            Default: homedir map = <empty string>homedir map = <empty string>

            Example: --with-msdfs option. If set to option. If set to yesyes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

            See also the msdfs root msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, @@ -9161,12 +8166,10 @@ NAME="HOSTSALLOW" >>hosts allow (S)

            A synonym for this parameter is A synonym for this parameter is allow - hosts.

            This parameter is a comma, space, or tab delimited @@ -9193,11 +8196,9 @@ CLASS="FILENAME" >Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts denyhosts deny option.

            >hosts deny (S)

            The opposite of The opposite of hosts allowhosts allow - hosts listed here are permitted access to services unless the specific services have their own lists to override - this one. Where the lists conflict, the allowallow list takes precedence.

            This is not be confused with hosts allowhosts allow which is about hosts - access to services and is more useful for guest services. hosts equiv hosts equiv may be useful for NT clients which will not supply passwords to Samba.

            NOTE : The use of The use of hosts equiv - can be a major security hole. This is because you are trusting the PC to supply the correct username. It is very easy to get a PC to supply a false username. I recommend that the - hosts equivhosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you

            It takes the standard substitutions, except It takes the standard substitutions, except %u - , , %P and %P and %S%S.

            The permissions on new files and directories are normally governed by create mask create mask, directory maskdirectory mask, force create modeforce create mode and force - directory mode but the boolean inherit permissions parameter overrides this.

            map archivemap archive , map hiddenmap hidden and map systemmap system as usual.

            See also create mask - , directory mask directory mask, force create modeforce create mode and force directory modeforce directory mode .

            See also bind - interfaces only.

            A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database + '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group+&group means check the UNIX group database, followed by the NIS netgroup database, and - the value &+group&+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).

            The current servicename is substituted for The current servicename is substituted for %S%S. This is useful in the [homes] section.

            See also valid users - .

            The value of the parameter (an integer) represents - the number of seconds between keepalivekeepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether @@ -9765,11 +8714,9 @@ CLASS="PARAMETER" >Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see socket optionssocket options). Basically you should only use this option if you strike difficulties.

            For UNIXes that support kernel based oplocksoplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

            Kernel oplocks support allows Samba Kernel oplocks support allows Samba oplocks - to be broken whenever a local UNIX process or NFS operation accesses a file that cool feature :-).

            This parameter defaults to This parameter defaults to onon, but is translated to a no-op on systems that no not have the necessary kernel support. You should never need to touch this parameter.

            See also the oplocksoplocks and level2 oplocks - parameters.

            >ldap admin dn (G)

            The The ldap admin dnldap admin dn defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving - user account information. The ldap - admin dn is used in conjunction with the admin dn password stored in the

            This parameter specifies the RFC 2254 compliant LDAP search filter. - The default is to match the login name with the uiduid - attribute for all entries matching the sambaAccountsambaAccount objectclass. Note that this filter should only return one entry.

            Default : ldap filter = (&(uid=%u)(objectclass=sambaAccount))ldap filter = (&(uid=%u)(objectclass=sambaAccount))

            This option is used to control the tcp port number used to contact the ldap serverldap server. The default is to use the stand LDAPS port 636. @@ -10070,11 +9003,9 @@ CLASS="FILENAME" script.

            The The ldap sslldap ssl can be set to one of three values:

            • OffOff = Never use SSL when querying the directory.

            • Start_tlsStart_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.

            • OnOn = Use SSL on the ldaps port when contacting the - ldap serverldap server. Only available when the backwards-compatiblity option is specified to configure. See passdb backendpassdb backend

              • The The ldap passwd syncldap passwd sync can be set to one of three values:

              • YesYes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

              • NoNo = Update NT and LM passwords and update the pwdLastSet time.

              • OnlyOnly = Only update the LDAP password and let the LDAP server do the rest.

              Currently, if kernel - oplocks are supported then level2 oplocks are - not granted (even if this parameter is set to yesyes). Note also, the oplocksoplocks parameter must be set to parameter must be set to yesyes on this share in order for this parameter to have any effect.

              See also the oplocksoplocks and kernel oplockskernel oplocks parameters.

              will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three - values, yes, yes, nono, or - auto. The default is auto. The default is autoauto. - If set to nono Samba will never produce these - broadcasts. If set to yesyes Samba will produce Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set to lm interval. If set to autoauto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter - lm intervallm interval.

              See also lm interval - .

              If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announcelm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announcelm announce parameter.

              See also lm - announce.

              nmbd(8) to try and become a local master browser - on a subnet. If set to nono then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By - default this value is set to yes. Setting this value to yes. Setting this value to yesyes doesn't mean that Samba will in elections for local master browser.

              Setting this value to Setting this value to nono will cause nmbd

              Synonym for lock directory lock directory.

              max connectionsmax connections option.

              lock spin - count for more details.

              may not need locking (such as - CDROM drives), although setting this parameter of nono is not really recommended even in this case.

              This parameter specifies the local path to which the home directory will be connected (see logon homelogon home) and is only used by NT Workstations.

              C:\> C:\> NET USE H: /HOMENET USE H: /HOME

              Note that in prior versions of Samba, the logon pathlogon path was returned rather than - logon homelogon home. This broke net use @@ -10902,11 +9781,9 @@ NAME="LOGONPATH" nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the logon homelogon home parameter.

              The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a pathpath of

              If a If a %p%p is given then the printer name - is put in its place. A %j%j is replaced with - the job number (an integer). On HPUX (see printing=hpux - ), if the ), if the -p%p-p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will @@ -11097,25 +9964,21 @@ CLASS="PARAMETER" >

              See also the printing - parameter.

              Default: Currently no default value is given to - this string, unless the value of the printingprinting - parameter is SYSVSYSV, in which case the default is :

              lp -i %p-%j -H hold

              or if the value of the or if the value of the printingprinting parameter - is SOFTQSOFTQ, then the default is:

              See also the printing - parameter.

              Currently nine styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected - using the printing =printing = option.

              Some clients (notably Windows for Workgroups) may not @@ -11244,43 +10101,35 @@ CLASS="PARAMETER" server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.

              If a If a %p%p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

              Note that it is good practice to include the absolute path - in the lpq command as the lpq command as the $PATH - may not be available to the server. When compiled with - the CUPS libraries, no lpq commandlpq command is needed because smbd will make a library call to obtain the print queue listing.

              See also the printing - parameter.

              depends on the setting of depends on the setting of printing printing

              lppause command - parameter.

              If a If a %p%p is given then the printer name - is put in its place. A %j%j is replaced with the job number (an integer).

              Note that it is good practice to include the absolute path - in the lpresume commandlpresume command as the PATH may not be available to the server.

              See also the printing - parameter.

              Default: Currently no default value is given - to this string, unless the value of the printingprinting - parameter is SYSVSYSV, in which case the default is :

              lp -i %p-%j -H resume

              or if the value of the or if the value of the printingprinting parameter - is SOFTQSOFTQ, then the default is:

              This command should be a program or script which takes a printer name and job number, and deletes the print job.

              If a If a %p%p is given then the printer name - is put in its place. A %j%j is replaced with the job number (an integer).

              Note that it is good practice to include the absolute - path in the lprm commandlprm command as the PATH may not be available to the server.

              See also the printing - parameter.

              depends on the setting of depends on the setting of printing -

              magic scriptmagic script parameter below).

              Warning: If two clients use the same Warning: If two clients use the same magic script - in the same directory the output file content is undefined.

              Default: magic output = <magic script name>.out +>magic output = <magic script name>.out

              If the script generates output, output will be sent to the file specified by the magic output magic output parameter (see above).

              Note that the character to use may be specified using the mangling charmangling char option, if you don't like '~'.

              Note that this requires the Note that this requires the create maskcreate mask parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter create maskcreate mask for details.

              This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

              Note that this requires the Note that this requires the create maskcreate mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create maskcreate mask for details.

              This controls whether DOS style system files should be mapped to the UNIX group execute bit.

              Note that this requires the Note that this requires the create maskcreate mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter create maskcreate mask for details.

              This parameter is only useful in security modes other than modes other than security = sharesecurity = share - - i.e. user, user, serverserver, - and domaindomain.

              This parameter can take three different values, which tell @@ -12040,36 +10841,34 @@ CLASS="REFENTRYTITLE" >

              Note that this parameter is needed to set up "Guest" - share services when using securitysecurity modes other than share. This is because in these modes the name of the resource being requested is

              For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the GUEST_SESSSETUP GUEST_SESSSETUP value in local.h.

              Default:

              This option allows the number of simultaneous - connections to a service to be limited. If max connections - is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.

              Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the lock directorylock directory option.

              max - disk size              .

              This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1GB in size.

              A A max disk sizemax disk size of 0 means no limit.

              Default: will remote "Out of Space" to the client. See all total - print jobs.

              • CORECORE: Earliest version. No concept of user names.

              • COREPLUSCOREPLUS: Slight improvements on CORE for efficiency.

              • LANMAN1LANMAN1: First

              • LANMAN2LANMAN2: Updates to Lanman1 protocol.

              • NT1NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.

                • See also min - protocol

                (8) when acting as a WINS server ( wins support = yeswins support = yes) what the maximum 'time to live' of NetBIOS names that

                See also the min - wins ttl parameter.

                message command = csh -c 'xedit %s;rm %s' &message command = csh -c 'xedit %s;rm %s' &

                . That's why I - have the '&' on the end. If it doesn't return immediately then + have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).

