From 27aef6855f1543547b8190f06fd264d1b52a558d Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij
Date: Sun, 6 Apr 2003 18:42:44 +0000
Subject: Regenerate docs (This used to be commit 5a2aaa3d5b039776314067aee953921e7865dc4d)
---
 docs/htmldocs/ads.html | 134 +++-
 docs/htmldocs/appendixes.html | 370 +++++-----
 docs/htmldocs/browsing-quick.html | 210 ++++--
 docs/htmldocs/bugreport.html | 99 ++-
 docs/htmldocs/compiling.html | 186 ++++--
 docs/htmldocs/diagnosis.html | 147 ++--
 docs/htmldocs/domain-security.html | 4 +-
 docs/htmldocs/groupmapping.html | 28 +-
 docs/htmldocs/improved-browsing.html | 299 ++++++---
 docs/htmldocs/install.html | 22 +-
 docs/htmldocs/integrate-ms-networks.html | 56 +-
 docs/htmldocs/introduction.html | 119 ++--
 docs/htmldocs/msdfs.html | 30 +-
 docs/htmldocs/nmbd.8.html | 206 ++----
 docs/htmldocs/nmblookup.1.html | 199 ++++--
 docs/htmldocs/optional.html | 837 +++++++++++++----------
 docs/htmldocs/other-clients.html | 106 ++-
 docs/htmldocs/pam.html | 68 +-
 docs/htmldocs/passdb.html | 136 ++--
 docs/htmldocs/pdbedit.8.html | 121 +++-
 docs/htmldocs/portability.html | 26 +-
 docs/htmldocs/printing.html | 150 +++--
 docs/htmldocs/rpcclient.1.html | 1041 ++++++++++++++++++++---------
 docs/htmldocs/samba-bdc.html | 18 +-
 docs/htmldocs/samba-howto-collection.html | 785 +++++++++++++---------
 docs/htmldocs/samba-pdc.html | 25 +-
 docs/htmldocs/securing-samba.html | 36 +-
 docs/htmldocs/securitylevels.html | 18 +-
 docs/htmldocs/smb.conf.5.html | 459 +++++++++++--
 docs/htmldocs/smbcacls.1.html | 110 ++-
 docs/htmldocs/smbclient.1.html | 463 ++++++-------
 docs/htmldocs/smbcontrol.1.html | 337 ++++++----
 docs/htmldocs/smbd.8.html | 154 ++---
 docs/htmldocs/smbmnt.8.html | 14 +-
 docs/htmldocs/smbmount.8.html | 28 +-
 docs/htmldocs/smbsh.1.html | 173 ++---
 docs/htmldocs/smbspool.8.html | 4 +-
 docs/htmldocs/smbstatus.1.html | 96 ++-
 docs/htmldocs/smbtar.1.html | 23 +-
 docs/htmldocs/speed.html | 52 +-
 docs/htmldocs/swat.8.html | 128 +++-
 docs/htmldocs/testparm.1.html | 24 +-
 docs/htmldocs/testprns.1.html | 2 +-
 docs/htmldocs/type.html | 80 +--
 docs/htmldocs/unix-permissions.html | 84 ++-
 docs/htmldocs/vfs.html | 76 ++-
 docs/htmldocs/vfstest.1.html | 69 +-
 docs/htmldocs/wbinfo.1.html | 54 +-
 docs/htmldocs/winbind.html | 128 ++--
 docs/htmldocs/winbindd.8.html | 161 +++--
 50 files changed, 5119 insertions(+), 3076 deletions(-)

(limited to 'docs/htmldocs')

diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html
index f37bbf0abc..d6678c250a 100644
--- a/docs/htmldocs/ads.html
+++ b/docs/htmldocs/ads.html
@@ -83,7 +83,7 @@ CLASS="SECT1" >

8.1. Setup your smb.conf ads server = your.kerberos.server

You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm + be authenticated as if security = domain, + although it won't do any harm and allows you to have local users not in the domain. I expect that the above required options will change soon when we get better active directory integration.

8.2. Setup your /etc/krb5.conf

The minimal configuration for krb5.conf is:

The minimal configuration for krb5.conf is:

Test your config by doing a "kinit USERNAME@REALM" and making sure that +>Test your config by doing a kinit USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC.

NOTE: The realm must be uppercase.

The realm must be uppercase.

You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to @@ -151,13 +215,28 @@ must either be the netbios name of the KDC (ie. the hostname with no domain attached) or it can alternatively be the netbios name followed by the realm.

The easiest way to ensure you get this right is to add a /etc/hosts -entry mapping the IP address of your KDC to its netbios name. If you -don't get this right then you will get a "local error" when you try -to join the realm.

The easiest way to ensure you get this right is to add a +/etc/hosts entry mapping the IP address of your KDC to +its netbios name. If you don't get this right then you will get a +"local error" when you try to join the realm.

If all you want is kerberos support in smbclient then you can skip -straight to step 5 now. Step 3 is only needed if you want kerberos +straight to Test with smbclient now. +Creating a computer account +and testing your servers +is only needed if you want kerberos support for smbd and winbindd.

8.3. Create the computer account

As a user that has write permission on the Samba private directory (usually root) run: -net ads joinnet ads join

8.3.1. Possible errors

8.4. Test your server setup

On a Windows 2000 client try net use * \\server\shareOn a Windows 2000 client try net use * \\server\share. You should be logged in with kerberos without needing to know a password. If -this fails then run klist ticketsklist tickets. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ?

8.5. Testing with smbclient

On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but -specify the -k option to choose kerberos authentication.

-k option to choose kerberos authentication.

8.6. Notes

NextTable of Contents

23. 25. SWAT - The Samba Web Admininistration Tool
25.1. SWAT Features and Benefits
25.1.1. The SWAT Home Page
25.1.2. Global Settings
25.1.3. The SWAT Wizard
25.1.4. Share Settings
25.1.5. Printing Settings
25.1.6. The Status Page
25.1.7. The Password Change Page
26. Migration from NT4 PDC to Samba-3 PDC
26.1. Planning and Getting Started
26.1.1. Objectives
26.1.2. Steps In Migration Process
26.2. Managing Samba-3 Domain Control
27. Samba performance issues
23.1. 27.1. Comparisons
23.2. 27.2. Socket options
23.3. 27.3. Read size
23.4. 27.4. Max xmit
23.5. 27.5. Log level
23.6. 27.6. Read raw
23.7. 27.7. Write raw
23.8. 27.8. Slow Clients
23.9. 27.9. Slow Logins
23.10. 27.10. Client tuning
24. 28. Portability
24.1. 28.1. HPUX
24.2. 28.2. SCO Unix
24.3. 28.3. DNIX
24.4. 28.4. RedHat Linux Rembrandt-II
24.5. 28.5. AIX
24.5.1. 28.5.1. Sequential Read Ahead
25. 29. Samba and other CIFS clients
25.1. 29.1. Macintosh clients?
25.2. 29.2. OS2 Client
25.2.1. 29.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
25.2.2. 29.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
25.2.3. 29.2.3. Are there any other issues when OS/2 (any version) is used as a client?
25.2.4. 29.2.4. How do I get printer driver download working for OS/2 clients?
25.3. 29.3. Windows for Workgroups
25.3.1. 29.3.1. Use latest TCP/IP stack from Microsoft
25.3.2. 29.3.2. Delete .pwl files after password change
25.3.3. 29.3.3. Configure WfW password handling
25.3.4. 29.3.4. Case handling of passwords
25.3.5. 29.3.5. Use TCP/IP as default protocol
25.4. 29.4. Windows '95/'98
25.5. 29.5. Windows 2000 Service Pack 2
29.6. Windows NT 3.1
26. 30. How to compile SAMBA
26.1. 30.1. Access Samba source code via CVS
26.1.1. 30.1.1. Introduction
26.1.2. 30.1.2. CVS Access to samba.org
26.2. 30.2. Accessing the samba sources via rsync and ftp
26.3. 30.3. Building the Binaries
26.3.1. 30.3.1. Compiling samba with Active Directory support
26.4. 30.4. Starting the smbd and nmbd
26.4.1. 30.4.1. Starting from inetd.conf
26.4.2. 30.4.2. Alternative: starting it as a daemon
27. 31. Reporting Bugs
27.1. 31.1. Introduction
27.2. 31.2. General info
27.3. 31.3. Debug levels
27.4. 31.4. Internal errors
27.5. 31.5. Attaching to a running process
27.6. 31.6. Patches
28. 32. The samba checklist
28.1. 32.1. Introduction
28.2. 32.2. Assumptions
28.3. Tests
28.3.1. Test 1
28.3.2. Test 2
28.3.3. Test 3
28.3.4. Test 4
28.3.5. Test 5
28.3.6. Test 632.3. The tests
28.3.7. Test 7
28.3.8. Test 8
28.3.9. Test 9
28.3.10. Test 10
28.3.11. Test 11
28.4. 32.4. Still having troubles?
NextSamba performance issuesSWAT - The Samba Web Admininistration Tool

Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS +>MS Windows 2000 and later can be configured to operate with NO NetBIOS over TCP/IP. Samba-3 and later also supports this mode of operation.

2.1. Discussion

Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP.

remote announce +parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the +remote browse sync parameter of smb.conf +implements browse list collation using unicast UDP.

Secondly, in those networks where Samba is the only SMB server technology wherever possible nmbd should be configured on one (1) machine as the WINS server. This makes it easy to manage the browsing environment. If each network segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file.

remote announce and the remote browse sync +parameters to your smb.conf file.

If only one WINS server is used for an entire multi-segment network then -the use of the "remote announce" and the "remote browse sync" parameters -should NOT be necessary.

As of Samba-3 WINS replication is being worked on. The bulk of the code has +the use of the remote announce and the +remote browse sync parameters should NOT be necessary.

As of Samba 3 WINS replication is being worked on. The bulk of the code has been committed, but it still needs maturation.

Right now samba WINS does not support MS-WINS replication. This means that when setting up Samba as a WINS server there must only be one nmbd configured as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used "remote browse -sync" and "remote announce" to affect browse list collation across all +servers for redundancy (one server per subnet) and then used +remote browse sync and remote announce +to affect browse list collation across all segments. Note that this means clients will only resolve local names, and must be configured to use DNS to resolve names on other subnets in order to resolve the IP addresses of the servers they can see on other @@ -140,7 +198,7 @@ CLASS="SECT1" >

2.2. How browsing functions and how to deploy stable and dependable browsing using Samba

remote announce parameter).

Where a WINS server is used, the MS Windows client will use UDP unicast to register with the WINS server. Such packets can be routed @@ -185,14 +247,23 @@ will annoy users because they will have to put up with protracted inability to use the network services.

Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and +of browse lists across routed networks using the remote +browse sync parameter in the smb.conf file. +This causes Samba to contact the local master browser on a remote network and to request browse list synchronisation. This effectively bridges two networks that are separated by routers. The two remote networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and +based name resolution, but it should be noted that the remote +browse sync parameter provides browse list synchronisation - and that is distinct from name to address resolution, in other words, for cross subnet browsing to function correctly it is essential that a name to address resolution mechanism be provided. @@ -207,21 +278,40 @@ CLASS="SECT1" >

2.3. Use of the "Remote Announce" parameter2.3. Use of the Remote Announce parameter

The "remote announce" parameter of smb.conf can be used to forcibly ensure +>The remote announce parameter of +smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. -The syntax of the "remote announce" parameter is: +The syntax of the remote announce parameter is:

	remote announce = a.b.c.d [e.f.g.h] ...
remote announce = a.b.c.d [e.f.g.h] ... _or_
	remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... where: @@ -231,7 +321,14 @@ where: CLASS="VARIABLELIST" >
a.b.c.d and e.f.g.h
a.b.c.d and +e.f.g.h

is either the LMB (Local Master Browser) IP address @@ -246,7 +343,10 @@ undesirable but may be necessary if we do NOT know the IP address of the remote LMB.

WORKGROUP
WORKGROUP

is optional and can be either our own workgroup @@ -265,30 +365,49 @@ CLASS="SECT1" >

2.4. Use of the "Remote Browse Sync" parameter2.4. Use of the Remote Browse Sync parameter

The "remote browse sync" parameter of smb.conf is used to announce to +>The remote browse sync parameter of +smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is simultaneously the LMB on it's network segment.

The syntax of the "remote browse sync" parameter is: +>The syntax of the remote browse sync parameter is:

remote browse sync = a.b.c.d
remote browse sync = a.b.c.d -where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.

a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.

2.5. Use of WINS

lmhosts files that must reside on all clients in the +absence of WINS.

WINS also serves the purpose of forcing browse list synchronisation by all LMB's. LMB's must synchronise their browse list with the DMB (domain master @@ -330,8 +453,15 @@ machines that have not registered with a WINS server will fail name to address lookup attempts by other clients and will therefore cause workstation access errors.

To configure Samba as a WINS server just add "wins support = yes" to the -smb.conf file [globals] section.

To configure Samba as a WINS server just add +wins support = yes to the smb.conf +file [globals] section.

To configure Samba to register with a WINS server just add "wins server = a.b.c.d" to your smb.conf file [globals] section.

2.6. Do NOT use more than one (1) protocol on MS Windows machines

2.7. Name Resolution Order

Chapter 27. Reporting Bugs

Chapter 31. Reporting Bugs

27.1. Introduction31.1. Introduction

The email address for bug reports for stable releases is samba@samba.org. @@ -125,8 +125,8 @@ CLASS="SECT1" >

27.2. General info31.2. General info

Before submitting a bug report check your config for silly @@ -135,8 +135,7 @@ you've misconfigured something and run testparm to test your config file for correct syntax.

Have you run through the diagnosis? This is very important.

27.3. Debug levels31.3. Debug levels

If the bug has anything to do with Samba behaving incorrectly as a @@ -181,9 +180,15 @@ include = /usr/local/samba/lib/smb.conf.%mthen create a file /usr/local/samba/lib/smb.conf.machine/usr/local/samba/lib/smb.conf.machine where -"machine" is the name of the client you wish to debug. In that file +machine is the name of the client you wish to debug. In that file put any smb.conf commands you want, for example debuglevel = that has been used in older versions of Samba and is being retained for backwards -compatibility of smb.conf files.

smb.conf files.

As the

27.4. Internal errors31.4. Internal errors

If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software)

If the message came from smbd then it will probably be accompanied by a message which details the last SMB message received by smbd. This @@ -237,7 +245,10 @@ include it in your bug report.

You should also detail how to reproduce the problem, if possible. Please make this reasonably detailed.

You may also find that a core file appeared in a "corefiles" +>You may also find that a core file appeared in a corefiles subdirectory of the directory where you keep your samba log files. This file is the most useful tool for tracking down the bug. To use it you do this:

adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try "dbx". Then within the debugger use the -command "where" to give a stack trace of where the problem +don't have gdb then try dbx. Then within the debugger use the +command where to give a stack trace of where the problem occurred. Include this in your mail.

If you known any assembly language then do a "disass" of the routine +>If you known any assembly language then do a disass of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you @@ -264,15 +284,30 @@ CLASS="SECT1" >

27.5. Attaching to a running process31.5. Attaching to a running process

Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd does often). To debug with this sort of system you could try to attach -to the running process using "gdb smbd PID" where you get PID from -smbstatus. Then use "c" to continue and try to cause the core dump +to the running process using gdb smbd PID where you get PID from +smbstatus. Then use c to continue and try to cause the core dump using the client. The debugger should catch the fault and tell you where it occurred.

27.6. Patches31.6. Patches

The best sort of bug report is one that includes a fix! If you send us -patches please use diff -udiff -u format if your version of -diff supports it, otherwise use diff -c4diff -c4. Make sure your do the diff against a clean version of the source and let me know exactly what version you used.

Chapter 26. How to compile SAMBAChapter 30. How to compile SAMBA

You can obtain the samba source from the

26.1. Access Samba source code via CVS30.1. Access Samba source code via CVS

26.1.1. Introduction30.1.1. Introduction

Samba is developed in an open environment. Developers use CVS @@ -117,8 +117,8 @@ CLASS="SECT2" >

26.1.2. CVS Access to samba.org30.1.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS @@ -130,8 +130,8 @@ CLASS="SECT3" >

26.1.2.1. Access via CVSweb30.1.2.1. Access via CVSweb

You can access the source code via your @@ -151,8 +151,8 @@ CLASS="SECT3" >

26.1.2.2. Access via cvs30.1.2.2. Access via cvs

You can also access the source code via a @@ -192,9 +192,9 @@ TYPE="1" > Run the command

cvs -d :pserver:cvs@samba.org:/cvsroot login cvs -d :pserver:cvs@samba.org:/cvsroot login

Run the command

cvs -d :pserver:cvs@samba.org:/cvsroot co samba cvs -d :pserver:cvs@samba.org:/cvsroot co samba

and defining a tag name. A list of branch tag names can be found on the "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. + latest 2.2 release code. This could be done by using the following userinput.

cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba

cvs update -d -P cvs update -d -P

26.2. Accessing the samba sources via rsync and ftp30.2. Accessing the samba sources via rsync and ftp

pserver.samba.org also exports unpacked copies of most parts of the CVS tree at

26.3. Building the Binaries30.3. Building the Binaries

To do this, first run the program To do this, first run the program ./configure - in the source directory. This should automatically configure Samba for your operating system. If you have unusual needs then you may wish to run

26.3.1. Compiling samba with Active Directory support30.3.1. Compiling samba with Active Directory support

In order to compile samba with ADS support, you need to have installed @@ -420,8 +420,8 @@ CLASS="SECT3" >

26.3.1.1. Installing the required packages for Debian30.3.1.1. Installing the required packages for Debian

On Debian you need to install the following packages:

26.3.1.2. Installing the required packages for RedHat30.3.1.2. Installing the required packages for RedHat

On RedHat this means you should have at least:

26.4. Starting the smbd and nmbd30.4. Starting the smbd and nmbd

You must choose to start smbd and nmbd either - as daemons or from inetd. Don't try + as daemons or from inetdDon't try to do both! Either you can put them in inetd.conf and have them started on demand - by inetdinetd, or you can start them as daemons either from the command line or in

The main advantage of starting smbdThe main advantage of starting smbd - and nmbdnmbd using the recommended daemon method is that they will respond slightly more quickly to an initial connection request.

26.4.1. Starting from inetd.conf30.4.1. Starting from inetd.conf

NOTE; The following will be different if @@ -595,19 +595,39 @@ CLASS="FILENAME" >

NOTE: On many systems you may need to use the "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run ifconfigifconfig as root if you don't know what the broadcast is for your - net. nmbdnmbd tries to determine it at run - time, but fails on some unixes. See the section on "testing nmbd" - for a method of finding if you need to do this.

!!!WARNING!!! Many unixes only accept around 5 +>Many unixes only accept around 5 parameters on the command line in inetd.confinetd.

Restart inetd, perhaps just send - it a HUP. If you have installed an earlier version of nmbd nmbd then you may need to kill nmbd as well.

26.4.2. Alternative: starting it as a daemon30.4.2. Alternative: starting it as a daemon

To start the server as a daemon you should create @@ -676,13 +700,37 @@ CLASS="COMMAND" CLASS="COMMAND" >smbd.

NOTE: If you use the SVR4 style init system then +>

If you use the SVR4 style init system then you may like to look at the examples/svr4-startup script to make Samba fit into that system.

Chapter 28. The samba checklistChapter 32. The samba checklist

28.1. Introduction32.1. Introduction

This file contains a list of tests you can perform to validate your @@ -95,8 +95,8 @@ CLASS="SECT1" >

28.2. Assumptions32.2. Assumptions

In all of the tests it is assumed you have a Samba server called @@ -133,17 +133,18 @@ CLASS="SECT1" >

28.3. Tests32.3. The tests

28.3.1. Test 1

Diagnosing your samba server

  1. In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -157,15 +158,8 @@ CLASS="FILENAME" CLASS="FILENAME" >/usr/local/samba/lib

28.3.2. Test 2

  • Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -183,15 +177,8 @@ you do have correct entries for the remainder of these tests.

  • 28.3.3. Test 3

  • Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back.

  • 28.3.4. Test 4

  • Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back.

  • 28.3.5. Test 5

  • run the command

    If ACLIENT doesn't resolve via DNS then use the IP address of the client in the above test.

  • 28.3.6. Test 6

  • Run the command

    This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to TEST 3 notes above).

  • 28.3.7. Test 7

  • Run the command dir.

  • 28.3.8. Test 8

  • On the PC type the command

  • 28.3.9. Test 9

  • Run the command smb.conf. Turn it back on to fix.

  • 28.3.10. Test 10

  • Run the command preferred master = yes to ensure that an election is held at startup.

  • 28.3.11. Test 11

  • From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -566,6 +497,8 @@ CLASS="COMMAND" > in your smb.conf file, or enable encrypted passwords AFTER compiling in support for encrypted passwords (refer to the Makefile).

  • 28.4. Still having troubles?32.4. Still having troubles?

    Try the mailing list or newsgroup, or use the ethereal utility to @@ -589,7 +522,7 @@ out the samba web page at http://samba.org/sambahttp://samba.org/samba/

    Also look at the other docs in the Samba package!

    9.1. Joining an NT Domain with Samba 3.0

    9.2. Why is this better than security = server?

    Group mapping HOWTOConfiguring Group MappingNextChapter 12. Group mapping HOWTOChapter 11. Configuring Group Mapping

    Starting with Samba 3.0 alpha 2, a new group mapping function is available. The @@ -143,9 +142,9 @@ CLASS="COMMAND" >domain admins group by running the command:

    smbgroupedit -c "Domain Admins" -u domadmsmbgroupedit -c "Domain Admins" -u domadm

    You can list the various groups in the mapping database like this

    smbgroupedit -vsmbgroupedit -v

    NextConfiguring PAM for distributed but centrally -managed authenticationPrinting Support
    NextChapter 18. Improved browsing in sambaChapter 22. Improved browsing in samba

    18.1. Overview of browsing22.1. Overview of browsing

    SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called "browse list". This list +of machines in a network, a so-called browse list. This list contains machines that are ready to offer file and/or print services to other machines within the network. Thus it does not include machines which aren't currently able to do server tasks. The browse @@ -93,7 +96,7 @@ list is heavily used by all SMB clients. Configuration of SMB browsing has been problematic for some Samba users, hence this document.

    MS Windows 2000 and later, as with Samba-3 and later, can be +>MS Windows 2000 and later, as with Samba 3 and later, can be configured to not use NetBIOS over TCP/IP. When configured this way it is imperative that name resolution (using DNS/LDAP/ADS) be correctly configured and operative. Browsing will NOT work if name resolution @@ -109,8 +112,8 @@ CLASS="SECT1" >

    18.2. Browsing support in samba22.2. Browsing support in samba

    Samba facilitates browsing. The browsing is supported by nmbd @@ -129,45 +132,91 @@ workgroup that has the same name as an NT Domain: on each wide area network, you must only ever have one domain master browser per workgroup, regardless of whether it is NT, Samba or any other type of domain master that is providing this service.

    [Note that nmbd can be configured as a WINS server, but it is not +>Nmbd can be configured as a WINS server, but it is not necessary to specifically use samba as your WINS server. MS Windows NT4, Server or Advanced Server 2000 or 2003 can be configured as your WINS server. In a mixed NT/2000/2003 server and samba environment on a Wide Area Network, it is recommended that you use the Microsoft WINS server capabilities. In a samba-only environment, it is recommended that you use one and only one Samba server as your WINS server.

    To get browsing to work you need to run nmbd as usual, but will need -to use the "workgroup" option in smb.conf to control what workgroup -Samba becomes a part of.

    workgroup
    option in smb.conf +to control what workgroup Samba becomes a part of.

    Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for -example. See "remote announce" in the smb.conf man page.

    remote announce
    in the +smb.conf man page.

    18.3. Problem resolution22.3. Problem resolution

    If something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat.

    browse.dat.

    Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then hit enter and -filemanager should display the list of available shares.

    \\SERVER in filemanager then +hit enter and filemanager should display the list of available shares.

    Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ -connection that lists the shares is done as guest, and thus you must +guest account set to a valid account. Remember that the +IPC$ connection that lists the shares is done as guest, and thus you must have a valid guest account.

    Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to -not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd -are now far more likely to correctly find your broadcast and network -address, so in most cases these aren't needed.

    The other big problem people have is that their broadcast address, netmask or IP address is wrong (specified with the "interfaces" option in smb.conf)

    18.4. Browsing across subnets22.4. Browsing across subnets

    Since the release of Samba 1.9.17(alpha1) Samba has been @@ -230,8 +272,8 @@ CLASS="SECT2" >

    18.4.1. How does cross subnet browsing work ?22.4.1. How does cross subnet browsing work ?

    Cross subnet browsing is a complicated dance, containing multiple @@ -441,8 +483,8 @@ CLASS="SECT1" >

    18.5. Setting up a WINS server22.5. Setting up a WINS server

    Either a Samba machine or a Windows NT Server machine may be set up @@ -460,17 +502,17 @@ yes. If you have any older versions of Samba on your network it is strongly suggested you upgrade to a recent version, or at the very least set the parameter to 'no' on all these machines.

    Machines with "Machines with wins support = yes" will keep a list of +> will keep a list of all NetBIOS names registered with them, acting as a DNS for NetBIOS names.

    You should set up only ONE wins server. Do NOT set the -"wins support = yes" option on more than one Samba +> option on more than one Samba server.

    To set up a Windows NT Server as a WINS server you need to set up @@ -481,8 +523,11 @@ refuse to document these replication protocols Samba cannot currently participate in these replications. It is possible in the future that a Samba->Samba WINS replication protocol may be defined, in which case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the "wins support = yes" -parameter set.

    wins support = yes parameter set.

    After the WINS server has been configured you must ensure that all machines participating on the network are configured with the address @@ -503,14 +548,14 @@ machine or its IP address.

    Note that this line MUST NOT BE SET in the smb.conf file of the Samba server acting as the WINS server itself. If you set both the -"wins support = yes" option and the -" option and the +wins server = <name>" option then +> option then nmbd will fail to start.

    There are two possible scenarios for setting up cross subnet browsing. @@ -524,8 +569,8 @@ CLASS="SECT1" >

    18.6. Setting up Browsing in a WORKGROUP22.6. Setting up Browsing in a WORKGROUP

    To set up cross subnet browsing on a network containing machines @@ -586,15 +631,31 @@ os level = 65

    The "local master" parameter allows Samba to act as a local master -browser. The "preferred master" causes nmbd to force a browser -election on startup and the "os level" parameter sets Samba high -enough so that it should win any browser elections.

    The local master parameter allows Samba to act as a +local master browser. The preferred master causes nmbd +to force a browser election on startup and the os level +parameter sets Samba high enough so that it should win any browser elections.

    If you have an NT machine on the subnet that you wish to be the local master browser then you can disable Samba from becoming a local master browser by setting the following -options in the [global] section of the smb.conf file :

    [global]
    section of the +smb.conf file :

    18.7. Setting up Browsing in a DOMAIN22.7. Setting up Browsing in a DOMAIN

    If you are adding Samba servers to a Windows NT Domain then @@ -618,13 +679,23 @@ you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a Domain name is also the Domain master browser for that name, and many things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC.

    DOMAIN<1B>) +with WINS instead of the PDC.

    For subnets other than the one containing the Windows NT PDC you may set up Samba servers as local master browsers as described. To make a Samba server a local master browser set -the following options in the [global] section of the smb.conf -file :

    [global]
    section +of the smb.conf file :

    If you wish to have a Samba server fight the election with machines -on the same subnet you may set the "os level" parameter to lower -levels. By doing this you can tune the order of machines that +on the same subnet you may set the os level parameter +to lower levels. By doing this you can tune the order of machines that will become local master browsers if they are running. For -more details on this see the section "FORCING SAMBA TO BE THE MASTER" +more details on this see the section Forcing samba to be the master browser below.

    If you have Windows NT machines that are members of the domain on all subnets, and you are sure they will always be running then you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options -in the [global] section of the smb.conf file :

    [global] section of the smb.conf +file :

    18.8. Forcing samba to be the master22.8. Forcing samba to be the master

    Who becomes the "master browser" is determined by an election process -using broadcasts. Each election packet contains a number of parameters +>Who becomes the master browser is determined by an election +process using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the election. By default Samba uses a very low precedence and thus loses elections to just about anyone else.

    If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 34 +>If you want Samba to win elections then just set the os level global +option in smb.conf to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!)

    A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows +>A os level of 2 would make it beat WfWg and Win95, but not MS Windows NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.

    The maximum os level is 255

    If you want samba to force an election on startup, then set the -"preferred master" global option in smb.conf to "yes". Samba will +preferred master global option in smb.conf to "yes". Samba will then have a slight advantage over other potential master browsers that are not preferred master browsers. Use this parameter with care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with "preferred master" to +samba) on the same local subnet both set with preferred master to "yes", then periodically and continually they will force an election in order to become the local master browser.

    If you want samba to be a "domain master browser", then it is -recommended that you also set "preferred master" to "yes", because +>If you want samba to be a domain master browser, then it is +recommended that you also set preferred master to "yes", because samba will not become a domain master browser for the whole of your LAN or WAN if it is not also a local master browser on its own broadcast isolated subnet.

    18.9. Making samba the domain master22.9. Making samba the domain master

    The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting "domain master = yes" -in smb.conf. By default it will not be a domain master.

    domain master = yes +in smb.conf. By default it will not be a domain master.

    Note that you should NOT set Samba to be the domain master for a workgroup that has the same name as an NT Domain.

    If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections, and set -"preferred master" to "yes", to get samba to force an election on +the os level high enough to make sure it wins elections, and set +preferred master to "yes", to get samba to force an election on startup.

    Note that all your servers (including samba) and clients should be @@ -781,8 +904,8 @@ CLASS="SECT1" >

    18.10. Note about broadcast addresses22.10. Note about broadcast addresses

    If your network uses a "0" based broadcast address (for example if it @@ -795,13 +918,19 @@ CLASS="SECT1" >

    18.11. Multiple interfaces22.11. Multiple interfaces

    Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the "interfaces" -option in smb.conf to configure them. See smb.conf(5) for details.

    interfaces +option in smb.conf to configure them. See smb.conf(5) for details.

    NextHosting a Microsoft Distributed File System tree on SambaSecuring Samba

    1.1. Obtaining and installing samba

    1.2. Configuring samba

    1.2.1. Editing the smb.conf file

    1.2.1.1. Test your config file with

    1.2.2. SWAT

    1.3. Try listing the shares available on your server

    1.4. Try connecting with the unix client

    1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client

    1.6. What If Things Don't Work?

    1.6.1. Scope IDs

    1.6.2. Locking

    PrevChapter 17. Integrating MS Windows networks with Samba

    Chapter 21. Integrating MS Windows networks with Samba

    This section deals with NetBIOS over TCP/IP name to IP address resolution. If you your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this @@ -155,8 +155,8 @@ CLASS="SECT1" >

    17.1. Name Resolution in a pure Unix/Linux world21.1. Name Resolution in a pure Unix/Linux world

    The key configuration files covered in this section are:

    17.1.1. 21.1.1. /etc/hosts

    17.1.2. 21.1.2. /etc/resolv.conf

    17.1.3. 21.1.3. /etc/host.conf

    17.1.4. 21.1.4. /etc/nsswitch.conf

    17.2. Name resolution as used within MS Windows networking21.2. Name resolution as used within MS Windows networking

    MS Windows networking is predicated about the name each machine @@ -499,8 +499,8 @@ CLASS="SECT2" >

    17.2.1. The NetBIOS Name Cache21.2.1. The NetBIOS Name Cache

    All MS Windows machines employ an in memory buffer in which is @@ -526,8 +526,8 @@ CLASS="SECT2" >

    17.2.2. The LMHOSTS file21.2.2. The LMHOSTS file

    This file is usually located in MS Windows NT 4.0 or @@ -629,8 +629,8 @@ CLASS="SECT2" >

    17.2.3. HOSTS file21.2.3. HOSTS file

    This file is usually located in MS Windows NT 4.0 or 2000 in @@ -651,8 +651,8 @@ CLASS="SECT2" >

    17.2.4. DNS Lookup21.2.4. DNS Lookup

    This capability is configured in the TCP/IP setup area in the network @@ -671,8 +671,8 @@ CLASS="SECT2" >

    17.2.5. WINS Lookup21.2.5. WINS Lookup

    A WINS (Windows Internet Name Server) service is the equivaent of the @@ -724,7 +724,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevUnified Logons between Windows NT and UNIX using WinbindHosting a Microsoft Distributed File System tree on Samba

    PrevNextChapter 19. Hosting a Microsoft Distributed File System tree on Samba

    Chapter 20. Hosting a Microsoft Distributed File System tree on Samba

    19.1. Instructions20.1. Instructions

    The Distributed File System (or Dfs) provides a means of @@ -212,8 +212,8 @@ CLASS="SECT2" >

    19.1.1. Notes20.1.1. Notes

    PrevNextImproved browsing in sambaStackable VFS modulesStackable VFS modulesIntegrating MS Windows networks with Samba
    -a

    If this parameter is specified, each new - connection will append log messages to the log file. - This is the default.

    -i

    -o

    If this parameter is specified, the - log files will be overwritten when opened. By default, - smbd will append entries to the log - files.

    -h
    -h|--help

    Prints the help information (usage) - for nmbd.

    Print a summary of command line options.

    -H <filename>

    Prints the version number for - nmbdsmbd.

    -d <debug level>
    -s <configuration file>

    debuglevel is an integer - from 0 to 10. The default value if this parameter is - not specified is zero.

    The higher this value, the more detail will - be logged to the log files about the activities of the - server. At level 0, only critical errors and serious - warnings will be logged. Level 1 is a reasonable level for - day to day running - it generates a small amount of - information about operations carried out.

    Levels above 1 will generate considerable amounts - of log data, and should only be used when investigating - a problem. Levels above 3 are designed for use only by developers - and generate HUGE amounts of log data, most of which is extremely - cryptic.

    Note that specifying this parameter here will override - the The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See log levelsmb.conf(5) - parameter in the smb.conf(5) file.

    for more information. +The default configuration file name is determined at +compile time.

    -l <log directory>
    -d|--debug=debuglevel

    The -l parameter specifies a directory - into which the "log.nmbd" log file will be created - for operational data from the running nmbd - server. The default log directory is compiled into Samba - as part of the build process. Common defaults are /usr/local/samba/var/log.nmb, /usr/samba/var/log.nmb or - debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the /var/log/log.nmb. Beware: - If the directory specified does not exist, nmbd - will log to the default debug log location defined at compile time. -

    smb.conf(5) file.

    -n <primary NetBIOS name>
    -l|--logfile=logbasename

    This option allows you to override - the NetBIOS name that Samba uses for itself. This is identical - to setting the NetBIOS - name parameter in the smb.conf(5) file. However, a command - line setting will take precedence over settings in - smb.conf(5).

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -p <UDP port number>
    -s <configuration file>

    The default configuration file name - is set at build time, typically as /usr/local/samba/lib/smb.conf, but - this may be changed when Samba is autoconfigured.

    The file specified contains the configuration details - required by the server. See smb.conf(5) for more information. -

    FILES

    SIGNALS

    VERSION

    SEE ALSO

    AUTHOR
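Review bot: the shared option text pulled into the nmbd options no longer describes nmbd. The version entry now reads "Prints the version number for smbd" where it read nmbd, and -l|--logfile says the extension ".client" is appended and that the log "is never removed by the client". That replaces text that named the log.nmbd file, its compiled-in default directory, and the warning that nmbd falls back to the compile-time location when the given directory does not exist. Suggest passing the program name into the shared text and keeping the daemon-specific -l wording, since that is where an administrator looks to find where nmbd actually logs.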

    -h
    -n <primary NetBIOS name>

    Print a help (usage) message.

    This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the NetBIOS +name parameter in the smb.conf(5) file. However, a command +line setting will take precedence over settings in +smb.conf(5).

    -i <scope>

    This specifies a NetBIOS scope that +nmblookup will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +very rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.

    -W|--workgroup=domain

    Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM).

    -O socket options

    TCP socket options to set on the client +socket. See the socket options parameter in +the smb.conf(5) manual page for the list of valid +options.

    -h|--help

    Print a summary of command line options.

    -B <broadcast address>
    -d <debuglevel>
    -V

    debuglevel is an integer from 0 to 10.

    The default value if this parameter is not specified - is zero.

    The higher this value, the more detail will be logged - about the activities of Prints the version number for +nmblookup. At level - 0, only critical errors and serious warnings will be logged.

    Levels above 1 will generate considerable amounts of - log data, and should only be used when investigating a problem. - Levels above 3 are designed for use only by developers and - generate HUGE amounts of data, most of which is extremely cryptic.

    smbd.

    -s <configuration file>

    Note that specifying this parameter here will override - the The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See log level parameter in the smb.conf(5) file.

    smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -s <smb.conf>
    -d|--debug=debuglevel

    This parameter specifies the pathname to - the Samba configuration file, debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5). This file controls all aspects of - the Samba setup on the machine.

    smb.conf(5) file.

    -i <scope>
    -l|--logfile=logbasename

    This specifies a NetBIOS scope that - nmblookup will use to communicate with when - generating NetBIOS names. For details on the use of NetBIOS - scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are - very rarely used, only set this parameter - if you are the system administrator in charge of all the - NetBIOS systems you communicate with.

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -T

    EXAMPLES

    VERSION

    SEE ALSO

    AUTHOR

    Next

    Introduction

    10. System Policies
    10.1. Basic System Policy Info
    10.1.1. Creating Group Prolicy Files
    10.2. Roaming Profiles
    10.2.1. Windows NT Configuration
    10.2.2. Windows 9X Configuration
    10.2.3. Win9X and WinNT Configuration
    10.2.4. Windows 9X Profile Setup
    10.2.5. Windows NT Workstation 4.0
    10.2.6. Windows NT/200x Server
    10.2.7. Sharing Profiles between W9x/Me and NT4/200x/XP workstations
    10.2.8. Windows NT 4
    10.2.9. Windows 2000/XP
    11. UNIX Permission Bits and Windows NT Access Control Lists
    11.1. 10.1. Viewing and changing UNIX permissions using the NT security dialogs
    11.2. 10.2. How to view file security on a Samba share
    11.3. 10.3. Viewing file ownership
    11.4. 10.4. Viewing file or directory permissions
    11.4.1. 10.4.1. File Permissions
    11.4.2. 10.4.2. Directory Permissions
    11.5. 10.5. Modifying file or directory permissions
    11.6. 10.6. Interaction with the standard Samba create mask parameters
    11.7. 10.7. Interaction with the standard Samba file attribute mapping
    12. 11. Group mapping HOWTO
    13. Configuring PAM for distributed but centrally -managed authenticationConfiguring Group Mapping
    13.1. Samba and PAM
    13.2. Distributed Authentication
    13.3. PAM Configuration in smb.conf
    14. 12. Printing Support
    14.1. 12.1. Introduction
    14.2. 12.2. Configuration
    14.2.1. 12.2.1. Creating [print$]
    14.2.2. 12.2.2. Setting Drivers for Existing Printers
    14.2.3. 12.2.3. Support a large number of printers
    14.2.4. 12.2.4. Adding New Printers via the Windows NT APW
    14.2.5. 12.2.5. Samba and Printer Ports
    14.3. 12.3. The Imprints Toolset
    14.3.1. 12.3.1. What is Imprints?
    14.3.2. 12.3.2. Creating Printer Driver Packages
    14.3.3. 12.3.3. The Imprints server
    14.3.4. 12.3.4. The Installation Client
    14.4. 12.4. Diagnosis
    14.4.1. 12.4.1. Introduction
    14.4.2. 12.4.2. Debugging printer problems
    14.4.3. 12.4.3. What printers do I have?
    14.4.4. 12.4.4. Setting up printcap and print servers
    14.4.5. 12.4.5. Job sent, no output
    14.4.6. 12.4.6. Job sent, strange output
    14.4.7. 12.4.7. Raw PostScript printed
    14.4.8. 12.4.8. Advanced Printing
    14.4.9. 12.4.9. Real debugging
    15. 13. CUPS Printing Support
    15.1. 13.1. Introduction
    15.2. CUPS - RAW Print Through Mode13.2. Configuring smb.conf for CUPS
    15.3. 13.3. CUPS - RAW Print Through Mode
    13.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients
    13.5. Windows Terminal Servers (WTS) as CUPS clients
    13.6. Setting up CUPS for driver download
    13.7. Sources of CUPS drivers / PPDs
    13.7.1. cupsaddsmb
    13.8. The CUPS Filter Chains
    15.4. 13.9. CUPS Print Drivers and Devices
    15.4.1. 13.9.1. Further printing steps
    15.5. 13.10. Limiting the number of pages users can print
    15.6. 13.11. Advanced Postscript Printing from MS Windows
    15.7. 13.12. Auto-Deletion of CUPS spool files
    16. 14. Unified Logons between Windows NT and UNIX using Winbind
    16.1. 14.1. Abstract
    16.2. 14.2. Introduction
    16.3. 14.3. What Winbind Provides
    16.3.1. 14.3.1. Target Uses
    16.4. 14.4. How Winbind Works
    16.4.1. 14.4.1. Microsoft Remote Procedure Calls
    16.4.2. 14.4.2. Microsoft Active Directory Services
    16.4.3. 14.4.3. Name Service Switch
    16.4.4. 14.4.4. Pluggable Authentication Modules
    16.4.5. 14.4.5. User and Group ID Allocation
    16.4.6. 14.4.6. Result Caching
    16.5. 14.5. Installation and Configuration
    16.5.1. 14.5.1. Introduction
    16.5.2. 14.5.2. Requirements
    16.5.3. 14.5.3. Testing Things Out
    16.6. 14.6. Limitations
    16.7. 14.7. Conclusion
    15. Advanced Network Manangement
    15.1. Configuring Samba Share Access Controls
    15.1.1. Share Permissions Management
    15.2. Remote Server Administration
    15.3. Network Logon Script Magic
    16. System and Account Policies
    16.1. Creating and Managing System Policies
    16.1.1. Windows 9x/Me Policies
    16.1.2. Windows NT4 Style Policy Files
    16.1.3. MS Windows 200x / XP Professional Policies
    16.2. Managing Account/User Policies
    16.2.1. With Windows NT4/200x
    16.2.2. With a Samba PDC
    17. Integrating MS Windows networks with SambaDesktop Profile Management
    17.1. Name Resolution in a pure Unix/Linux worldRoaming Profiles
    17.1.1. /etc/hostsSamba Configuration for Profile Handling
    17.1.2. /etc/resolv.confWindows Client Profile Configuration Information
    17.1.3. /etc/host.confSharing Profiles between W9x/Me and NT4/200x/XP workstations
    17.1.4. /etc/nsswitch.confProfile Migration from Windows NT4/200x Server to Samba
    17.2. Name resolution as used within MS Windows networkingMandatory profiles
    17.2.1. The NetBIOS Name Cache17.3. Creating/Managing Group Profiles
    17.2.2. The LMHOSTS file17.4. Default Profile for Windows Users
    17.2.3. HOSTS file17.4.1. MS Windows 9x/Me
    17.2.4. DNS Lookup17.4.2. MS Windows NT4 Workstation
    17.2.5. WINS Lookup17.4.3. MS Windows 200x/XP
    18. Improved browsing in sambaPAM Configuration for Centrally Managed Authentication
    18.1. Overview of browsingSamba and PAM
    18.2. Browsing support in sambaDistributed Authentication
    18.3. Problem resolutionPAM Configuration in smb.conf
    18.4. Browsing across subnets19. Stackable VFS modules
    18.4.1. How does cross subnet browsing work ?19.1. Introduction and configuration
    18.5. Setting up a WINS server19.2. Included modules
    18.6. Setting up Browsing in a WORKGROUP19.2.1. audit
    18.7. Setting up Browsing in a DOMAIN19.2.2. extd_audit
    18.8. Forcing samba to be the master19.2.3. recycle
    18.9. Making samba the domain master19.2.4. netatalk
    18.10. Note about broadcast addresses19.3. VFS modules available elsewhere
    18.11. Multiple interfaces19.3.1. DatabaseFS
    19.3.2. vscan
    19. 20. Hosting a Microsoft Distributed File System tree on Samba
    19.1. 20.1. Instructions
    19.1.1. 20.1.1. Notes
    20. Stackable VFS modules21. Integrating MS Windows networks with Samba
    20.1. Introduction and configuration21.1. Name Resolution in a pure Unix/Linux world
    20.2. Included modules21.1.1. /etc/hosts
    21.1.2. /etc/resolv.conf
    21.1.3. /etc/host.conf
    21.1.4. /etc/nsswitch.conf
    21.2. Name resolution as used within MS Windows networking
    20.2.1. audit21.2.1. The NetBIOS Name Cache
    20.2.2. recycle21.2.2. The LMHOSTS file
    20.2.3. netatalk21.2.3. HOSTS file
    21.2.4. DNS Lookup
    21.2.5. WINS Lookup
    20.3. VFS modules available elsewhere22. Improved browsing in samba
    20.3.1. DatabaseFS22.1. Overview of browsing
    20.3.2. vscan22.2. Browsing support in samba
    22.3. Problem resolution
    22.4. Browsing across subnets
    22.4.1. How does cross subnet browsing work ?
    22.5. Setting up a WINS server
    22.6. Setting up Browsing in a WORKGROUP
    22.7. Setting up Browsing in a DOMAIN
    22.8. Forcing samba to be the master
    22.9. Making samba the domain master
    22.10. Note about broadcast addresses
    22.11. Multiple interfaces
    21. 23. Securing Samba
    21.1. 23.1. Introduction
    21.2. 23.2. Using host based protection
    21.3. 23.3. Using interface protection
    21.4. 23.4. Using a firewall
    21.5. 23.5. Using a IPC$ share deny
    21.6. 23.6. Upgrading Samba
    22. 24. Unicode/Charsets
    22.1. 24.1. What are charsets and unicode?
    22.2. 24.2. Samba and charsets
    NextSystem PoliciesUNIX Permission Bits and Windows NT Access Control Lists
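Review bot: the chapter 15 title in the regenerated table of contents is spelled "Advanced Network Manangement". Since this file is generated, the fix belongs in the source document's chapter title ("Management"), followed by another regeneration.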
    Chapter 25. Samba and other CIFS clients

    Chapter 29. Samba and other CIFS clients

    This chapter contains client-specific information.

    25.1. Macintosh clients?29.1. Macintosh clients?

    Yes.

    25.2. OS2 Client29.2. OS2 Client

    25.2.1. How can I configure OS/2 Warp Connect or +NAME="AEN4207" +>29.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

    25.2.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN4222" +>29.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?

    25.2.3. Are there any other issues when OS/2 (any version) +NAME="AEN4231" +>29.2.3. Are there any other issues when OS/2 (any version) is used as a client?

    25.2.4. How do I get printer driver download working +NAME="AEN4235" +>29.2.4. How do I get printer driver download working for OS/2 clients?

    25.3. Windows for Workgroups29.3. Windows for Workgroups

    25.3.1. Use latest TCP/IP stack from Microsoft29.3.1. Use latest TCP/IP stack from Microsoft

    Use the latest TCP/IP stack from microsoft if you use Windows @@ -338,8 +338,8 @@ CLASS="SECT2" >

    25.3.2. Delete .pwl files after password change29.3.2. Delete .pwl files after password change

    WfWg does a lousy job with passwords. I find that if I change my @@ -358,8 +358,8 @@ CLASS="SECT2" >

    25.3.3. Configure WfW password handling29.3.3. Configure WfW password handling

    There is a program call admincfg.exe @@ -377,8 +377,8 @@ CLASS="SECT2" >

    25.3.4. Case handling of passwords29.3.4. Case handling of passwords

    Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the

    25.3.5. Use TCP/IP as default protocol29.3.5. Use TCP/IP as default protocol

    To support print queue reporting you may find @@ -411,8 +411,8 @@ CLASS="SECT1" >

    25.4. Windows '95/'9829.4. Windows '95/'98

    When using Windows 95 OEM SR2 the following updates are recommended where Samba @@ -459,8 +459,8 @@ CLASS="SECT1" >

    25.5. Windows 2000 Service Pack 229.5. Windows 2000 Service Pack 2

    @@ -526,15 +526,49 @@ for the profile. This default ACL includes

    DOMAIN\user "Full Control"

    NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users.

    This bug does not occur when using winbind to +create accounts on the Samba host for Domain users.

    29.6. Windows NT 3.1

    If you have problems communicating across routers with Windows +NT 3.1 workstations, read this Microsoft Knowledge Base article.

    Configuring PAM for distributed but centrally -managed authenticationPAM Configuration for Centrally Managed AuthenticationPrevNextChapter 13. Configuring PAM for distributed but centrally -managed authenticationChapter 18. PAM Configuration for Centrally Managed Authentication

    13.1. Samba and PAM18.1. Samba and PAM

    A number of Unix systems (eg: Sun Solaris), as well as the @@ -150,7 +148,7 @@ CLASS="FILENAME"

    	eg: "auth       required      /other_path/pam_strange_module.so"
    +>	auth       required      /other_path/pam_strange_module.so
     	

    PAM allows use of replacable modules. Those available on a sample system include:

    $/bin/ls /lib/security
    +
    	$ /bin/ls /lib/security
    -	pam_access.so    pam_ftp.so          pam_limits.so     
    +>	pam_access.so    pam_ftp.so          pam_limits.so     
     	pam_ncp_auth.so  pam_rhosts_auth.so  pam_stress.so     
     	pam_cracklib.so  pam_group.so        pam_listfile.so   
     	pam_nologin.so   pam_rootok.so       pam_tally.so      
    @@ -289,10 +293,10 @@ CLASS="PROGRAMLISTING"
     >	#%PAM-1.0
     	# The PAM configuration file for the `samba' service
     	#
    -	auth       required     /lib/security/pam_pwdb.so nullok nodelay shadow audit
    -	account    required     /lib/security/pam_pwdb.so audit nodelay
    -	session    required     /lib/security/pam_pwdb.so nodelay
    -	password   required     /lib/security/pam_pwdb.so shadow md5

    In the following example the decision has been made to use the @@ -306,10 +310,10 @@ CLASS="PROGRAMLISTING" > #%PAM-1.0 # The PAM configuration file for the `samba' service # - auth required /lib/security/pam_smbpass.so nodelay - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf

    13.2. Distributed Authentication18.2. Distributed Authentication

    The astute administrator will realize from this that the @@ -385,8 +389,8 @@ CLASS="SECT1" >

    13.3. PAM Configuration in smb.conf18.3. PAM Configuration in smb.conf

    There is an option in smb.conf called PrevNextGroup mapping HOWTODesktop Profile ManagementPrinting SupportStackable VFS modules

    3.1. Introduction

    3.2. Important Notes About Security

    3.2.1. Advantages of SMB Encryption

    Encrypted password support allows auto-matic share +>Encrypted password support allows automatic share (resource) reconnects.

    3.2.2. Advantages of non-encrypted passwords

    3.3. The smbpasswd Command

    3.4. Plain text

    3.5. TDB

    3.6. LDAP

    3.6.1. Introduction

    3.6.2. Introduction

    3.6.3. Supported LDAP Servers

    samba-patches@samba.org and jerry@samba.org.

    3.6.4. Schema and Relationship to the RFC 2307 posixAccount

    jerry@samba.org

    3.6.5. Configuring Samba with LDAP

    3.6.5.1. OpenLDAP configuration

    root# cp samba.schema /etc/openldap/schema/cp samba.schema /etc/openldap/schema/

    Next, include the

    3.6.5.2. Configuring Samba

    3.6.6. Accounts and Groups management

    3.6.7. Security and sambaAccount

    3.6.8. LDAP specials attributes for sambaAccounts

    3.6.9. Example LDIF Entries for a sambaAccount

    3.7. MySQL

    3.7.1. Building

    To build the plugin, run make bin/pdb_mysql.so -in the source/ directory of samba distribution.

    Next, copy pdb_mysql.so to any location you want. I -strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/

    3.7.2. Creating the database3.7.1. Creating the database

    You either can set up your own table and specify the field names to pdb_mysql (see below @@ -1403,8 +1382,8 @@ CLASS="SECT2" >

    3.7.3. Configuring3.7.2. Configuring

    This plugin lacks some good documentation, but here is some short info:

    :
    passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]
    passdb backend = [other-plugins] mysql:identifier [other-plugins]

    The identifier can be any string you like, as long as it doesn't collide with @@ -1514,8 +1493,8 @@ CLASS="SECT2" >

    3.7.4. Using plaintext passwords or encrypted password3.7.3. Using plaintext passwords or encrypted password

    I strongly discourage the use of plaintext passwords, however, you can use them:

    3.7.5. Getting non-column data from the table3.7.4. Getting non-column data from the table

    It is possible to have not all data in the database and making some 'constant'.

    3.8. Passdb XML plugin3.8. XML

    3.8.1. Building

    This module requires libxml2 to be installed.

    To build pdb_xml, run: make bin/pdb_xml.so in -the directory source/.

    3.8.2. Usage

    The usage of pdb_xml is pretty straightforward. To export data, use: -pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filenamepdbedit -e xml:filename (where filename is the name of the file to put the data in)

    To import data, use: -pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdbpdbedit -i xml:filename -e current-pdb Where filename is the name to read the data from and current-pdb to put it in.
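Review bot: in the MySQL and XML backend sections the documented syntax changes from plugin:/location/to/pdb_mysql.so:identifier to mysql:identifier, and from pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename to xml:filename, while the MySQL Building subsection is dropped. Nothing in the visible text says whether the old plugin: form is still accepted. A sentence stating that, placed next to the new passdb backend line, would tell an administrator with the old value in smb.conf what to change.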

    DESCRIPTION

    OPTIONS

    -g

    If you specify -g, + then -i in-backend -e out-backend + applies to the group mapping instead of the user database. + +

    This option will ease migration from one passdb backend to + another and will ease backing up.

    -g

    If you specify -g, + then -i in-backend -e out-backend + applies to the group mapping instead of the user database. + +

    This option will ease migration from one passdb backend to + another and will ease backing up.

    -b passdb-backend

    -V account-policy-value
    -C account-policy-value

    Sets an account policy to a specified value. @@ -380,7 +418,7 @@ CLASS="PARAMETER" >

    Example: pdbedit -P "bad lockout attempt" -V 3pdbedit -P "bad lockout attempt" -C 3

    -h|--help

    Print a summary of command line options.

    -V

    Prints the version number for +smbd.
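
Review bot: the pdbedit option letters are reassigned here without any compatibility note. The account-policy value moves from -V to -C (the example becomes `pdbedit -P "bad lockout attempt" -C 3`), and -V is now documented as printing the version number. Going by this page, a script that still uses the old `-V 3` form would no longer be setting the lockout policy, so the -C entry should state that it replaces the earlier -V.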

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    file.

    -h|--help
    -l|--logfile=logbasename

    Print a summary of command line options.

    -s <configuration file>

    The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See smb.conf(5) for more information. -The default configuration file name is determined at -compile time.

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    NOTES

    VERSION

    SEE ALSO

    AUTHOR

    Chapter 24. PortabilityChapter 28. Portability

    Samba works on a wide range of platforms but the interface all the platforms provide is not always compatible. This chapter contains @@ -84,8 +84,8 @@ CLASS="SECT1" >

    24.1. HPUX28.1. HPUX

    HP's implementation of supplementary groups is, er, non-standard (for @@ -114,8 +114,8 @@ CLASS="SECT1" >

    24.2. SCO Unix28.2. SCO Unix

    @@ -131,8 +131,8 @@ CLASS="SECT1" >

    24.3. DNIX28.3. DNIX

    DNIX has a problem with seteuid() and setegid(). These routines are @@ -238,8 +238,8 @@ CLASS="SECT1" >

    24.4. RedHat Linux Rembrandt-II28.4. RedHat Linux Rembrandt-II

    By default RedHat Rembrandt-II during installation adds an @@ -262,16 +262,16 @@ CLASS="SECT1" >

    24.5. AIX28.5. AIX

    24.5.1. Sequential Read Ahead28.5.1. Sequential Read Ahead

    Disabling Sequential Read Ahead using "vmtune -r 0" improves diff --git a/docs/htmldocs/printing.html b/docs/htmldocs/printing.html index 7834e0d884..d30fa88b70 100644 --- a/docs/htmldocs/printing.html +++ b/docs/htmldocs/printing.html @@ -13,9 +13,8 @@ REL="UP" TITLE="Advanced Configuration" HREF="optional.html">PrevChapter 14. Printing SupportChapter 12. Printing Support

    14.1. Introduction12.1. Introduction

    Beginning with the 2.2.0 release, Samba supports @@ -164,8 +163,8 @@ CLASS="SECT1" >

    14.2. Configuration12.2. Configuration

    14.2.1. Creating [print$]12.2.1. Creating [print$]

    In order to support the uploading of printer driver @@ -353,14 +352,14 @@ Samba follows this model as well.

    Next create the directory tree below the [print$] share for each architecture you wish to support.

    [print$]-----
             |-W32X86           ; "Windows NT x86"
             |-WIN40            ; "Windows 95/98"
             |-W32ALPHA         ; "Windows NT Alpha_AXP"
             |-W32MIPS          ; "Windows NT R4000"
    -        |-W32PPC           ; "Windows NT PowerPC"

    14.2.2. Setting Drivers for Existing Printers12.2.2. Setting Drivers for Existing Printers

    The initial listing of printers in the Samba host's @@ -515,8 +514,8 @@ CLASS="SECT2" >

    14.2.3. Support a large number of printers12.2.3. Support a large number of printers

    One issue that has arisen during the development @@ -535,13 +534,16 @@ setdriver command

     
    -$ rpcclient pogo -U root%secret -c "enumdrivers"
    +>rpcclient pogo -U root%secret -c "enumdrivers"
    +
     
     Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
      
     [Windows NT x86]
    @@ -552,27 +554,34 @@ Printer Driver Info 1:
          Driver Name: [HP LaserJet 2100 Series PS]
      
     Printer Driver Info 1:
    -     Driver Name: [HP LaserJet 4Si/4SiMX PS]
    -				  
    +     Driver Name: [HP LaserJet 4Si/4SiMX PS]
    $ rpcclient pogo -U root%secret -c "enumprinters" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] +>rpcclient pogo -U root%secret -c "enumprinters" +
    Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
          flags:[0x800000]
          name:[\\POGO\hp-print]
          description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
          comment:[]
    -				  
    +				  
    $ rpcclient pogo -U root%secret \ -> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] +>rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" +
    Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
     Successfully set hp-print to driver HP LaserJet 4000 Series PS.
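
Review bot: all three example commands in this listing still pass the root password on the command line (`-U root%secret`). The rpcclient manual page regenerated in this same commit advises against that, because the command line of a running process may be seen via ps. Since the listing is being reworked anyway, consider changing the chapter source to show `-U root` with the password prompt, or the -A credentials file.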

    14.2.4. Adding New Printers via the Windows NT APW12.2.4. Adding New Printers via the Windows NT APW

    By default, Samba offers all printer shares defined in

    14.2.5. Samba and Printer Ports12.2.5. Samba and Printer Ports

    Windows NT/2000 print servers associate a port with each printer. These normally @@ -771,8 +780,8 @@ CLASS="SECT1" >

    14.3. The Imprints Toolset12.3. The Imprints Toolset

    The Imprints tool set provides a UNIX equivalent of the @@ -789,8 +798,8 @@ CLASS="SECT2" >

    14.3.1. What is Imprints?12.3.1. What is Imprints?

    Imprints is a collection of tools for supporting the goals @@ -821,8 +830,8 @@ CLASS="SECT2" >

    14.3.2. Creating Printer Driver Packages12.3.2. Creating Printer Driver Packages

    The process of creating printer driver packages is beyond @@ -837,8 +846,8 @@ CLASS="SECT2" >

    14.3.3. The Imprints server12.3.3. The Imprints server

    The Imprints server is really a database server that @@ -861,8 +870,8 @@ CLASS="SECT2" >

    14.3.4. The Installation Client12.3.4. The Installation Client

    More information regarding the Imprints installation client @@ -955,16 +964,16 @@ CLASS="SECT1" >

    14.4. Diagnosis12.4. Diagnosis

    14.4.1. Introduction12.4.1. Introduction

    This is a short description of how to debug printing problems with @@ -1038,8 +1047,8 @@ CLASS="SECT2" >

    14.4.2. Debugging printer problems12.4.2. Debugging printer problems

    One way to debug printing problems is to start by replacing these @@ -1095,8 +1104,8 @@ CLASS="SECT2" >

    14.4.3. What printers do I have?12.4.3. What printers do I have?

    You can use the 'testprns' program to check to see if the printer @@ -1124,8 +1133,8 @@ CLASS="SECT2" >

    14.4.4. Setting up printcap and print servers12.4.4. Setting up printcap and print servers

    You may need to set up some printcaps for your Samba system to use. @@ -1208,8 +1217,8 @@ CLASS="SECT2" >

    14.4.5. Job sent, no output12.4.5. Job sent, no output

    This is the most frustrating part of printing. You may have sent the @@ -1253,8 +1262,8 @@ CLASS="SECT2" >

    14.4.6. Job sent, strange output12.4.6. Job sent, strange output

    Once you have the job printing, you can then start worrying about @@ -1299,8 +1308,8 @@ CLASS="SECT2" >

    14.4.7. Raw PostScript printed12.4.7. Raw PostScript printed

    This is a problem that is usually caused by either the print spooling @@ -1314,8 +1323,8 @@ CLASS="SECT2" >

    14.4.8. Advanced Printing12.4.8. Advanced Printing

    Note that you can do some pretty magic things by using your @@ -1330,8 +1339,8 @@ CLASS="SECT2" >

    14.4.9. Real debugging12.4.9. Real debugging

    If the above debug tips don't help, then maybe you need to bring in @@ -1355,7 +1364,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevConfiguring PAM for distributed but centrally -managed authenticationConfiguring Group Mapping.

    -A|--authfile=filename
    -c|--command='command string'

    This option allows - you to specify a file from which to read the username and - password used in the connection. The format of the file is -

    execute semicolon separated commands (listed + below))

    -I IP-address

    username = <value> 
    -password = <value>
    -domain   = <value>

    IP address is the address of the server to connect to. + It should be specified in standard "a.b.c.d" notation.

    Make certain that the permissions on the file restrict - access from unwanted users.

    Normally the client would attempt to locate a named + SMB/CIFS server by looking it up via the NetBIOS name resolution + mechanism described above in the name resolve order + parameter above. Using this parameter will force the client + to assume that the server is on the machine with the specified IP + address and the NetBIOS name component of the resource being + connected to will be ignored.

    There is no default for this parameter. If not supplied, + it will be determined automatically by the client as described + above.

    -c|--command='command string'
    -V

    execute semicolon separated commands (listed - below))

    Prints the version number for +smbd.

    -h|--help
    -s <configuration file>

    Print a summary of command line options.

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.
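
Review bot: the -V and -s text added here is written for the server, not for rpcclient. It reads "Prints the version number for smbd" and "configuration details required by the server ... descriptions of all the services that the server is to provide", yet the surrounding entries are the rpcclient options. The -i entry added further down has the same problem ("a NetBIOS scope that nmblookup will use"). If these paragraphs come from a shared source, it should use the program's own name or neutral wording.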

    -d|--debug=debuglevel
    file.

    -I IP-address
    -l|--logfile=logbasename

    IP address is the address of the server to connect to. - It should be specified in standard "a.b.c.d" notation.

    Normally the client would attempt to locate a named - SMB/CIFS server by looking it up via the NetBIOS name resolution - mechanism described above in the name resolve order - parameter above. Using this parameter will force the client - to assume that the server is on the machine with the specified IP - address and the NetBIOS name component of the resource being - connected to will be ignored.

    There is no default for this parameter. If not supplied, - it will be determined automatically by the client as described - above.

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -l|--logfile=logbasename
    -N

    File name for log/debug files. The extension - '.client' will be appended. The log file is - never removed by the client. -

    If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password.

    Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.

    -N|--nopass
    -k

    instruct rpcclient not to ask - for a password. By default, rpcclient will - prompt for a password. See also the -U - option.

    Try to authenticate with kerberos. Only useful in +an Active Directory environment.

    -s|--conf=smb.conf
    -A|--authfile=filename

    Specifies the location of the all-important - smb.conf file.

    This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is

    username = <value>
    +password = <value>
    +domain   = <value>

    Make certain that the permissions on the file restrict +access from unwanted users.

    -U|--user=username[%password]

    Sets the SMB username or username and password.

    If %password is not specified, the user will be prompted. The - client will first check the If %password is not specified, the user will be prompted. The +client will first check the USER environment variable, then the - environment variable, then the +LOGNAME variable and if either exists, the - string is uppercased. If these environmental variables are not - found, the username variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username GUEST is used.

    A third option is to use a credentials file which - contains the plaintext of the username and password. This - option is mainly provided for scripts where the admin does not - wish to pass the credentials on the command line or via environment - variables. If this method is used, make certain that the permissions - on the file restrict access from unwanted users. See the - A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +-A for more details.

    Be cautious about including passwords in scripts. Also, on - many systems the command line of a running process may be seen - via the Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the ps command. To be safe always allow - command. To be safe always allow +rpcclient to prompt for a password and type - it in directly.

    to prompt for a password and type +it in directly.

    -n <primary NetBIOS name>

    This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the NetBIOS +name parameter in the smb.conf(5) file. However, a command +line setting will take precedence over settings in +smb.conf(5).

    -i <scope>

    This specifies a NetBIOS scope that +nmblookup will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +very rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.

    -W|--workgroup=domain

    Set the SMB domain of the username. This - overrides the default domain which is the domain defined in - smb.conf. If the domain specified is the same as the server's NetBIOS name, - it causes the client to log on using the server's local SAM (as - opposed to the Domain SAM).

    Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM).
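
Review bot: the replacement -W paragraph loses the possessive apostrophes that the removed text had. "the server's NetBIOS name" and "the server's local SAM" become "the servers NetBIOS name" and "the servers local SAM". Restore "server's" in both places in the source for this option.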

    -O socket options

    TCP socket options to set on the client +socket. See the socket options parameter in +the smb.conf(5) manual page for the list of valid +options.

    -h|--help

    Print a summary of command line options.

    COMMANDS

    LSARPC

    LSARPC

    • lsaquery

      lsaquery

    • Query info policy

      lookupsids

      lookupsids - Resolve a list +>Resolve a list of SIDs to usernames.

    • lookupnames

      lookupnames - Resolve a list +>Resolve a list of usernames to SIDs.

    • enumtrusts

      Enumerate trusted domains

      enumprivs

      Enumerate privileges

      getdispname

      Get the privilege name

      lsaenumsid

      Enumerate the LSA SIDS

      lsaenumprivsaccount

      Enumerate the privileges of an SID

      lsaenumacctrights

      Enumerate the rights of an SID

      lsaenumacctwithright

      Enumerate accounts with a right

      lsaaddacctrights

      Add rights to an account

      lsaremoveacctrights

      Remove rights from an account

      lsalookupprivvalue

      Get a privilege value given its name

      lsaquerysecobj

      Query LSA security object

    LSARPC-DS

    enumtrusts

    dsroledominfo

    Get Primary Domain Information

    SAMRDFS

    • dfsexist

      Query DFS support

      dfsadd

      Add a DFS share

      dfsremove

      Remove a DFS share

      dfsgetinfo

      Query DFS share info

      dfsenum

      Enumerate dfs shares

    REG

    queryuser

  • shutdown

    Remote Shutdown

    abortshutdown

    Abort Shutdown

  • SRVSVC

    srvinfo

    Server query info

    netshareenum

    Enumerate shares

    netfileenum

    Enumerate open files

    netremotetod

    Fetch remote time of day

    SAMR

    querygroup

  • queryuser

    Query user info

    querygroup

    Query group info

    queryusergroups

    Query user groups

    querygroupmem

    Query group membership

    queryaliasmem

    Query alias membership

    querydispinfo

    Query display info

    querydominfo

    Query domain info

    enumdomusers

    queryusergroups

  • Enumerate domain users

    enumdomgroups

    querygroupmem

  • Enumerate domain groups

    enumalsgroups

    queryaliasmem

  • Enumerate alias groups

    createdomuser

    querydispinfo

  • Create domain user

    samlookupnames

    querydominfo

  • Look up names

    samlookuprids

    enumdomgroups

  • Look up names

    deletedomuser

    Delete domain user

    samquerysecobj

    SPOOLSS

    Query SAMR security object

    getdompwinfo

    Retrieve domain password info

    SPOOLSS

    • adddriver <arch> <config>

      adddriver <arch> <config> - - Execute an AddPrinterDriver() RPC to install the printer driver +> Execute an AddPrinterDriver() RPC to install the printer driver information on the server. Note that the driver files should already exist in the directory returned by

    • addprinter <printername> - <sharename> <drivername> <port> - - Add a printer on the remote server. This printer + <sharename> <drivername> <port>

      Add a printer on the remote server. This printer will be automatically shared. Be aware that the printer driver must already be installed on the server (see enumports.

    • deldriver

      deldriver - Delete the +>Delete the specified printer driver for all architectures. This does not delete the actual driver files from the server, only the entry from the server's list of drivers.

    • enumdata

      enumdata - Enumerate all +>Enumerate all printer setting data stored on the server. On Windows NT clients, these values are stored in the registry, while Samba servers store them in the printers TDB. This command corresponds to the MS Platform SDK GetPrinterData() function (* This command is currently unimplemented).

    • enumdataex

      enumjobs <printer> - - List the jobs and status of a given printer. +>Enumerate printer data for a key

      enumjobs <printer>

      List the jobs and status of a given printer. This command corresponds to the MS Platform SDK EnumJobs() - function (* This command is currently unimplemented).

    • enumkey

      enumports [level] - - Executes an EnumPorts() call using the specified +>Enumerate printer keys

      enumports [level]

      Executes an EnumPorts() call using the specified info level. Currently only info levels 1 and 2 are supported.

    • enumdrivers [level]

      enumdrivers [level] - - Execute an EnumPrinterDrivers() call. This lists the various installed +> Execute an EnumPrinterDrivers() call. This lists the various installed printer drivers for all architectures. Refer to the MS Platform SDK documentation for more details of the various flags and calling options. Currently supported info levels are 1, 2, and 3.

    • enumprinters [level]

      enumprinters [level] - - Execute an EnumPrinters() call. This lists the various installed +>Execute an EnumPrinters() call. This lists the various installed and share printers. Refer to the MS Platform SDK documentation for more details of the various flags and calling options. Currently supported info levels are 0, 1, and 2.

    • getdata <printername> <valuename;>

      getdata <printername> - - Retrieve the data for a given printer setting. See +>Retrieve the data for a given printer setting. See the enumdata command for more information. This command corresponds to the GetPrinterData() MS Platform - SDK function (* This command is currently unimplemented).

    • getdataex

      getdriver <printername> - - Retrieve the printer driver information (such as driver file, +>Get printer driver data with keyname

      getdriver <printername>

      Retrieve the printer driver information (such as driver file, config file, dependent files, etc...) for the given printer. This command corresponds to the GetPrinterDriver() MS Platform SDK function. Currently info level 1, 2, and 3 are supported.

    • getdriverdir <arch>

      getdriverdir <arch> - - Execute a GetPrinterDriverDirectory() +> Execute a GetPrinterDriverDirectory() RPC to retrieve the SMB share name and subdirectory for storing printer driver files for a given architecture. Possible values for are "Windows 4.0" (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows Alpha_AXP", and "Windows NT R4000".

    • getprinter <printername>

      getprinter <printername> - - Retrieve the current printer information. This command +>Retrieve the current printer information. This command corresponds to the GetPrinter() MS Platform SDK function.

    • getprintprocdir

      openprinter <printername> - - Execute an OpenPrinterEx() and ClosePrinter() RPC - against a given printer.

    • Get print processor directory

      openprinter <printername>

      Execute an OpenPrinterEx() and ClosePrinter() RPC + against a given printer.

      setdriver <printername> - <drivername> - - Execute a SetPrinter() command to update the printer driver + <drivername>

      Execute a SetPrinter() command to update the printer driver associated with an installed printer. The printer driver must already be correctly installed on the print server.

      enumdrivers commands for obtaining a list of of installed printers and drivers.

    addform

    Add form

    setform

    Set form

    getform

    Get form

    deleteform

    Delete form

    enumforms

    Enumerate form

    setprinter

    Set printer comment

    setprinterdata

    Set REG_SZ printer data

    rffpcnex

    Rffpcnex test

    NETLOGON

    GENERAL OPTIONS

    logonctrl2

    Logon Control 2

    logonctrl

    Logon Control

    samsync

    Sam Synchronisation

    samdeltas

    Query Sam Deltas

    samlogon

    Sam Logon

    GENERAL COMMANDS

    • debuglevel

      debuglevel - Set the current +>Set the current debug level used to log information.

    • help (?)

      help (?) - Print a listing of all +>Print a listing of all known commands or extended help on a particular command.

    • quit (exit)

      quit (exit) - Exit Exit rpcclient .

    BUGS

    VERSION

    Edited by

    John H Terpstra

    Jelmer Vernooij

    Gerald (Jerry) Carter

    Abstract

    Last Update : Wed Jan 15

    This book is a collection of HOWTOs added to Samba documentation over the years. I try to ensure that all are current, but sometimes the is a larger job @@ -69,6 +90,17 @@ TARGET="_top" >jelmer@samba.org.

    This documentation is distributed under the GNU General Public License (GPL) version 2. A copy of the license is included with the Samba source distribution. A copy can be found on-line at http://www.fsf.org/licenses/gpl.txt

    Cheers, jerry


    1.1. Obtaining and installing samba
    1.2. Configuring samba
    1.3. Try listing the shares available on your server
    1.4. Try connecting with the unix client
    1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client
    1.6. What If Things Don't Work?
    2.1. Discussion
    2.2. How browsing functions and how to deploy stable and dependable browsing using Samba
    2.3. Use of the "Remote Announce" parameterUse of the Remote Announce parameter
    2.4. Use of the "Remote Browse Sync" parameterUse of the Remote Browse Sync parameter
    2.5. Use of WINS
    2.6. Do NOT use more than one (1) protocol on MS Windows machines
    2.7. Name Resolution Order
    3.1. Introduction
    3.2. Important Notes About Security
    3.3. The smbpasswd Command
    3.4. Plain text
    3.5. TDB
    3.6. LDAP
    3.7. MySQL
    3.8. Passdb XML pluginXML
    4.1. Stand Alone Server
    4.2. Domain Member Server
    4.3. Domain Controller
    5.1. User and Share security level
    6.1. Prerequisite Reading
    6.2. Background
    6.3. Configuring the Samba Domain Controller
    6.4. Creating Machine Trust Accounts and Joining Clients to the Domain
    6.5. Common Problems and Errors
    6.6. What other help can I get?
    6.7. Domain Control for Windows 9x/ME
    7.1. Prerequisite Reading
    7.2. Background
    7.3. What qualifies a Domain Controller on the network?
    7.4. Can Samba be a Backup Domain Controller to an NT PDC?
    7.5. How do I set up a Samba BDC?
    8.1. Setup your smb.conf
    8.2. Setup your /etc/krb5.conf
    8.3. Create the computer account
    8.4. Test your server setup
    8.5. Testing with smbclient
    8.6. Notes
    9.1. Joining an NT Domain with Samba 3.0
    9.2. Why is this better than security = server?
    10. System Policies
    10.1. Basic System Policy Info
    10.2. Roaming Profiles
    11. UNIX Permission Bits and Windows NT Access Control Lists
    11.1. 10.1. Viewing and changing UNIX permissions using the NT security dialogs
    11.2. 10.2. How to view file security on a Samba share
    11.3. 10.3. Viewing file ownership
    11.4. 10.4. Viewing file or directory permissions
    11.5. 10.5. Modifying file or directory permissions
    11.6. 10.6. Interaction with the standard Samba create mask parameters
    11.7. 10.7. Interaction with the standard Samba file attribute mapping
    12. 11. Group mapping HOWTO
    13. Configuring PAM for distributed but centrally -managed authenticationConfiguring Group Mapping
    13.1. Samba and PAM
    13.2. Distributed Authentication
    13.3. PAM Configuration in smb.conf
    14. 12. Printing Support
    14.1. 12.1. Introduction
    14.2. 12.2. Configuration
    14.3. 12.3. The Imprints Toolset
    14.4. 12.4. Diagnosis
    15. 13. CUPS Printing Support
    15.1. 13.1. Introduction
    15.2. CUPS - RAW Print Through Mode13.2. Configuring smb.conf for CUPS
    15.3. 13.3. CUPS - RAW Print Through Mode
    13.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients
    13.5. Windows Terminal Servers (WTS) as CUPS clients
    13.6. Setting up CUPS for driver download
    13.7. Sources of CUPS drivers / PPDs
    13.8. The CUPS Filter Chains
    15.4. 13.9. CUPS Print Drivers and Devices
    15.5. 13.10. Limiting the number of pages users can print
    15.6. 13.11. Advanced Postscript Printing from MS Windows
    15.7. 13.12. Auto-Deletion of CUPS spool files
    16. 14. Unified Logons between Windows NT and UNIX using Winbind
    16.1. 14.1. Abstract
    16.2. 14.2. Introduction
    16.3. 14.3. What Winbind Provides
    16.4. 14.4. How Winbind Works
    16.5. 14.5. Installation and Configuration
    16.6. 14.6. Limitations
    16.7. 14.7. Conclusion
    17. Integrating MS Windows networks with Samba15. Advanced Network Manangement
    17.1. Name Resolution in a pure Unix/Linux world15.1. Configuring Samba Share Access Controls
    17.2. Name resolution as used within MS Windows networking15.2. Remote Server Administration
    15.3. Network Logon Script Magic
    18. Improved browsing in samba16. System and Account Policies
    18.1. Overview of browsing16.1. Creating and Managing System Policies
    18.2. Browsing support in samba16.2. Managing Account/User Policies
    18.3. Problem resolution17. Desktop Profile Management
    18.4. Browsing across subnets17.1. Roaming Profiles
    18.5. Setting up a WINS server17.2. Mandatory profiles
    18.6. Setting up Browsing in a WORKGROUP17.3. Creating/Managing Group Profiles
    18.7. Setting up Browsing in a DOMAIN17.4. Default Profile for Windows Users
    18.8. Forcing samba to be the master18. PAM Configuration for Centrally Managed Authentication
    18.9. Making samba the domain master18.1. Samba and PAM
    18.10. Note about broadcast addresses18.2. Distributed Authentication
    18.11. Multiple interfaces18.3. PAM Configuration in smb.conf
    19. Hosting a Microsoft Distributed File System tree on SambaStackable VFS modules
    19.1. InstructionsIntroduction and configuration
    19.2. Included modules
    19.3. VFS modules available elsewhere
    20. Stackable VFS modulesHosting a Microsoft Distributed File System tree on Samba
    20.1. Introduction and configurationInstructions
    21. Integrating MS Windows networks with Samba
    20.2. Included modules21.1. Name Resolution in a pure Unix/Linux world
    20.3. VFS modules available elsewhere21.2. Name resolution as used within MS Windows networking
    21. 22. Improved browsing in samba
    22.1. Overview of browsing
    22.2. Browsing support in samba
    22.3. Problem resolution
    22.4. Browsing across subnets
    22.5. Setting up a WINS server
    22.6. Setting up Browsing in a WORKGROUP
    22.7. Setting up Browsing in a DOMAIN
    22.8. Forcing samba to be the master
    22.9. Making samba the domain master
    22.10. Note about broadcast addresses
    22.11. Multiple interfaces
    23. Securing Samba
    21.1. 23.1. Introduction
    21.2. 23.2. Using host based protection
    21.3. 23.3. Using interface protection
    21.4. 23.4. Using a firewall
    21.5. 23.5. Using a IPC$ share deny
    21.6. 23.6. Upgrading Samba
    22. 24. Unicode/Charsets
    22.1. 24.1. What are charsets and unicode?
    22.2. 24.2. Samba and charsets
    23. 25. SWAT - The Samba Web Admininistration Tool
    25.1. SWAT Features and Benefits
    26. Migration from NT4 PDC to Samba-3 PDC
    26.1. Planning and Getting Started
    26.2. Managing Samba-3 Domain Control
    27. Samba performance issues
    23.1. 27.1. Comparisons
    23.2. 27.2. Socket options
    23.3. 27.3. Read size
    23.4. 27.4. Max xmit
    23.5. 27.5. Log level
    23.6. 27.6. Read raw
    23.7. 27.7. Write raw
    23.8. 27.8. Slow Clients
    23.9. 27.9. Slow Logins
    23.10. 27.10. Client tuning
    24. 28. Portability
    24.1. 28.1. HPUX
    24.2. 28.2. SCO Unix
    24.3. 28.3. DNIX
    24.4. 28.4. RedHat Linux Rembrandt-II
    24.5. 28.5. AIX
    25. 29. Samba and other CIFS clients
    25.1. 29.1. Macintosh clients?
    25.2. 29.2. OS2 Client
    25.3. 29.3. Windows for Workgroups
    25.4. 29.4. Windows '95/'98
    25.5. 29.5. Windows 2000 Service Pack 2
    29.6. Windows NT 3.1
    26. 30. How to compile SAMBA
    26.1. 30.1. Access Samba source code via CVS
    26.2. 30.2. Accessing the samba sources via rsync and ftp
    26.3. 30.3. Building the Binaries
    26.4. 30.4. Starting the smbd and nmbd
    27. 31. Reporting Bugs
    27.1. 31.1. Introduction
    27.2. 31.2. General info
    27.3. 31.3. Debug levels
    27.4. 31.4. Internal errors
    27.5. 31.5. Attaching to a running process
    27.6. 31.6. Patches
    28. 32. The samba checklist
    28.1. 32.1. Introduction
    28.2. 32.2. Assumptions
    28.3. Tests32.3. The tests
    28.4. 32.4. Still having troubles?
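
Review bot: two chapter titles in the regenerated table of contents are misspelled. The new entry "15. Advanced Network Manangement" should read "Management", and "SWAT - The Samba Web Admininistration Tool" should read "Administration". Both need fixing in the chapter sources so that the next regeneration picks them up.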

    6.1. Prerequisite Reading

    6.2. Background

    6.3. Configuring the Samba Domain Controller

    Encrypted passwords must be enabled. For more details on how to do this, refer to ENCRYPTION.html.

    6.4. Creating Machine Trust Accounts and Joining Clients to the Domain

    6.4.1. Manual Creation of Machine Trust Accounts

    6.4.2. "On-the-Fly" Creation of Machine Trust Accounts

    6.4.3. Joining the Client to the Domain

    6.5. Common Problems and Errors

    6.6. What other help can I get?

    6.7. Domain Control for Windows 9x/ME

    6.7.1. Configuration Instructions: Network Logons

    PrevChapter 21. Securing SambaChapter 23. Securing Samba

    21.1. Introduction23.1. Introduction

    This note was attached to the Samba 2.2.8 release notes as it contained an @@ -93,8 +93,8 @@ CLASS="SECT1" >

    21.2. Using host based protection23.2. Using host based protection

    In many installations of Samba the greatest threat comes for outside @@ -125,8 +125,8 @@ CLASS="SECT1" >

    21.3. Using interface protection23.3. Using interface protection

    By default Samba will accept connections on any network interface that @@ -161,8 +161,8 @@ CLASS="SECT1" >

    21.4. Using a firewall23.4. Using a firewall

    Many people use a firewall to deny access to services that they don't @@ -191,8 +191,8 @@ CLASS="SECT1" >

    21.5. Using a IPC$ share deny23.5. Using a IPC$ share deny

    If the above methods are not suitable, then you could also place a @@ -230,8 +230,8 @@ CLASS="SECT1" >

    21.6. Upgrading Samba23.6. Upgrading Samba

    Please check regularly on http://www.samba.org/ for updates and @@ -256,7 +256,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevStackable VFS modulesImproved browsing in samba

    5.1. User and Share security level

    5.1.1. User Level Security

    5.1.2. Share Level Security

    5.1.3. Server Level Security

    5.1.3.1. Configuring Samba for Seemless Windows Network Integration

    5.1.3.2. Use MS Windows NT as an authentication server

    5.1.4. Domain Level Security

    5.1.4.1. Samba as a member of an MS Windows NT security domain

    5.1.5. ADS Level Security

    NOTE: On SYSV systems which use lpstat to determine what +>

    On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use "printcap name = lpstat" to automatically obtain a list of printers. See the "printcap name" option for more details.

    PARAMETERS

    VARIABLE SUBSTITUTIONS

    NAME MANGLING

    NOTE ABOUT USERNAME/PASSWORD VALIDATION

    COMPLETE LIST OF GLOBAL PARAMETERS

  • ldap delete dn

  • preload modules

  • server schannel

  • set primary group script

  • COMPLETE LIST OF SERVICE PARAMETERS

    EXPLANATION OF EACH PARAMETER

    See the discussion in the section NAME MANGLING.

    See the section on NAME MANGLING. Also note the

    The default depends on which charsets you have instaled. +>The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run

    NOTE :A working NIS client is required on the system for this option to work.

    See also hosts equiv may be useful for NT clients which will not supply passwords to Samba.

    NOTE : The use of

    The use of hosts equiv trust them :-).

    Default: smbpasswd(8) man page for more information on how - to accmplish this. + to accmplish this.

    >ldap delete dn (G)

    This parameter specifies whether a delete + operation in the ldapsam deletes the complete entry or only the attributes + specific to Samba.

    Default : noneldap delete dn = no
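
    Review bot: the new ldap delete dn entry never says which value selects which behaviour. The description offers two outcomes (delete the complete entry, or delete only the attributes specific to Samba) and the default line gives "ldap delete dn = no", but nothing ties "yes" or "no" to either outcome. Suggest stating it explicitly, for example "If set to yes, ...; if set to no, ...", so an administrator does not remove more or less from the directory than intended.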

    See the section on NAME MANGLING

    See the section on NAME MANGLING for details on how to control the mangling process.

    magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set @@ -11958,11 +12069,35 @@ NAME="NONUNIXACCOUNTRANGE" This is most often used for machine account creation. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.

    NOTE: These userids never appear on the system and Samba will never +>

    These userids never appear on the system and Samba will never 'become' these users. They are used only to ensure that the algorithmic RID mapping does not conflict with normal users.

    Default: and so may resolved by any method and order described in that parameter.

    The password server much be a machine capable of using +>The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

    NOTE: Using a password server +>

    Using a password server means your UNIX box (running Samba) is only as secure as your password server. .

    Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba @@ -13631,6 +13784,30 @@ CLASS="COMMAND" >

    >preload modules (G)

    This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat.

    It is recommended to only use this option on heavy-performance + servers.

    Default: preload modules =

    Example: preload modules = /usr/lib/samba/passdb/mysql.so
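
    Review bot: the preload modules entry gives no guidance on which paths are safe to list. The description says each listed module is loaded into smbd before a client connects, so whatever sits at that path runs inside the daemon. The entry should tell administrators to list only absolute paths that unprivileged users cannot write to. The phrase "heavy-performance servers" is also unclear and could be reworded to say what kind of load justifies the option.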

    >preserve case (S)

    See the section on NAME MANGLING for a fuller discussion.

    where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.

    NOTE: Under AIX the default printcap +>

    Under AIX the default printcap name is /etc/qconfigqconfig appears in the printcap filename.

    Default:

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    >server schannel (G)

    This controls whether the server offers or even + demands the use of the netlogon schannel. + server schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4.

    Please note that with this set to + no you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory.

    Default: server schannel = auto

    Example: server schannel = yes/para> +
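
    Review bot: the Example line for server schannel ends in "yes/para>", which looks like a closing tag that lost its "<" in the source and is now rendered as literal text. Fix it in the source the HTML is generated from, not in the regenerated file. In the description, "This is only the case for Windows NT4 before SP4" does not say what "this" refers to; presumably it means the client being unable to speak schannel, and the sentence should say so. The paragraph on "no" tells the reader to apply the WindowsXP requireSignOrSeal registry patch without saying what that patch changes on the client, which an administrator would want to know before applying it.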

    >server string (G)
    >set primary group script (G)

    Thanks to the Posix subsystem in NT a + Windows User has a primary group in addition to the + auxiliary groups. This script sets the primary group + in the unix userdatase when an administrator sets the + primary group from the windows user manager or when + fetching a SAM with net rpc + vampire. %u will be + replaced with the user whose primary group is to be + set. %g will be replaced with + the group to set. + +

    Default: No default value

    Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'
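
    Review bot: the set primary group script entry does not say how %u and %g are sanitised before they are substituted into the command line. The example, usermod -g '%g' '%u', relies on single quotes around both values, and the text says the script runs when an administrator changes the group from the Windows user manager or when a SAM is fetched with net rpc vampire, so the values originate on another machine. The entry should state which characters can appear in the substituted names and whether any escaping is applied. Also, "userdatase" in the description should read "user database".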

    >set directory (S)

    See the section on NAME MANGLING.

    See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how @@ -17868,22 +18150,45 @@ CLASS="REFENTRYTITLE" >You should point this at your WINS server if you have a multi-subnetted network.

    NOTE. You need to set up Samba to point +>If you want to work in multiple namespaces, you can + give every wins server a 'tag'. For each tag, only one + (working) server will be queried for a name. The tag should be + seperated from the ip address by a colon. +

    You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly.

    See the documentation file BROWSING - in the docs/ directory of your Samba source distribution.

    Browsing in the samba howto collection.

    Default:

    Example: wins server = 192.9.200.1wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61

    For this example when querying a certain name, 192.19.200.1 will + be asked first and if that doesn't respond 192.168.2.61. If either + of those doesn't know the name 192.168.3.199 will be queried. +

    Example: wins server = 192.9.200.1 192.168.2.61
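
    Review bot: the explanation of the tagged wins server example names an address that is not in the example. The example line reads "wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61", but the paragraph after it says "192.19.200.1 will be asked first". One of the two is a typo and they need to agree, since readers will copy the example. In the added paragraph about tags, "seperated" should be "separated".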

    WARNINGS

    VERSION

    SEE ALSO

    AUTHOR

    smbcacls {//server/share} {filename} [-U username] [-A acls] [-M acls] [-D acls] [-S acls] [-C name] [-G name] [-n] [-h]

    {//server/share} {filename} [-D acls] [-M acls] [-A acls] [-S acls] [-C name] [-G name] [-n] [-t] [-U username] [-h] [-d]

    DESCRIPTION

    OPTIONS

    -h
    -t

    Print usage information on the Don't actually do anything, only validate the correctness of + the arguments. +

    -h|--help

    Print a summary of command line options.

    -V

    Prints the version number for +smbcacls - program.

    smbd.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5) file.

    -l|--logfile=logbasename

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    ACL FORMAT

    EXIT STATUS

    VERSION

    This man page is correct for version 2.2 of the Samba suite.

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    -s smb.conf

    Specifies the location of the all - important smb.conf(5) file.

    -O socket options

    TCP socket options to set on the client - socket. See the socket options parameter in - the smb.conf(5) manual page for the list of valid - options.

    -R <name resolve order>

    -i scope

    This specifies a NetBIOS scope that smbclient will - use to communicate with when generating NetBIOS names. For details - on the use of NetBIOS scopes, see rfc1001.txt - and rfc1002.txt. - NetBIOS scopes are very rarely used, only set - this parameter if you are the system administrator in charge of all - the NetBIOS systems you communicate with.

    -N

    If specified, this parameter suppresses the normal - password prompt from the client to the user. This is useful when - accessing a service that does not require a password.

    Unless a password is specified on the command line or - this parameter is specified, the client will request a - password.

    -n NetBIOS name

    By default, the client will use the local - machine's hostname (in uppercase) as its NetBIOS name. This parameter - allows you to override the host name and use whatever NetBIOS - name you wish.

    -d debuglevel

    debuglevel is an integer from 0 to 10, or - the letter 'A'.

    The default value if this parameter is not specified - is zero.

    The higher this value, the more detail will be logged to - the log files about the activities of the - client. At level 0, only critical errors and serious warnings will - be logged. Level 1 is a reasonable level for day to day running - - it generates a small amount of information about operations - carried out.

    Levels above 1 will generate considerable amounts of log - data, and should only be used when investigating a problem. - Levels above 3 are designed for use only by developers and - generate HUGE amounts of log data, most of which is extremely - cryptic. If debuglevel is set to the letter 'A', then all - debug messages will be printed. This setting - is for developers only (and people who really want - to know how the code works internally).

    Note that specifying this parameter here will override - the log level parameter in the smb.conf (5) - file.

    -p port

    -h
    -h|--help

    Print the usage message for the client.

    Print a summary of command line options.

    -I IP-address
    -U username[%pass]

    Sets the SMB username or username and password. - If %pass is not specified, The user will be prompted. The client - will first check the USER environment variable, then the - LOGNAME variable and if either exists, the - string is uppercased. Anything in these variables following a '%' - sign will be treated as the password. If these environment - variables are not found, the username GUEST - is used.

    If the password is not included in these environment - variables (using the %pass syntax), smbclient will look for - a PASSWD environment variable from which - to read the password.

    A third option is to use a credentials file which - contains the plaintext of the domain name, username and password. This - option is mainly provided for scripts where the admin doesn't - wish to pass the credentials on the command line or via environment - variables. If this method is used, make certain that the permissions - on the file restrict access from unwanted users. See the - -A for more details.

    Be cautious about including passwords in scripts or in - the PASSWD environment variable. Also, on - many systems the command line of a running process may be seen - via the ps command to be safe always allow - smbclient to prompt for a password and type - it in directly.

    -A filename

    This option allows - you to specify a file from which to read the username, domain name, and - password used in the connection. The format of the file is -

    username = <value> 
    -password = <value>
    -domain = <value>

    If the domain parameter is missing the current workgroup name - is used instead. Make certain that the permissions on the file restrict - access from unwanted users.

    -L

    -W WORKGROUP
    -V

    Prints the version number for +smbd.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5) file.

    -l|--logfile=logbasename

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -N

    If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password.

    Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.

    -k

    Try to authenticate with kerberos. Only useful in +an Active Directory environment.

    -A|--authfile=filename

    Override the default workgroup (domain) specified - in the workgroup parameter of the This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is

    username = <value>
    +password = <value>
    +domain   = <value>

    Make certain that the permissions on the file restrict +access from unwanted users.

    -U|--user=username[%password]

    Sets the SMB username or username and password.

    If %password is not specified, the user will be prompted. The +client will first check the USER environment variable, then the +LOGNAME variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username GUEST is used.

    A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +-A for more details.

    Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the ps command. To be safe always allow +rpcclient to prompt for a password and type +it in directly.
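
    Review bot: the replacement text for -U opens its third paragraph with "A third option is to use a credentials file", but the added lines no longer describe a second option. The removed text explained that anything after a '%' in the USER or LOGNAME variables is treated as the password and that a PASSWD environment variable is read; both statements are gone from the added lines, and so is the PASSWD warning in the final paragraph. If those behaviours still exist, the man page should keep documenting them, because a password left in the environment is exactly what the caution paragraph is about. The added wording also tells the reader to let "rpcclient" prompt for a password where the removed text said smbclient, and nearby added entries refer to "smbd" under -V and "nmblookup" under -i, in a page that still documents -T tar options. The shared option text needs the program name parameterised per man page.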

    -n <primary NetBIOS name>

    This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the NetBIOS +name parameter in the smb.conf(5) file for this connection. This may be - needed to connect to some servers.

    file. However, a command +line setting will take precedence over settings in +smb.conf(5).

    -i <scope>

    This specifies a NetBIOS scope that +nmblookup will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +very rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.

    -W|--workgroup=domain

    Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM).

    -O socket options

    TCP socket options to set on the client +socket. See the socket options parameter in +the smb.conf(5) manual page for the list of valid +options.

    -T tar options
    -c 'print -'
    .

    -k

    Try to authenticate with kerberos. Only useful in - an Active Directory environment. -

    OPERATIONS

    NOTES

    ENVIRONMENT VARIABLES

    INSTALLATION

    DIAGNOSTICS

    VERSION

    AUTHOR

    smbcontrol [-i]

    [-i] [-s]

    DESCRIPTION

    OPTIONS

    -h|--help

    Print a summary of command line options.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -i

    message-type

    One of: close-share, - debug, - force-election, ping - , Type of message to send. See + the section profile, debuglevel, profilelevel, - or printnotify.

    MESSAGE-TYPES for details. +

    parameters

    The close-share message-type sends a - message to smbd which will then close the client connections to - the named share. Note that this doesn't affect client connections - to any other shares. This message-type takes an argument of the - share name for which client connections will be closed, or the - "*" character which will close all currently open shares. - This may be useful if you made changes to the access controls on the share. - This message can only be sent to any parameters required for the message-type

    MESSAGE-TYPES

    Available message types are:

    close-share

    Order smbd to close the client + connections to the named share. Note that this doesn't affect client + connections to any other shares. This message-type takes an argument of the + share name for which client connections will be closed, or the + "*" character which will close all currently open shares. + This may be useful if you made changes to the access controls on the share. + This message can only be sent to smbd.

    debug

    The debug message-type allows - the debug level to be set to the value specified by the - parameter. This can be sent to any of the destinations.

    Set debug level to the value specified by the + parameter. This can be sent to any of the destinations.

    force-election

    The force-election message-type can only be - sent to the nmbd destination. This message - causes the This message causes the nmbd daemon to force a new browse - master election.

    daemon to + force a new browse master election.

    ping

    The ping message-type sends the - number of "ping" messages specified by the parameter and waits - for the same number of reply "pong" messages. This can be sent to - any of the destinations.

    Send specified number of "ping" messages and + wait for the same number of reply "pong" messages. This can be sent to + any of the destinations.

    profile

    The profile message-type sends a - message to an smbd to change the profile settings based on the - parameter. The parameter can be "on" to turn on profile stats - collection, "off" to turn off profile stats collection, "count" - to enable only collection of count stats (time stats are - disabled), and "flush" to zero the current profile stats. This can - be sent to any smbd or nmbd destinations.

    The debuglevel message-type sends - a "request debug level" message. The current debug level setting - is returned by a "debuglevel" message. This can be - sent to any of the destinations.

    Change profile settings of a daemon, based on the + parameter. The parameter can be "on" to turn on profile stats + collection, "off" to turn off profile stats collection, "count" + to enable only collection of count stats (time stats are + disabled), and "flush" to zero the current profile stats. This can + be sent to any smbd or nmbd destinations.

    debuglevel

    The profilelevel message-type sends - a "request profile level" message. The current profile level - setting is returned by a "profilelevel" message. This can be sent - to any smbd or nmbd destinations.

    Request debuglevel of a certain daemon and write it to stdout. This + can be sent to any of the destinations.

    profilelevel

    Request profilelevel of a certain daemon and write it to stdout. + This can be sent to any smbd or nmbd destinations.

    printnotify

    Order smbd to send a printer notify message to any Windows NT clients + connected to a printer. This message-type takes the following arguments: +

    The printnotify message-type sends a - message to smbd which in turn sends a printer notify message to - any Windows NT clients connected to a printer. This message-type - takes the following arguments: - -

    Send a queue pause change notify - message to the printer specified.

    queueresume printername

    Send a queue resume change notify - message for the printer specified.

    jobpause printername unixjobid

    Send a job pause change notify - message for the printer and unix jobid - specified.

    jobresume printername unixjobid

    Send a job resume change notify - message for the printer and unix jobid - specified.

    jobdelete printername unixjobid

    Send a job delete change notify - message for the printer and unix jobid - specified.

    - - Note that this message only sends notification that an - event has occured. It doesn't actually cause the - event to happen. - - This message can only be sent to

    Note that this message only sends notification that an + event has occured. It doesn't actually cause the + event to happen. +

    This message can only be sent to smbd. -

    .

    parameters
    samsync

    any parameters required for the message-type

    Order smbd to synchronise sam database from PDC (being BDC). Can only be sent to smbd.

    Not working at the moment

    samrepl

    Send sam replication message, with specified serial. Can only be sent to smbd. Should not be used manually.

    dmalloc-mark

    Set a mark for dmalloc. Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support.

    dmalloc-log-changed

    Dump the pointers that have changed since the mark set by dmalloc-mark. + Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support.

    shutdown

    Shut down specified daemon. Can be sent to both smbd and nmbd.

    tallocdump and pool-usage

    Print a human-readable description of all + talloc(pool) memory usage by the specified daemon/process. Available + for both smbd and nmbd.

    drvupgrade

    Force clients of printers using specified driver + to update their local version of the driver. Can only be + sent to smbd.

    VERSION

    This man page is correct for version 2.2 of +>This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    AUTHOR

    -h

    Prints the help information (usage) - for smbd.

    -V

    Prints the version number for - smbd.

    -b
    -s <configuration file>

    Prints information about how - Samba was built.

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d <debug level>
    -d|--debug=debuglevel

    debuglevel is an integer - from 0 to 10. The default value if this parameter is - not specified is zero.

    The higher this value, the more detail will be - logged to the log files about the activities of the - server. At level 0, only critical errors and serious - warnings will be logged. Level 1 is a reasonable level for - day to day running - it generates a small amount of - information about operations carried out.

    Levels above 1 will generate considerable - amounts of log data, and should only be used when - investigating a problem. Levels above 3 are designed for - use only by developers and generate HUGE amounts of log - data, most of which is extremely cryptic.

    Note that specifying this parameter here will - override the log - level parameter in the smb.conf(5) parameter in the smb.conf(5) file.

    -l|--logfile=logbasename

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -h|--help

    Print a summary of command line options.

    -b

    Prints information about how + Samba was built.

    -l <log directory>

    -O <socket options>

    See the socket options - parameter in the smb.conf(5) file for details.

    -p <port number>

    This parameter is not normally specified except in the above situation.

    -s <configuration file>

    The file specified contains the - configuration details required by the server. The - information in this file includes server-specific - information such as what printcap file to use, as well - as descriptions of all the services that the server is - to provide. See smb.conf(5) for more information. - The default configuration file name is determined at - compile time.
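
    Review bot: after this change the smbd option list describes -l twice with different meanings. The added "-l|--logfile=logbasename" entry says the extension ".client" will be appended and that the log file is never removed by the client, while the existing "-l <log directory>" entry remains further down. The ".client" wording reads as text written for a client program and pasted into the server page. Keep one -l entry for smbd and make its description match what the daemon does. The same applies to the -d text, which now appears both as "-d <debug level>" and "-d|--debug=debuglevel".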

    FILES

    LIMITATIONS

    ENVIRONMENT VARIABLES

    PAM INTERACTION

    VERSION

    DIAGNOSTICS

    SIGNALS

    SEE ALSO

    AUTHOR

    smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>]

    {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]

    DESCRIPTION

    OPTIONS

    -h|--help

    Print a summary of command line options.

    AUTHOR

    krb

    Use kerberos (Active Directory).

    netbiosname=<arg>

    dmask=<arg>

    sets the directory mask. This determines the +>Sets the directory mask. This determines the permissions that remote directories have in the local filesystem. The default is based on the current umask.

    debug=<arg>

    sets the debug level. This is useful for +>Sets the debug level. This is useful for tracking down SMB connection problems. A suggested value to start with is 4. If set too high there will be a lot of output, possibly hiding the useful output.

    ip=<arg>

    sets the destination host or IP address. +>Sets the destination host or IP address.

    workgroup=<arg>

    sets the workgroup on the destination

    Sets the workgroup on the destination

    sockopt=<arg>

    sets the TCP socket options. See the Sets the TCP socket options. See the scope=<arg>

    sets the NetBIOS scope

    Sets the NetBIOS scope

    guest

    don't prompt for a password

    Don't prompt for a password

    ro

    ENVIRONMENT VARIABLES

    BUGS

    SEE ALSO

    AUTHOR

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5) file.

    -R <name resolve order>

    This option is used to determine what naming - services and in what order to resolve - host names to IP addresses. The option takes a space-separated - string of different name resolution options.

    The options are: "lmhosts", "host", "wins" and "bcast". - They cause names to be resolved as follows :

      lmhosts: - Lookup an IP address in the Samba lmhosts file. If the - line in lmhosts has no name type attached to the - NetBIOS name - (see the lmhosts(5) for details) - then any name type matches for lookup. -

    • host: - Do a standard host name to IP address resolution, using - the system /etc/hosts, NIS, or DNS - lookups. This method of name resolution is operating - system dependent, for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - /etc/nsswitch.conf file). Note that this method is only used - if the NetBIOS name type being queried is the 0x20 - (server) name type, otherwise it is ignored. -

    • wins: - Query a name with the IP address listed in the - wins server parameter. If no - WINS server has been specified this method will be - ignored. -

    • bcast: - Do a broadcast on each of the known local interfaces - listed in the interfaces - parameter. This is the least reliable of the name - resolution methods as it depends on the target host - being on a locally connected subnet. -

    If this parameter is not set then the name resolve order - defined in the smb.conf(5) file parameter - (name resolve order) will be used.

    The default order is lmhosts, host, wins, bcast. Without - this parameter or any entry in the name resolve order - name resolve order parameter of the smb.conf(5) file, the name resolution methods - will be attempted in this order.

    -d <debug level>

    debug level is an integer from 0 to 10.

    The default value if this parameter is not specified - is zero.

    The higher this value, the more detail will be logged - about the activities of nmblookup(1). At level - 0, only critical errors and serious warnings will be logged. -

    -l logfilename

    If specified causes all debug messages to be - written to the file specified by logfilename - . If not specified then all messages will be - written tostderr. -

    -L libdir

    EXAMPLES

    VERSION

    BUGS

    SEE ALSO

    AUTHOR

    smbspool [job] [user] [title] [copies] [options] [filename]

    {job} {user} {title} {copies} {options} [filename]

    VERSION

    This man page is correct for version 2.2 of the Samba suite.

    This man page is correct for version 3.0 of the Samba suite.

    gives brief output.

    -d|--debug=<debuglevel>
    -V

    sets debugging to specified level

    Prints the version number for +smbd.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5) file.

    -l|--logfile=logbasename

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -v|--verbose
    causes smbstatus to only list shares.

    -s|--conf=<configuration file>
    -h|--help

    The default configuration file name is - determined at compile time. The file specified contains the - configuration details required by the server. See smb.conf(5) for more information.

    Print a summary of command line options.

    -u|--user=<username>

    VERSION

    SEE ALSO

    AUTHOR
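Review bot: the added `-V` entry in this smbstatus page reads "Prints the version number for smbd", and the added `-s` and `-l|--logfile` entries describe "the server", a printcap file and a ".client" log extension that is "never removed by the client"; none of that describes smbstatus. The same wording appears verbatim in the other regenerated man pages in this commit, so it looks like shared option text pulled in without the program name being substituted. Since this commit only regenerates the HTML, fix it in the source the pages are built from: make the program name a parameter of the shared `-V` text and keep the server-specific `-s` and `-l` wording out of the client utilities.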

    smbtar {-s server} [-p password] [-x services] [-X] [-d directory] [-u user] [-t tape] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l loglevel] [-v] {filenames}

    [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}

    -a

    Reset DOS archive bit mode to + indicate file has been archived.

    -t tape

    ENVIRONMENT VARIABLES

    BUGS

    CAVEATS

    DIAGNOSTICS

    VERSION

    SEE ALSO

    AUTHOR

    PrevChapter 23. Samba performance issuesChapter 27. Samba performance issues

    23.1. Comparisons27.1. Comparisons

    The Samba server uses TCP to talk to the client. Thus if you are @@ -111,8 +111,8 @@ CLASS="SECT1" >

    23.2. Socket options27.2. Socket options

    There are a number of socket options that can greatly affect the @@ -139,8 +139,8 @@ CLASS="SECT1" >

    23.3. Read size27.3. Read size

    The option "read size" affects the overlap of disk reads/writes with @@ -165,8 +165,8 @@ CLASS="SECT1" >

    23.4. Max xmit27.4. Max xmit

    At startup the client and server negotiate a "maximum transmit" size, @@ -188,8 +188,8 @@ CLASS="SECT1" >

    23.5. Log level27.5. Log level

    If you set the log level (also known as "debug level") higher than 2 @@ -202,8 +202,8 @@ CLASS="SECT1" >

    23.6. Read raw27.6. Read raw

    The "read raw" operation is designed to be an optimised, low-latency @@ -224,8 +224,8 @@ CLASS="SECT1" >

    23.7. Write raw27.7. Write raw

    The "write raw" operation is designed to be an optimised, low-latency @@ -241,8 +241,8 @@ CLASS="SECT1" >

    23.8. Slow Clients27.8. Slow Clients

    One person has reported that setting the protocol to COREPLUS rather @@ -258,8 +258,8 @@ CLASS="SECT1" >

    23.9. Slow Logins27.9. Slow Logins

    Slow logins are almost always due to the password checking time. Using @@ -271,8 +271,8 @@ CLASS="SECT1" >

    23.10. Client tuning27.10. Client tuning

    Often a speed problem can be traced to the client. The client (for @@ -389,7 +389,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" >PrevAppendixesMigration from NT4 PDC to Samba-3 PDC

    -V

    Prints the version number for +smbd.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5) file.

    -l|--logfile=logbasename

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -h|--help

    Print a summary of command line options.

    INSTALLATION

    Swat is included as binary package with most distributions. The + package manager in this case takes care of the installation and + configuration. This section is only for those who have compiled + swat from scratch. +

    After you compile SWAT you need to run make install @@ -185,7 +277,7 @@ CLASS="COMMAND" >

    Inetd Installation

    swat 901/tcp

    Note for NIS/YP users - you may need to rebuild the +>Note for NIS/YP and LDAP users - you may need to rebuild the NIS service maps rather than alter your local /etc/services where PID is the process ID of the inetd daemon.

    Launching

    LAUNCHING

    To launch SWAT just run your favorite web browser and - point it at "http://localhost:901/".

    Note that you can attach to SWAT from any IP connected - machine but connecting from a remote machine leaves your - connection open to password sniffing as passwords will be sent - in the clear over the wire.

    FILES

    WARNINGS

    VERSION

    This man page is correct for version 2.2 of the Samba suite.

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    AUTHOR
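Review bot: in the LAUNCHING hunk, the only visible copy of the note that connecting to SWAT from a remote machine leaves the connection "open to password sniffing as passwords will be sent in the clear over the wire" sits on lines marked `-`, with no `+` counterpart visible. That warning is the one security-relevant statement on this page; confirm the regenerated swat.8.html still carries it next to the "http://localhost:901/" instruction, and restore it in the source if the regeneration dropped it. Separately, the added INSTALLATION paragraph says "included as binary package", which should read "as a binary package".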

    -h
    -h|--help

    Print usage message

    Print a summary of command line options.

    -V

    Prints the version number for +smbd.

    -L servername

    FILES

    DIAGNOSTICS

    VERSION

    SEE ALSO

    AUTHOR

    VERSION

    This man page is correct for version 2.2 of +>This man page is correct for version 3.0 of the Samba suite.

    Introduction

    4.1. Stand Alone Server
    4.2. Domain Member Server
    4.3. Domain Controller
    4.3.1. Domain Controller Types
    5.1. User and Share security level
    5.1.1. User Level Security
    5.1.2. Share Level Security
    5.1.3. Server Level Security
    5.1.4. Domain Level Security
    5.1.5. ADS Level Security