                All messages are delivered as the global guest user. - The command takes the standard substitutions, although %u won't work ( %u won't work (%U%U may be better in this case).

                • %s%s = the filename containing the message.

                • %t%t = the destination that the message was sent to (probably the server name).

                • %f%f = who the message is from.

                  • message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s

                  If you don't have a message command then the message @@ -12673,7 +11442,7 @@ CLASS="EMPHASIS" >Example: message command = csh -c 'xedit %s; - rm %s' &

              Synonym for min password lengthmin password length.

              See also unix - password sync, passwd programpasswd program and passwd chat debugpasswd chat debug .

              See also the printing - parameter.

              max protocolmax protocol parameter for a list of valid protocol names and a brief description @@ -12802,12 +11559,10 @@ CLASS="FILENAME" >If you are viewing this parameter as a security measure, you should also refer to the lanman - auth parameter. Otherwise, you should never need to change this parameter.

              when acting as a WINS server ( wins support = yes wins support = yes) what the minimum 'time to live' of NetBIOS names that Only Dfs roots can act as proxy shares. Take a look at the msdfs rootmsdfs root and host msdfshost msdfs options to find out how to set up a Dfs root share.

              --with-msdfs               option. If set to option. If set to yesyes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. @@ -12930,12 +11679,10 @@ TARGET="_top" >

              See also host msdfs -

              • lmhostslmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the

              • hosthost : Do a standard host name to IP address resolution, using the system

              • winswins : Query a name with the IP address listed in the wins server wins server parameter. If no WINS server has been specified this method will be ignored.

              • bcastbcast : Do a broadcast on each of the known local interfaces listed in the interfacesinterfaces parameter. This is the least reliable of the name resolution @@ -13092,12 +11835,10 @@ TARGET="_top" >

                See also netbios - name.

                See also netbios - aliases.

                homedir maphomedir map and return the server listed there.

                Default: non unix account range = <empty string> +>non unix account range = <empty string>

                smbd(8) will allow Windows NT - clients to connect to the NT SMB specific IPC$IPC$ pipes. This is a developer debugging option and can be left alone.

                will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. - If this option is set to nono then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.

                encrypt passwords = yesencrypt passwords = yes . The reason is that PAM modules cannot support the challenge/response @@ -13376,20 +12111,16 @@ NAME="ONLYUSER" >

                This is a boolean option that controls whether - connections with usernames not in the useruser list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login - names from the useruser list and is only really useful in user = %S which means your which means your useruser list will be just the service name, which for home directories is the name of the user.

                See also the useruser parameter.

                A synonym for guest only guest only.

                Oplocks may be selectively turned off on certain files with a share. See the veto oplock files veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the - kernel oplockskernel oplocks parameter for details.

                See also the kernel - oplocks and level2 oplocks level2 oplocks parameters.

                nmbd(8) - has a chance of becoming a local master browser for the WORKGROUP WORKGROUP in the local broadcast area.

                <nt driver name> = <os2 driver - name>.<device name>

                <nt driver name> = <os2 driver + name>.<device name>

                For example, a valid entry using the HP LaserJet 5 printer driver would appear as

                Default: os2 driver map = <empty string> +>os2 driver map = <empty string>

                passwd programpasswd program. It should be possible to enable this without changing your passwd chatpasswd chat parameter for most setups. @@ -13777,7 +12488,7 @@ CLASS="REFENTRYTITLE" >

                Default: panic action = <empty string>panic action = <empty string>

                Example:

                See also non unix account rangenon unix account range

                • private dirprivate dir directory.

                private dirprivate dir directory.

                See also non unix account rangenon unix account range

                See also non unix account - range

                ldap sslldap ssl) or by - specifying ldaps://ldaps:// in the URL argument.

                uses to determine what to send to the passwd programpasswd program and what to expect back. If the expected output is not @@ -14066,16 +12761,14 @@ CLASS="PARAMETER" >

                Note that this parameter only is only used if the unix - password sync parameter is set to parameter is set to yesyes. This sequence is then called

                The string can contain the macro The string can contain the macro %n%n which is substituted for the new password. The chat sequence can also contain the standard - macros \\n, \\n, \\r, \\r, \\t and \\t and \\s\\s to give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. @@ -14125,16 +12816,14 @@ CLASS="CONSTANT" >

                If the pam - password change parameter is set to parameter is set to yesyes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions. @@ -14142,36 +12831,28 @@ CLASS="CONSTANT" >

                See also unix password - sync, passwd program passwd program , passwd chat debugpasswd chat debug and pam password changepam password change.

                log with a debug leveldebug level of 100. This is a dangerous option as it will allow plaintext passwords @@ -14225,55 +12904,43 @@ CLASS="PARAMETER" CLASS="COMMAND" >smbd log. It is available to help - Samba admins debug their passwd chatpasswd chat scripts - when calling the passwd programpasswd program and should be turned off after this has been done. This option has no effect if the pam password changepam password change paramter is set. This parameter is off by default.

                See also passwd chatpasswd chat , pam password changepam password change , passwd programpasswd program .

                The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u%u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

                Note                 that if the that if the unix - password sync parameter is set to parameter is set to yes - then this program is called will fail to change the SMB password also (this is by design).

                If the If the unix password syncunix password sync parameter is set this parameter ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to is set to nono.

                See also unix - password sync.

                This parameter defines the maximum number of characters that may be upper case in passwords.

                For example, say the password given was "FRED". If For example, say the password given was "FRED". If password level password level is set to 1, the following combinations would be tried if "FRED" failed:

                "Fred", "fred", "fRed", "frEd","freD"

                If If password levelpassword level was set to 2, the following combinations would also be tried:

                The name of the password server is looked up using the parameter name - resolve order and so may resolved by any method and order described in that parameter.

                The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow!

                If the If the securitysecurity parameter is set to - domaindomain, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively @@ -14553,11 +13200,9 @@ CLASS="CONSTANT" CLASS="COMMAND" > security = domain is that if you list several hosts in the - password serverpassword server option then smbd @@ -14565,17 +13210,15 @@ CLASS="COMMAND" > will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

                If the If the password serverpassword server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C>WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

                If the If the securitysecurity parameter is - set to serverserver, then there are different restrictions that

              • You may list several password servers in - the password serverpassword server parameter, however if an

                See also the security - parameter.

                Default: password server = <empty string>password server = <empty string>

                Any occurrences of Any occurrences of %u%u in the path will be replaced with the UNIX username that the client is using - on this connection. Any occurrences of %m%m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting @@ -14705,11 +13338,9 @@ CLASS="PARAMETER" >

                Note that this path will be based on root dirroot dir if one was specified.

                See also preexecpreexec .

                Example: postexec = echo \"%u disconnected from %S - from %m (%I)\" >> /tmp/log

                • >postscript (S)

                This parameter forces a printer to interpret - the print files as PostScript. This is done by adding a %! - to the start of print output.

                This is most useful when you have lots of PCs that persist - in putting a control-D at the start of print jobs, which then - confuses your printer.

                Default: postscript = no

                preexec = csh -c 'echo \"Welcome to %S!\" | - /usr/local/samba/bin/smbclient -M %m -I %I' &

                Of course, this could get annoying after a while :-)

                See also preexec close - and postexec - .

                Example: preexec = echo \"%u connected to %S from %m - (%I)\" >> /tmp/log

                This boolean option controls whether a non-zero return code from preexec - should close the service being connected to.

                is a preferred master browser for its workgroup.

                If this is set to If this is set to yesyes, on startup, nmbd domain master domain master = yes, so that

                See also os levelos level .

                Synonym for preferred master preferred master for people who cannot spell :-).

                Note that if you just want all printers in your printcap file loaded then the load printersload printers option is easier.

                default case - .

                MUST contain at least - one occurrence of %s or %s or %f - - the - the %p%p is optional. At the time - a job is submitted, if no printer name is supplied the %p - will be silently removed from the printer command.

                If specified in the [global] section, the print command given @@ -15146,17 +13728,15 @@ CLASS="PARAMETER" be created but not processed and (most importantly) not removed.

                Note that printing may fail on some UNIXes from the - nobodynobody account. If this happens then create an alternative guest account that can print and set the guest accountguest account in the [global] section.

                print command = echo Printing %s >> +>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

                printingprinting parameter.

                Synonym for printableprintable.

                >printable (S)

                If this parameter is If this parameter is yesyes, then clients may open, write to and submit spool files on the directory specified for the service.

                read only - parameter controls only non-printing access to the resource.

                Synonym for printcap name printcap name.

                to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in - Samba (this includes most System V based systems). If printcap name printcap name is set to lpstat

                Default: printer admin = <empty string>printer admin = <empty string>

                >printer driver (S)

                Note :This is a deprecated - parameter and will be removed in the next major release - following version 2.2. Please see the instructions in - the Samba 2.2. Printing - HOWTO for more information - on the new method of loading printer drivers onto a Samba server. -

                This option allows you to control the string - that clients receive when they ask the server for the printer driver - associated with a printer. If you are using Windows95 or Windows NT - then you can use this to automate the setup of printers on your - system.

                You need to set this parameter to the exact string (case - sensitive) that describes the appropriate printer driver for your - system. If you don't know the exact string to use then you should - first try with no printer driver option set and the client will - give you a list of printer drivers. The appropriate strings are - shown in a scroll box after you have chosen the printer manufacturer.

                See also printer - driver file.

                Example: printer driver = HP LaserJet 4L

                >printer driver file (G)

                Note :This is a deprecated - parameter and will be removed in the next major release - following version 2.2. Please see the instructions in - the Samba 2.2. Printing - HOWTO for more information - on the new method of loading printer drivers onto a Samba server. -

                This parameter tells Samba where the printer driver - definition file, used when serving drivers to Windows 95 clients, is - to be found. If this is not set, the default is :

                SAMBA_INSTALL_DIRECTORY - /lib/printers.def

                This file is created from Windows 95 msprint.inf - files found on the Windows 95 client system. For more - details on setting up serving of printer drivers to Windows 95 - clients, see the outdated documentation file in the docs/ - directory, PRINTER_DRIVER.txt.

                See also printer driver location.

                Default: None (set in compile).

                Example: printer driver file = - /usr/local/samba/printers/drivers.def

                >printer driver location (S)

                Note :This is a deprecated - parameter and will be removed in the next major release - following version 2.2. Please see the instructions in - the Samba 2.2. Printing - HOWTO for more information - on the new method of loading printer drivers onto a Samba server. -

                This parameter tells clients of a particular printer - share where to find the printer driver files for the automatic - installation of drivers for Windows 95 machines. If Samba is set up - to serve printer drivers to Windows 95 machines, this should be set to

                \\MACHINE\PRINTER$

                Where MACHINE is the NetBIOS name of your Samba server, - and PRINTER$ is a share you set up for serving printer driver - files. For more details on setting this up see the outdated documentation - file in the docs/ directory, PRINTER_DRIVER.txt.

                See also printer driver file.

                Default: none

                Example: printer driver location = \\MACHINE\PRINTER$ -

                >printer name (S)
                none (but may be none (but may be lplp on many systems)

                Synonym for printer name printer name.

                This parameters controls how printer status information is interpreted on your system. It also affects the - default values for the print commandprint command, - lpq command, lpq command, lppause command - , , lpresume commandlpresume command, and - lprm commandlprm command if specified in the [global] section.

                Currently nine printing styles are supported. They are - BSD, BSD, AIXAIX, - LPRNG, LPRNG, PLPPLP, - SYSV, SYSV, HPUXHPUX, - QNX, QNX, SOFTQSOFTQ, - and CUPSCUPS.

                To see what the defaults are for the other print @@ -15810,11 +14160,9 @@ NAME="PROTOCOL" >

                Synonym for max protocolmax protocol.

                Synonym for guest - ok.

                If a If a %p%p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

                depends on the setting of depends on the setting of printing -

                queuepause command queuepause command).

                If a If a %p%p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

                depends on the setting of printingprintingsmbd(8) will support the "Read Block Multiplex" SMB. This is now rarely used and defaults to - nono. You should never need to set this parameter.

                read onlyread only option is set to. The list can include group names using the syntax described in the invalid users invalid users parameter.

                See also the write list write list parameter and the invalid usersinvalid users parameter.

                Default: read list = <empty string>read list = <empty string>

                Example:

                An inverted synonym is writeablewriteable.

                If this parameter is If this parameter is yesyes, then users of a service may not create or modify files in the service's directory.

                In general this parameter should be viewed as a system tuning tool and left severely alone. See also write rawwrite raw.

                >read size (G)

              The option The option read sizeread size affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in several of the SMB @@ -16210,11 +14532,9 @@ CLASS="COMMAND" If you leave out the workgroup name then the one given in the workgroupworkgroup parameter is used instead.

              Default: remote announce = <empty string> +>remote announce = <empty string>

              Default: remote browse sync = <empty string> +>remote browse sync = <empty string>

              This is a integer parameter, and mirrors as much as possible the functinality the - RestrictAnonymousRestrictAnonymous registry key does on NT/Win2k.

              Synonym for root directory"root directory".

              Synonym for root directory"root directory".

              wide linkswide links parameter).

              Adding a Adding a root directoryroot directory entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the - sub-tree specified in the root directoryroot directory option, some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files - into the root directoryroot directory tree. In particular you will need to mirror >root postexec (S)

            This is the same as the This is the same as the postexecpostexec parameter except that the command is run as root. This is useful for unmounting filesystems @@ -16436,17 +14742,15 @@ CLASS="PARAMETER" >

            See also postexec postexec.

            Default: root postexec = <empty string> +>root postexec = <empty string>

            >root preexec (S)

            This is the same as the This is the same as the preexecpreexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a @@ -16469,25 +14771,21 @@ CLASS="PARAMETER" >

            See also preexec preexec and preexec closepreexec close.

            Default: root preexec = <empty string> +>root preexec = <empty string>

            >root preexec close (S)

            This is the same as the This is the same as the preexec close - parameter except that the command is run as root.

            See also preexec preexec and preexec closepreexec close.

            , see the map to guestmap to guest parameter for details.

            where it is offers both user and share level security under different NetBIOS aliasesNetBIOS aliases.

            If the guest - only parameter is set, then all the other stages are missed and only the guest accountguest account username is checked.

            Is a username is sent with the share connection request, then this username (after mapping - see username mapusername map), is added as a potential username.

            Any users on the user user list are added as potential usernames.

          If the If the guest onlyguest only parameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the UNIX user.

          If the If the guest onlyguest only parameter is set, or no username can be determined then if the share is marked - as available to the guest accountguest account, then this guest user will be used, otherwise access is denied.

          username mapusername map parameter). Encrypted passwords (see the encrypted passwordsencrypted passwords parameter) can also be used in this security mode. Parameters such as useruser and guest onlyguest only if set are then applied and may change the UNIX user to use on this connection, but only after @@ -16880,20 +15146,16 @@ CLASS="EMPHASIS" guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest accountguest account. See the map to guestmap to guest parameter for details on doing this.

          has been used to add this machine into a Windows NT Domain. It expects the encrypted passwordsencrypted passwords parameter to be set to parameter to be set to yesyes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly @@ -16985,20 +15245,16 @@ CLASS="EMPHASIS" guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest accountguest account. See the map to guestmap to guest parameter for details on doing this.

          See also the password - server parameter and the encrypted passwordsencrypted passwords parameter.

          . It expects the encrypted passwordsencrypted passwords parameter to be set to - yesyes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot @@ -17130,20 +15380,16 @@ CLASS="EMPHASIS" guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest accountguest account. See the map to guestmap to guest parameter for details on doing this.

          See also the password - server parameter and the encrypted passwordsencrypted passwords parameter.

          0777          0777.

          See also the force directory security modeforce directory security mode, directory - security mask, force security modeforce security mode parameters.

          It also sets what will appear in browse lists next to the machine name.

          A A %v%v will be replaced with the Samba version number.

          A A %h%h will be replaced with the hostname.

          This enables or disables the honoring of - the share modesshare modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

          The share modes that are enabled by this option are - DENY_DOS, DENY_DOS, DENY_ALLDENY_ALL, - DENY_READ, DENY_READ, DENY_WRITEDENY_WRITE, - DENY_NONE and DENY_NONE and DENY_FCBDENY_FCB.

          default case - . This option can be use with printer adminprinter admin group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed.

          Disabling the Disabling the show add printer wizardshow add printer wizard parameter will always cause the OpenPrinterEx() on the server to fail. Thus the APW icon will never be displayed.

          See also addprinter - command, deleteprinter commanddeleteprinter command, printer adminprinter admin

          %m %t %r %f parameters are expanded

          %m%m will be substituted with the shutdown message sent to the server.

          %t%t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.

          %r%r will be substituted with the switch

          %f%f will be substituted with the switch Shutdown does not return so we need to launch it in background.

          See also abort shutdown scriptabort shutdown script.

          This parameter determines the number of - entries in the stat cachestat cache. You should never need to change this parameter.

          This is a boolean that controls the handling of - disk space allocation in the server. When this is set to yesyes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour @@ -17947,15 +16153,15 @@ CLASS="CONSTANT" terminology this means that Samba will stop creating sparse files. This can be slow on some systems.

          When strict allocate is When strict allocate is nono the server does sparse disk block allocation when a file is extended.

          Setting this to Setting this to yesyes can help Samba return out of quota messages on systems that are restricting the disk quota of users.

          This is a boolean that controls the handling of - file locking in the server. When this is set to yesyes the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems.

          When strict locking is When strict locking is nono the server does file lock checks only when the client explicitly asks for them.

          nono (the default) means that

          See also the sync - always> parameter.

          This is a boolean parameter that controls whether writes will always be written to stable storage before - the write call returns. If this is nono then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). - If this is yesyes then every write will be followed by a fsync() call to ensure the data is written to disk. Note that - the strict syncstrict sync parameter must be set to - yesyes in order for this parameter to have any affect.

          See also the strict - sync parameter.

          This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERRLOG_ERR, debug - level one maps onto LOG_WARNINGLOG_WARNING, debug level - two maps onto LOG_NOTICELOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG LOG_DEBUG.

          This parameter sets the threshold for sending messages @@ -18176,18 +16376,14 @@ TARGET="_top" >winbindd(8) daemon uses this parameter to fill in the home directory for that user. - If the string %D%D is present it is substituted - with the user's Windows NT domain name. If the string %U - is present it is substituted with the user's Windows NT user name.

          Synonym for debug timestamp debug timestamp.

          max print jobsmax print jobs.

          This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. - If this is set to yes the program specified in the yes the program specified in the passwd - programparameter is called

          See also passwd - program, passwd chat passwd chat.

          nono.

          In order for this parameter to work correctly the encrypt passwordsencrypt passwords parameter must be set to parameter must be set to nono when - this parameter is set to yesyes.

          Note that even when this parameter is set a user @@ -18551,9 +16735,9 @@ NAME="USEMMAP" >This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a - coherent cache, and so this parameter is set to nono by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with @@ -18567,51 +16751,6 @@ CLASS="COMMAND" >

          >use rhosts (G)

          If this global parameter is yes, it specifies - that the UNIX user's .rhosts file in their home directory - will be read to find the names of hosts and users who will be allowed - access without specifying a password.

          NOTE: The use of use rhosts - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the use rhosts option be only used if you really know what - you are doing.

          Default: use rhosts = no

          >user (S)

          Synonym for username username.

          Synonym for username username.

          The The usernameusername line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.

          The The usernameusername line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the - usernameusername line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter @@ -18695,12 +16824,10 @@ CLASS="PARAMETER" >To restrict a service to a particular set of users you can use the valid users - parameter.

          If any of the usernames begin with a '&' then the name +>If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.

          Default: The guest account if a guest service, - else <empty string>.

          Examples:AstrangeUser - .

          Default:

          For example to map from the name For example to map from the name adminadmin - or administrator to the UNIX name administrator to the UNIX name root root you would use:

          root = admin administrator

          Or to map anyone in the UNIX group Or to map anyone in the UNIX group systemsystem - to the UNIX name syssys you would use:

          Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and fred is remapped to fred is remapped to marymary then you will actually be connecting to \\server\mary and will need to - supply a password suitable for marymary not - fredfred. The only exception to this is the username passed to the password server password server (if you have one). The password server will receive whatever username the client supplies without @@ -18931,9 +17056,9 @@ NAME="USESENDFILE" >>use sendfile (S)

          If this parameter is If this parameter is yesyes, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX @@ -18959,9 +17084,9 @@ NAME="UTMP" Samba has been configured and compiled with the option --with-utmp. If set to . If set to yesyes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the @@ -18975,11 +17100,9 @@ CLASS="CONSTANT" >

          See also the utmp directory utmp directory parameter.

          utmputmp parameter. By default this is not set, meaning the system will use whatever utmp file the @@ -19049,11 +17170,9 @@ CLASS="COMMAND" See also the utmputmp parameter. By default this is not set, meaning the system will use whatever utmp file the @@ -19084,40 +17203,32 @@ NAME="VALIDUSERS" >

          This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' + to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the - invalid usersinvalid users parameter.

          If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user.

          The current servicename is substituted for The current servicename is substituted for %S - . This is useful in the [homes] section.

          See also invalid users -

          include the unix directory separator '/'.

          Note that the Note that the case sensitivecase sensitive option is applicable in vetoing files.

          fail unless you also set - the delete veto filesdelete veto files parameter to - yesyes.

          Setting this parameter will affect the performance @@ -19196,20 +17301,16 @@ CLASS="PARAMETER" >

          See also hide files - and case sensitive case sensitive.

          This parameter is only valid when the oplocksoplocks parameter is turned on for a share. It allows the Samba administrator @@ -19255,11 +17354,9 @@ CLASS="PARAMETER" match a wildcarded list, similar to the wildcarded list used in the veto filesveto files parameter.

          vfs object vfs object.

          endpwent() group of system calls. If - the winbind enum userswinbind enum users parameter is - nono, calls to the getpwentendgrent() group of system calls. If - the winbind enum groupswinbind enum groups parameter is - nono, calls to the getgrent()

          Default: winbind gid = <empty string> +>winbind gid = <empty string>

          This parameter allows an admin to define the character - used when listing a username of the form of DOMAIN - \\useruser. This parameter is only applicable when using the

          Default: winbind uid = <empty string> +>winbind uid = <empty string>

          Default: winbind use default domain = <no> +>winbind use default domain = <no>

          nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this - to yesyes for some older clients.

          Default: nmbd(8) process in Samba will act as a WINS server. You should - not set this to yesyes unless you have a multi-subnetted network and you wish a particular NEVER set this to set this to yesyes on more than one machine in your network.

          Synonym for writeable writeable for people who can't spell :-).

          read onlyread only option is set to. The list can include group names using the @@ -19968,18 +18051,16 @@ CLASS="PARAMETER" >

          See also the read list - option.

          Default: write list = <empty string> +>write list = <empty string>

          Inverted synonym for read only read only.

          Inverted synonym for read only read only.

          WARNINGS

          VERSION

          SEE ALSO

          AUTHOR

          smbcacls

          The owner of a file or directory can be changed - to the name given using the -C-C option. The name can be a sid in the form S-1-x-y-z or a name resolved against the server specified in the first argument.

          The group owner of a file or directory can - be changed to the name given using the -G-G option. The name can be a sid in the form S-1-x-y-z or a name resolved against the server specified n the first argument. @@ -198,10 +194,10 @@ NAME="AEN79" >

           
-REVISION:<revision number>
-OWNER:<sid or name>
-GROUP:<sid or name>
-ACL:<sid or name>:<type>/<flags>/<mask>

          The revision of the ACL specifies the internal Windows @@ -229,30 +225,30 @@ ACL:<sid or name>:<type>/<flags>/<mask>

          • #define SEC_ACE_FLAG_OBJECT_INHERIT 0x1#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1

          • #define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2

          • #define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4

          • #define SEC_ACE_FLAG_INHERIT_ONLY 0x8#define SEC_ACE_FLAG_INHERIT_ONLY 0x8

          smbclientsmbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L <netbios name>] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]

          {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L <netbios name>] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]

          //server/service where where server - is the NetBIOS name of the SMB/CIFS server - offering the desired service and serviceservice is the name of the service offered. Thus to connect to the service "printer" on the SMB/CIFS server "smbserver", @@ -122,11 +118,9 @@ CLASS="FILENAME"

          The server name is looked up according to either - the -R-R parameter to smbclient

          The password required to access the specified service on the specified server. If this parameter is - supplied, the -N-N option (suppress password prompt) is assumed.

          There is no default password. If no password is supplied on the command line (either by using this parameter or adding - a password to the -U-U option (see - below)) and the -N-N option is not specified, the client will prompt for a password, even if the desired service does not require one. (If no password is @@ -212,7 +200,7 @@ CLASS="REFENTRYTITLE" options.

          -R <name resolve order>
          -R <name resolve order>

          This option is used by the programs in the Samba @@ -227,9 +215,9 @@ CLASS="REFENTRYTITLE" >

          • lmhostslmhosts: Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see @@ -244,9 +232,9 @@ CLASS="REFENTRYTITLE" >

          • hosthost: Do a standard host name to IP address resolution, using the system

          • winswins: Query a name with - the IP address listed in the wins serverwins server parameter. If no WINS server has been specified this method will be ignored.

          • bcastbcast: Do a broadcast on each of the known local interfaces listed in the - interfacesinterfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally @@ -307,12 +291,10 @@ CLASS="REFENTRYTITLE" (name resolve order) will be used.

            The default order is lmhosts, host, wins, bcast and without - this parameter or any entry in the name resolve order - parameter of the to the machine FRED.

            You may also find the You may also find the -U-U and - -I-I options useful, as they allow you to control the FROM and TO parts of the message.

            See the See the message commandmessage command parameter in the -d debuglevel

            debugleveldebuglevel is an integer from 0 to 10, or the letter 'A'.

            debugleveldebuglevel is set to the letter 'A', then -l logfilename

            If specified, If specified, logfilenamelogfilename specifies a base filename into which operational data from the running client will be logged.

            -I IP-address

            IP addressIP address is the address of the server to connect to. It should be specified in standard "a.b.c.d" notation.

            Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution - mechanism described above in the name resolve ordername resolve order parameter above. Using this parameter will force the client to assume that the server is on the machine with the specified IP @@ -578,19 +544,19 @@ CLASS="PARAMETER" >

            Sets the SMB username or username and password. If %pass is not specified, The user will be prompted. The client - will first check the USERUSER environment variable, then the - LOGNAMELOGNAME variable and if either exists, the string is uppercased. Anything in these variables following a '%' sign will be treated as the password. If these environment - variables are not found, the username GUESTGUEST is used.

            smbclient will look for - a PASSWDPASSWD environment variable from which to read the password.

            -A-A for more details.

            Be cautious about including passwords in scripts or in - the PASSWDPASSWD environment variable. Also, on many systems the command line of a running process may be seen via the 

            username = <value> 
-password = <value>
-domain = <value>
            username = <value> +password = <value> +domain = <value>

            If the domain parameter is missing the current workgroup name @@ -663,12 +627,10 @@ domain = <value>smbclient -L host and a list should appear. The and a list should appear. The -I - option may be useful if your NetBIOS names don't match your TCP/IP DNS host names or if you are trying to reach a host on another network.

            • cc - Create a tar file on UNIX. Must be followed by the name of a tar file, tape device or "-" for standard output. If using standard output you must turn the log level to its lowest value -d0 to avoid corrupting your tar file. This flag is mutually exclusive with the - xx flag.

            • xx - Extract (restore) a local tar file back to a share. Unless the -D option is given, the tar files will be restored from the top level of the share. Must be followed by the name of the tar file, device or "-" for standard - input. Mutually exclusive with the cc flag. Restored files have their creation times (mtime) set to the date saved in the tar file. Directories currently do not get @@ -787,11 +741,9 @@ CLASS="PARAMETER" >

            • II - Include files and directories. Is the default behavior when filenames are specified above. Causes tar files to be included in an extract or create (and therefore @@ -800,28 +752,22 @@ CLASS="PARAMETER" >

            • XX - Exclude files and directories. Causes tar files to be excluded from an extract or create. See example below. Filename globbing works in one of two ways now. - See rr below.

            • bb - Blocksize. Must be followed by a valid (greater than zero) blocksize. Causes tar file to be written out in blocksize*TBLOCK (usually 512 byte) blocks. @@ -829,38 +775,30 @@ CLASS="PARAMETER" >

            • gg - Incremental. Only back up files that have the archive bit set. Useful only with the - cc flag.

            • qq - Quiet. Keeps tar from printing diagnostics as it works. This is the same as tarmode quiet.

            • rr - Regular expression include or exclude. Uses regular expression matching for excluding or excluding files if compiled with HAVE_REGEX_H. @@ -870,41 +808,31 @@ CLASS="PARAMETER" >

            • NN - Newer than. Must be followed by the name of a file whose date is compared against files found on the share during a create. Only files newer than the file specified are backed up to the tar file. Useful only with the - cc flag.

            • aa - Set archive bit. Causes the archive bit to be reset when a file is backed up. Useful with the - g and g and cc flags.

              • command string is a semicolon-separated list of - commands to be executed instead of prompting from stdin. -N is implied by -N is implied by -c-c.

              This is particularly useful in scripts and for printing stdin @@ -1056,9 +980,9 @@ NAME="AEN336" >Once the client is running, the user is presented with a prompt :

              smb:\> smb:\>

              The backslash ("\\") indicates the current working directory @@ -1078,7 +1002,7 @@ CLASS="PROMPT" >

              Parameters shown in square brackets (e.g., "[parameter]") are optional. If not given, the command will use suitable defaults. Parameters - shown in angle brackets (e.g., "<parameter>") are required. + shown in angle brackets (e.g., "<parameter>") are required.

              Note that all commands operating on the server are actually @@ -1096,11 +1020,9 @@ CLASS="VARIABLELIST" >? [command]

              If If commandcommand is specified, the ? command will display a brief informative message about the specified command. If no command is specified, a list of available commands will @@ -1110,11 +1032,9 @@ CLASS="REPLACEABLE" >! [shell command]

              If If shell commandshell command is specified, the ! command will execute a shell locally and run the specified shell command. If no command is specified, a local shell will be run. @@ -1169,27 +1089,23 @@ CLASS="REPLACEABLE" directory on the server will be reported.

              del <mask>
              del <mask>

              The client will request that the server attempt - to delete all files matching maskmask from the current working directory on the server.

              dir <mask>
              dir <mask>

              A list of the files matching A list of the files matching maskmask in the current working directory on the server will be retrieved from the server and displayed.

              get <remote file name> [local file name]
              get <remote file name> [local file name]

              Copy the file called lcd [directory name]

              If If directory namedirectory name is specified, the current working directory on the local machine will be changed to the directory specified. This operation will fail if for any @@ -1267,13 +1181,13 @@ CLASS="REPLACEABLE" lowercase filenames are the norm on UNIX systems.

              ls <mask>
              ls <mask>

              See the dir command above.

              mask <mask>
              mask <mask>

              This command allows the user to set up a mask @@ -1299,28 +1213,24 @@ CLASS="REPLACEABLE" mask back to "*" after using the mget or mput commands.

              md <directory name>
              md <directory name>

              See the mkdir command.

              mget <mask>
              mget <mask>

              Copy all files matching Copy all files matching maskmask from the server to the machine running the client.

              Note that Note that maskmask is interpreted differently during recursive operation and non-recursive operation - refer to the recurse and mask commands for more information. Note that all transfers in @@ -1330,30 +1240,26 @@ CLASS="COMMAND" > are binary. See also the lowercase command.

              mkdir <directory name>
              mkdir <directory name>

              Create a new directory on the server (user access privileges permitting) with the specified name.

              mput <mask>
              mput <mask>

              Copy all files matching Copy all files matching maskmask in the current working directory on the local machine to the current working directory on the server.

              Note that Note that maskmask is interpreted differently during recursive operation and non-recursive operation - refer to the recurse and mask commands for more information. Note that all transfers in

              print <file name>
              print <file name>

              Print the specified file from the local machine @@ -1372,7 +1278,7 @@ CLASS="COMMAND" >See also the printmode command.

              printmode <graphics or text>
              printmode <graphics or text>

              Set the print mode to suit either binary data @@ -1392,7 +1298,7 @@ CLASS="COMMAND"

              put <local file name> [remote file name]
              put <local file name> [remote file name]

              Copy the file called See the exit command.

              rd <directory name>
              rd <directory name>

              See the rmdir command.

              rm <mask>
              rm <mask>

              Remove all files matching Remove all files matching maskmask from the current working directory on the server.

              rmdir <directory name>
              rmdir <directory name>

              Remove the specified directory (user access privileges permitting) from the server.

              setmode <filename> <perm=[+|\-]rsha>
              setmode <filename> <perm=[+|\-]rsha>

              A version of the DOS attrib command to set @@ -1493,15 +1397,13 @@ CLASS="COMMAND"

              tar <c|x>[IXbgNa]
              tar <c|x>[IXbgNa]

              Performs a tar operation - see the Performs a tar operation - see the -T - command line option above. Behavior may be affected by the tarmode command (see below). Using g (incremental) and N (newer) will affect tarmode settings. Note that using the "-" option @@ -1509,20 +1411,18 @@ CLASS="PARAMETER"

              blocksize <blocksize>
              blocksize <blocksize>

              Blocksize. Must be followed by a valid (greater than zero) blocksize. Causes tar file to be written out in - blocksizeblocksize*TBLOCK (usually 512 byte) blocks.

              tarmode <full|inc|reset|noreset>
              tarmode <full|inc|reset|noreset>

              Changes tar's behavior with regard to archive @@ -1564,25 +1464,25 @@ NAME="AEN532" >

              ENVIRONMENT VARIABLES

              The variable The variable USERUSER may contain the username of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords.

              The variable The variable PASSWDPASSWD may contain the password of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords.

              The variable The variable LIBSMB_PROGLIBSMB_PROG may contain the path, executed with system(), which the client should connect to instead of connecting to a server. This functionality is primarily diff --git a/docs/htmldocs/smbcontrol.1.html b/docs/htmldocs/smbcontrol.1.html index 25c8e33e08..dcea1b564a 100644 --- a/docs/htmldocs/smbcontrol.1.html +++ b/docs/htmldocs/smbcontrol.1.html @@ -5,7 +5,7 @@ >smbcontroldestination

              One of One of nmbd, nmbd, smbdsmbd or a process ID.

              The The smbdsmbd destination causes the message to "broadcast" to all smbd daemons.

              The The nmbdnmbd destination causes the message to be sent to the nmbd daemon specified in the message-type

              One of: One of: close-shareclose-share, - debugdebug, - force-election, force-election, ping - , , profile, profile, debuglevel, debuglevel, profilelevelprofilelevel, - or printnotifyprintnotify.

              The The close-shareclose-share message-type sends a message to smbd which will then close the client connections to the named share. Note that this doesn't affect client connections @@ -188,25 +180,25 @@ CLASS="CONSTANT" share name for which client connections will be closed, or the "*" character which will close all currently open shares. This may be useful if you made changes to the access controls on the share. - This message can only be sent to smbdsmbd.

              The The debugdebug message-type allows the debug level to be set to the value specified by the parameter. This can be sent to any of the destinations.

              The The force-electionforce-election message-type can only be - sent to the nmbdnmbd destination. This message causes the daemon to force a new browse master election.

              The The pingping message-type sends the number of "ping" messages specified by the parameter and waits for the same number of reply "pong" messages. This can be sent to any of the destinations.

              The The profileprofile message-type sends a message to an smbd to change the profile settings based on the parameter. The parameter can be "on" to turn on profile stats @@ -233,25 +225,25 @@ CLASS="CONSTANT" disabled), and "flush" to zero the current profile stats. This can be sent to any smbd or nmbd destinations.

              The The debugleveldebuglevel message-type sends a "request debug level" message. The current debug level setting is returned by a "debuglevel" message. This can be sent to any of the destinations.

              The The profilelevelprofilelevel message-type sends a "request profile level" message. The current profile level setting is returned by a "profilelevel" message. This can be sent to any smbd or nmbd destinations.

              The The printnotifyprintnotify message-type sends a message to smbd which in turn sends a printer notify message to any Windows NT clients connected to a printer. This message-type @@ -308,9 +300,9 @@ CLASS="VARIABLELIST" event has occured. It doesn't actually cause the event to happen. - This message can only be sent to smbdsmbd.

              smbdsmbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number>] [-O <socket option>] [-s <configuration file>]

              [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number>] [-O <socket option>] [-s <configuration file>]

          -d <debug level>
          -d <debug level>

          debugleveldebuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

          log - level parameter in the file.

          -l <log directory>
          -l <log directory>

          If specified, - log directorylog directory specifies a log directory into which the "log.smbd" log file will be created for informational and debug @@ -289,11 +283,9 @@ CLASS="REPLACEABLE" its size may be controlled by the max log sizemax log size option in the

          -O <socket options>
          -O <socket options>

          See the socket optionssocket options parameter in the file for details.

          -p <port number>
          -p <port number>

          port numberport number is a positive integer value. The default value if this parameter is not specified is 139.

          -s <configuration file>
          -s <configuration file>

          The file specified contains the @@ -534,17 +522,17 @@ NAME="AEN177" CLASS="VARIABLELIST" >

          PRINTERPRINTER

          If no printer name is specified to printable services, most systems will use the value of - this variable (or lplp if this variable is not defined) as the name of the printer to use. This is not specific to the server, however.

          obey - pam restricions smbgroupedit/etc/group          ), let's call it ), let's call it domadmdomadm. 

          • root# root# smbgroupedit -vs | grep "Domain Admins"root# root# smbgroupedit \
@@ -254,9 +254,9 @@ CLASS="EMPHASIS"
 >To verify that your mapping has taken effect:
 
          root# root# smbgroupedit -vs|grep "Domain Admins"root# root# smbgroupedit -a unixgroup -tdsmbmntsmbmnt  {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>]
            {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>]
    smbmount
    username=<arg>
    username=<arg>

    specifies the username to connect as. If - this is not given, then the environment variable USER USER is used. This option can also take the form "user%password" or "user/workgroup" or "user/workgroup%password" to allow the password and workgroup to be specified as part of the username.

    password=<arg>
    password=<arg>

    specifies the SMB password. If this option is not given then the environment variable - PASSWDPASSWD is used. If it can find no password

    credentials=<filename>
    credentials=<filename>

    specifies a file that contains a username and/or password. The format of the file is: 

    username = <value>
-password = <value>
    username = <value> +password = <value>

    This is preferred over having passwords in plaintext in a @@ -181,14 +181,14 @@ CLASS="FILENAME"

    netbiosname=<arg>
    netbiosname=<arg>

    sets the source NetBIOS name. It defaults to the local hostname.

    uid=<arg>
    uid=<arg>

    sets the uid that will own all files on @@ -197,7 +197,7 @@ CLASS="FILENAME"

    gid=<arg>
    gid=<arg>

    sets the gid that will own all files on @@ -206,14 +206,14 @@ CLASS="FILENAME" gid.

    port=<arg>
    port=<arg>

    sets the remote SMB port number. The default is 139.

    fmask=<arg>
    fmask=<arg>

    sets the file mask. This determines the @@ -221,7 +221,7 @@ CLASS="FILENAME" The default is based on the current umask.

    dmask=<arg>
    dmask=<arg>

    sets the directory mask. This determines the @@ -229,7 +229,7 @@ CLASS="FILENAME" The default is based on the current umask.

    debug=<arg>
    debug=<arg>

    sets the debug level. This is useful for @@ -238,20 +238,20 @@ CLASS="FILENAME" output, possibly hiding the useful output.

    ip=<arg>
    ip=<arg>

    sets the destination host or IP address.

    workgroup=<arg>
    workgroup=<arg>

    sets the workgroup on the destination

    sockopt=<arg>
    sockopt=<arg>

    sets the TCP socket options. See the smb.conf(5) socket optionssocket options option.

    scope=<arg>
    scope=<arg>

    sets the NetBIOS scope

    mount read-write

    iocharset=<arg>
    iocharset=<arg>

    sets the charset used by the Linux side for codepage @@ -307,7 +305,7 @@ CLASS="PARAMETER"

    codepage=<arg>
    codepage=<arg>

    sets the codepage the server uses. See the iocharset @@ -316,7 +314,7 @@ CLASS="PARAMETER"

    ttl=<arg>
    ttl=<arg>

    sets how long a directory listing is cached in milliseconds @@ -341,26 +339,26 @@ NAME="AEN130" >

    ENVIRONMENT VARIABLES

    The variable The variable USERUSER may contain the username of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords. The variable can be used to set both username and password by using the format username%password.

    The variable The variable PASSWDPASSWD may contain the password of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords.

    The variable The variable PASSWD_FILEPASSWD_FILE may contain the pathname of a file to read the password from. A single line of input is read and used as the password.

    smbpasswddisabled    disabled and the user will not be able to log onto the Samba server.

    - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this - will only allow users to log on with no password if the null passwords null passwords parameter is set in the smbpasswdsmbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]

    [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]

    smbpasswd can also be used by a normal user to change their SMB password on remote machines, such as Windows NT Primary Domain - Controllers. See the (-r) and -r) and -U-U options below.

    This option specifies that the username following should be added to the local smbpasswd file, with the - new password typed (type <Enter> for the old password). This + new password typed (type <Enter> for the old password). This option is ignored if the username following already exists in the smbpasswd file and it is treated like a regular change password command. Note that the default passdb backends require @@ -181,13 +177,13 @@ CLASS="FILENAME" >

    This option specifies that the username following - should be disableddisabled in the local smbpasswd - file. This is done by writing a 'D''D' flag into the account control space in the smbpasswd file. Once this is done all attempts to authenticate via SMB using this username @@ -212,9 +208,9 @@ CLASS="REFENTRYTITLE" >

    This option specifies that the username following - should be enabledenabled in the local smbpasswd file, if the account was previously disabled. If the account was not disabled this option has no effect. Once the account is enabled then @@ -240,11 +236,9 @@ CLASS="REFENTRYTITLE" >-D debuglevel

    debugleveldebuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    This option allows a user to specify what machine they wish to change their password on. Without this parameter - smbpasswd defaults to the local host. The remote - machine name is the NetBIOS name of the SMB/CIFS server to contact to attempt the password change. This name is resolved into an IP address using the standard name resolution - mechanism in all programs of the Samba suite. See the -R - name resolve order parameter for details on changing this resolving mechanism.

    The username whose password is changed is that of the - current UNIX logged on user. See the -U username-U username parameter for details on changing the password for a different username.

    -R <name resolve order>
    -R <name resolve order>

    This option is used to determine what naming @@ -145,9 +145,9 @@ CLASS="EMPHASIS" >

    • lmhostslmhosts: Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the @@ -164,9 +164,9 @@ CLASS="REFENTRYTITLE" >

    • hosthost: Do a standard host name to IP address resolution, using the system

    • winswins: Query a name with the IP address listed in the - wins serverwins server parameter. If no WINS server has been specified this method will be ignored. @@ -203,16 +201,14 @@ CLASS="PARAMETER" >

    • bcastbcast: Do a broadcast on each of the known local interfaces - listed in the interfacesinterfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host @@ -229,20 +225,16 @@ CLASS="REFENTRYTITLE" >smb.conf(5) file parameter - (name resolve ordername resolve order) will be used.

      The default order is lmhosts, host, wins, bcast. Without - this parameter or any entry in the name resolve order - parameter of the

    -d <debug level>
    -d <debug level>

    debug level is an integer from 0 to 10.

    If specified causes all debug messages to be - written to the file specified by logfilename - . If not specified then all messages will be - written tostderrstderr.

    system% system% smbshsmbsh -Username: Username: useruser -Password: Password: XXXXXXXXXXXXXX

    ls /smb/MYGROUP/<machine-name>ls /smb/MYGROUP/<machine-name> will show the share names for that machine. You could then, for example, use the smbspool

    smbspool tries to get the URI from argv[0]. If argv[0] - contains the name of the program then it looks in the DEVICE_URI DEVICE_URI environment variable.

    Programs using the exec(2) functions can pass the URI in argv[0], while shell scripts must set the - DEVICE_URIDEVICE_URI environment variable prior to running smbspool.

    smbstatussmbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]

    [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]

    gives brief output.

    -d|--debug=<debuglevel>
    -d|--debug=<debuglevel>

    sets debugging to specified level

    causes smbstatus to only list shares.

    -s|--conf=<configuration file>
    -s|--conf=<configuration file>

    The default configuration file name is @@ -146,15 +146,13 @@ CLASS="REFENTRYTITLE" > for more information.

    -u|--user=<username>
    -u|--user=<username>

    selects information relevant to - usernameusername only.

    smbtar-d directory

    Change to initial Change to initial directory - before restoring / backing up files.

    Tape device. May be regular file or tape - device. Default: $TAPE$TAPE environmental variable; if not set, a file called

    Log (debug) level. Corresponds to the - -d-d flag of

    ENVIRONMENT VARIABLES

    The The $TAPE$TAPE variable specifies the default tape device to write to. May be overridden with the -t option.

    smbumountSamba performance issuesChapter 19. Samba performance issuesChapter 18. Samba performance issues

    19.1. Comparisons

    18.1. Comparisons

    The Samba server uses TCP to talk to the client. Thus if you are trying to see if it performs well you should really compare it to @@ -111,9 +111,9 @@ CLASS="SECT1" >

    19.2. Socket options

    18.2. Socket options

    There are a number of socket options that can greatly affect the performance of a TCP based server like Samba.

    19.3. Read size

    18.3. Read size

    The option "read size" affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in @@ -165,9 +165,9 @@ CLASS="SECT1" >

    19.4. Max xmit

    18.4. Max xmit

    At startup the client and server negotiate a "maximum transmit" size, which limits the size of nearly all SMB commands. You can set the @@ -188,9 +188,9 @@ CLASS="SECT1" >

    19.5. Log level

    18.5. Log level

    If you set the log level (also known as "debug level") higher than 2 then you may suffer a large drop in performance. This is because the @@ -202,9 +202,9 @@ CLASS="SECT1" >

    19.6. Read raw

    18.6. Read raw

    The "read raw" operation is designed to be an optimised, low-latency file read operation. A server may choose to not support it, @@ -224,9 +224,9 @@ CLASS="SECT1" >

    19.7. Write raw

    18.7. Write raw

    The "write raw" operation is designed to be an optimised, low-latency file write operation. A server may choose to not support it, @@ -241,9 +241,9 @@ CLASS="SECT1" >

    19.8. Slow Clients

    18.8. Slow Clients

    One person has reported that setting the protocol to COREPLUS rather than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).

    19.9. Slow Logins

    18.9. Slow Logins

    Slow logins are almost always due to the password checking time. Using the lowest practical "password level" will improve things a lot. You @@ -271,9 +271,9 @@ CLASS="SECT1" >

    19.10. Client tuning

    18.10. Client tuning

    Often a speed problem can be traced to the client. The client (for example Windows for Workgroups) can often be tuned for better TCP @@ -431,7 +431,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Creating Group ProfilesCreating Group Prolicy Files

    swatswat [-s <smb config file>] [-a]

    [-s <smb config file>] [-a]

    smb.conf(5) file. It will rearrange the entries and delete all - comments, include= and include= and copy= - options. If you have a carefully crafted smb.conftestparmtestparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]

    [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]

    -L servername

    Sets the value of the %L macro to Sets the value of the %L macro to servernameservername. This is useful for testing include files specified with the %L macro.

    testparm     will examine the will examine the hosts - allow and and hosts denyhosts deny parameters in the testprnsDIAGNOSTICS

    If a printer is found to be valid, the message - "Printer name <printername> is valid" will be + "Printer name <printername> is valid" will be displayed.

    If a printer is found to be invalid, the message - "Printer name <printername> is not valid" will be + "Printer name <printername> is not valid" will be displayed.

    All messages that would normally be logged during diff --git a/docs/htmldocs/type.html b/docs/htmldocs/type.html index be7e722b2e..d4db19bf43 100644 --- a/docs/htmldocs/type.html +++ b/docs/htmldocs/type.html @@ -5,7 +5,7 @@ >Type of installation

    Introduction

    5.1. Prerequisite Reading
    5.2. Background
    5.3. Configuring the Samba Domain Controller
    5.4. Creating Machine Trust Accounts and Joining Clients to the Domain
    5.4.1. Manual Creation of Machine Trust Accounts
    5.4.2. "On-the-Fly" Creation of Machine Trust Accounts
    5.4.3. Joining the Client to the Domain
    5.5. Common Problems and Errors
    5.6. System Policies and Profiles
    5.7. What other help can I get?
    5.8. Domain Control for Windows 9x/ME
    5.8.1. Configuration Instructions: Network Logons
    5.8.2. Configuration Instructions: Setting up Roaming User Profiles
    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & SambaDOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
    6.1. Prerequisite Reading
    6.2. Background
    6.3. What qualifies a Domain Controller on the network?
    6.3.1. How does a Workstation find its domain controller?
    6.3.2. When is the PDC needed?
    6.4. Can Samba be a Backup Domain Controller to an NT PDC?
    6.5. How do I set up a Samba BDC?
    6.5.1. How do I replicate the smbpasswd file?
    6.5.2. Can I do this all with LDAP?
    7.1. Installing the required packages for Debian
    7.2. Installing the required packages for RedHat
    7.3. Compile Samba
    7.4. Setup your /etc/krb5.conf
    7.5. Create the computer account
    7.5.1. Possible errors
    7.6. Test your server setup
    7.7. Testing with smbclient
    7.8. Notes
    8.1. Joining an NT Domain with Samba 3.0
    8.2. Samba and Windows 2000 Domains
    8.3. Why is this better than security = server?
    UNIX Permission Bits and Windows NT Access Control Lists

    10.1. Viewing and changing UNIX permissions using the NT - security dialogs

    New in the Samba 2.0.4 release is the ability for Windows NT clients to use their native security settings dialog box to @@ -100,9 +100,9 @@ CLASS="SECT1" >

    10.2. How to view file security on a Samba share

    10.2. How to view file security on a Samba share

    From an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted @@ -170,9 +170,9 @@ CLASS="SECT1" >

    10.3. Viewing file ownership

    10.3. Viewing file ownership

    Clicking on the "SERVER\user (Long name)"

    Where Where SERVERSERVER is the NetBIOS name of - the Samba server, useruser is the user name of - the UNIX user who owns the file, and (Long name)(Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). Click on the button to remove this dialog.

    If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then the file owner will be shown as the NT user

    10.4. Viewing file or directory permissions

    10.4. Viewing file or directory permissions

    The third button is the "SERVER\user (Long name)"

    Where Where SERVERSERVER is the NetBIOS name of - the Samba server, useruser is the user name of - the UNIX user who owns the file, and (Long name)(Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).

    If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then the file owner will be shown as the NT user

    10.4.1. File Permissions

    10.4.1. File Permissions

    The standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -388,9 +372,9 @@ CLASS="SECT2" >

    10.4.2. Directory Permissions

    10.4.2. Directory Permissions

    Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -420,9 +404,9 @@ CLASS="SECT1" >

    10.5. Modifying file or directory permissions

    10.5. Modifying file or directory permissions

    Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and @@ -434,15 +418,13 @@ CLASS="COMMAND" with the standard Samba permission masks and mapping of DOS attributes that need to also be taken into account.

    If the parameter If the parameter nt acl supportnt acl support - is set to falsefalse then any attempt to set security permissions will fail with an

    10.6. Interaction with the standard Samba create mask - parameters

    Note that with Samba 2.0.5 there are four new parameters to control this interaction. These are :

    security masksecurity mask

    force security modeforce security mode

    directory security maskdirectory security mask

    force directory security modeforce directory security mode

    Once a user clicks - security masksecurity mask parameter. Any bits that were changed that are not set to '1' in this parameter are left alone in the file permissions.

    Essentially, zero bits in the Essentially, zero bits in the security masksecurity mask mask may be treated as a set of bits the user is create mask - parameter to provide compatibility with Samba 2.0.4 where this permission change facility was introduced. To allow a user to @@ -610,22 +578,18 @@ CLASS="PARAMETER" the bits set in the force security modeforce security mode parameter. Any bits that were changed that correspond to bits set to '1' in this parameter are forced to be set.

    Essentially, bits set in the Essentially, bits set in the force security mode - parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.

    force - create mode parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000.

    The The security mask and security mask and force - security mode parameters are applied to the change request in that order.

    For a directory Samba will perform the same operations as - described above for a file except using the parameter directory security mask instead of directory security mask instead of security - mask, and , and force directory security mode - parameter instead of parameter instead of force security mode - .

    The The directory security maskdirectory security mask parameter - by default is set to the same value as the directory mask - parameter and the parameter and the force directory security - mode parameter by default is set to the same value as - the force directory modeforce directory mode parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced.

    file in that share specific section :

    security mask = 0777security mask = 0777

    force security mode = 0force security mode = 0

    directory security mask = 0777directory security mask = 0777

    force directory security mode = 0force directory security mode = 0

    As described, in Samba 2.0.4 the parameters :

    create maskcreate mask

    force create modeforce create mode

    directory maskdirectory mask

    force directory modeforce directory mode

    were used instead of the parameters discussed here.

    10.7. Interaction with the standard Samba file attribute - mapping

    Samba maps some of the DOS attribute bits (such as "read only") into the UNIX permissions of a file. This means there can diff --git a/docs/htmldocs/vfs.html b/docs/htmldocs/vfs.html index 0e39297ebb..84ff1227d4 100644 --- a/docs/htmldocs/vfs.html +++ b/docs/htmldocs/vfs.html @@ -5,7 +5,7 @@ >Stackable VFS modulesNext

    16.1. Introduction and configuration

    16.1. Introduction and configuration

    Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. Samba passes each request to access the unix file system thru the loaded VFS modules. @@ -121,17 +121,17 @@ CLASS="SECT1" >

    16.2. Included modules

    16.2. Included modules

    16.2.1. audit

    16.2.1. audit

    A simple module to audit file access to the syslog facility. The following operations are logged: @@ -167,9 +167,9 @@ CLASS="SECT2" >

    16.2.2. recycle

    16.2.2. recycle

    A recycle-bin like modules. When used any unlink call will be intercepted and files moved to the recycle @@ -238,9 +238,9 @@ CLASS="SECT2" >

    16.2.3. netatalk

    16.2.3. netatalk

    A netatalk module, that will ease co-existence of samba and netatalk file sharing services.

    16.3. VFS modules available elsewhere

    16.3. VFS modules available elsewhere

    This section contains a listing of various other VFS modules that have been posted but don't currently reside in the Samba CVS @@ -287,9 +287,9 @@ CLASS="SECT2" >

    16.3.1. DatabaseFS

    16.3.1. DatabaseFS

    URL:

    16.3.2. vscan

    16.3.2. vscan

    URL: NextAccess Samba source code via CVSGroup mapping HOWTO

    vfstest-d|--debug=debuglevel

    debugleveldebuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    File name for log/debug files. The extension - '.client''.client' will be appended. The log file is never removed by the client.

    load <module.so>load <module.so> - Load specified VFS module

  • populate <char> <size>populate <char> <size> - Populate a data buffer with the specified data

    • showdata [<offset> <len>]showdata [<offset> <len>] - Show data currently in data buffer

    conf <smb.conf>conf <smb.conf> - Load a different configuration file

  • help [<command>]help [<command>] - Get list of commands or info about specified command

  • debuglevel <level>debuglevel <level> - Set debug level

  • wbinfo-N name

    The The -N-N option queries (8) to query the WINS server for the IP address associated with the NetBIOS name - specified by the namename parameter.

    -I ip

    The The -I-I option queries (8) to send a node status request to get the NetBIOS name associated with the IP address - specified by the ipip parameter.

    -n name

    The The -n-n option queries smb.conf(5) workgroup - parameter.

    -s sid

    Use Use -s-s to resolve - a SID to a name. This is the inverse of the -n - option above. SIDs must be specified as ASCII strings in the traditional Microsoft format. For example, S-1-5-21-1455342024-3071081365-2475485837-500.

    Unified Logons between Windows NT and UNIX using Winbind

    14.1. Abstract

    14.1. Abstract

    Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -107,9 +107,9 @@ CLASS="SECT1" >

    14.2. Introduction

    14.2. Introduction

    It is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -161,9 +161,9 @@ CLASS="SECT1" >

    14.3. What Winbind Provides

    14.3. What Winbind Provides

    Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -203,9 +203,9 @@ CLASS="SECT2" >

    14.3.1. Target Uses

    14.3.1. Target Uses

    Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -227,9 +227,9 @@ CLASS="SECT1" >

    14.4. How Winbind Works

    14.4. How Winbind Works

    The winbind system is designed around a client/server architecture. A long running

    14.4.1. Microsoft Remote Procedure Calls

    14.4.1. Microsoft Remote Procedure Calls

    Over the last few years, efforts have been underway by various Samba Team members to decode various aspects of @@ -273,9 +273,9 @@ CLASS="SECT2" >

    14.4.2. Microsoft Active Directory Services

    14.4.2. Microsoft Active Directory Services

    Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its 'Native @@ -292,9 +292,9 @@ CLASS="SECT2" >

    14.4.3. Name Service Switch

    14.4.3. Name Service Switch

    The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -372,9 +372,9 @@ CLASS="SECT2" >

    14.4.4. Pluggable Authentication Modules

    14.4.4. Pluggable Authentication Modules

    Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -421,9 +421,9 @@ CLASS="SECT2" >

    14.4.5. User and Group ID Allocation

    14.4.5. User and Group ID Allocation

    When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -447,9 +447,9 @@ CLASS="SECT2" >

    14.4.6. Result Caching

    14.4.6. Result Caching

    An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -470,9 +470,9 @@ CLASS="SECT1" >

    14.5. Installation and Configuration

    14.5. Installation and Configuration

    Many thanks to John Trostel

    14.5.1. Introduction

    14.5.1. Introduction

    This HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -556,9 +556,9 @@ CLASS="SECT2" >

    14.5.2. Requirements

    14.5.2. Requirements

    If you have a samba configuration file that you are currently using...

    14.5.3. Testing Things Out

    14.5.3. Testing Things Out

    Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all

    14.5.3.1. Configure and compile SAMBA

    14.5.3.1. Configure and compile SAMBA

    The configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -681,44 +681,44 @@ whether or not you have previously built the Samba binaries.

    root#root# autoconf
-root#root# make clean
-root#root# rm config.cache
-root#root# ./configure
-root#root# make
-root#root# make install
    14.5.3.2. Configure nsswitch.conf and the 
-winbind libraries
    The libraries needed to run the  daemon 
 through nsswitch need to be copied to their proper locations, so
    root#root# cp ../samba/source/nsswitch/libnss_winbind.so /lib
    I also found it necessary to make the following symbolic link:
    root#root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
    And, in the case of Sun solaris:
    root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
-root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
-root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
    root#root# /sbin/ldconfig -v | grep winbind
    14.5.3.3. Configure smb.conf
    14.5.3.3. Configure smb.conf
    Several parameters are needed in the smb.conf file to control 
 the behavior of 
    [global]
-     <...>
+     <...>
      # separate domain and username with '+', like DOMAIN+username
      
    14.5.3.4. Join the SAMBA server to the PDC domain
    14.5.3.4. Join the SAMBA server to the PDC domain
    Enter the following command to make the SAMBA server join the 
-PDC domain, where DOMAINDOMAIN is the name of 
-your Windows domain and AdministratorAdministrator is 
 a domain user who has administrative privileges in the domain.
    root#root# /usr/local/samba/bin/net join -S PDC -U Administrator
    The proper response to the command should be: "Joined the domain 
-DOMAIN" where DOMAIN" where DOMAINDOMAIN 
 is your DOMAIN name.

    • 14.5.3.5. Start up the winbindd daemon and test it!

    14.5.3.5. Start up the winbindd daemon and test it!

    Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -973,9 +965,9 @@ SAMBA start, but it is possible to test out just the winbind portion first. To start up winbind services, enter the following command as root:

    root#root# /usr/local/samba/bin/winbinddI'm always paranoid and like to make sure the daemon is really running...

    root#root# ps -ae | grep winbinddNow... for the real test, try to get some information about the users on your PDC

    root#root# /usr/local/samba/bin/wbinfo -u

    Obviously, I have named my domain 'CEO' and my Obviously, I have named my domain 'CEO' and my winbind -separator is '+'.

    You can do the same sort of thing to get group information from @@ -1034,9 +1024,9 @@ the PDC:

    root#root# /usr/local/samba/bin/wbinfo -g
    root#root# getent passwd
    The same thing can be done for groups with the command
    root#root# getent group
    14.5.3.6. Fix the init.d startup scripts
    14.5.3.6. Fix the init.d startup scripts
    14.5.3.6.1. Linux
    14.5.3.6.1. Linux
    The 
    14.5.3.6.2. Solaris
    14.5.3.6.2. Solaris
    On solaris, you need to modify the 
 
    14.5.3.6.3. Restarting
    14.5.3.6.3. Restarting
    If you restart the 
    14.5.3.7. Configure Winbind and PAM
    14.5.3.7. Configure Winbind and PAM
    If you have made it this far, you know that winbindd and samba are working
 together.  If you want to use winbind to provide authentication for other 
@@ -1305,9 +1295,9 @@ CLASS="FILENAME"
 > directory
 by invoking the command
    root#root# make nsswitch/pam_winbind.so/usr/lib/security.
    root#root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
    14.5.3.7.1. Linux/FreeBSD-specific PAM configuration
    14.5.3.7.1. Linux/FreeBSD-specific PAM configuration
    The 
    14.5.3.7.2. Solaris-specific configuration
    14.5.3.7.2. Solaris-specific configuration
    The /etc/pam.conf needs to be changed. I changed this file so that my Domain
 users can logon both locally as well as telnet.The following are the changes
@@ -1559,9 +1549,9 @@ CLASS="SECT1"
 >
    14.6. Limitations
    14.6. Limitations
    Winbind has a number of limitations in its current 
 	released version that we hope to overcome in future 
@@ -1601,9 +1591,9 @@ CLASS="SECT1"
 >
    14.7. Conclusion
    14.7. Conclusion
    The winbind system, through the use of the Name Service 
 	Switch, Pluggable Authentication Modules, and appropriate 
diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html
index dba9988e30..b114c40647 100644
--- a/docs/htmldocs/winbindd.8.html
+++ b/docs/htmldocs/winbindd.8.html
@@ -5,7 +5,7 @@
 >winbinddwinbindd  [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]
      [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]
    pam_winbind module in the 2.2.2 release only 
-	supports the auth and auth and accountaccount 
 	module-types.  The latter simply
 	performs a getpwnam() to verify that the system can obtain a uid for the
@@ -374,11 +370,9 @@ CLASS="REFENTRYTITLE"
 >				winbind separatorwinbind separator
    				winbind uidwinbind uid
    				winbind gidwinbind gid
    				winbind cache timewinbind cache time
    				winbind enum userswinbind enum users
    				winbind enum groupswinbind enum groups
    				template homedirtemplate homedir
    				template shelltemplate shell
    				winbind use default domainwinbind use default domain
    In /etc/pam.d/* replace the  replace the 	auth	auth lines with something like this:
 
    Note in particular the use of the Note in particular the use of the sufficient
-	 keyword and the  keyword and the use_first_passuse_first_pass keyword. 
    Now replace the account lines with this: 
    net join -S PDC -U Administrator
    The username after the The username after the -U-U can be any
 	Domain user that has administrator privileges on the machine.
 	Substitute the name or IP of your PDC for "PDC".
    winbindd    
-	nsswitch module read an environment variable named 	$WINBINDD_DOMAIN	$WINBINDD_DOMAIN.  If this variable contains a comma separated
 	list of Windows NT domain names, then winbindd will only resolve users
 	and groups within those Windows NT domains. 
    Storage for the Windows NT rid to UNIX user/group 
 		id mapping.  The lock directory is specified when Samba is initially 
-		compiled using the --with-lockdir--with-lockdir option.
 		This directory is by default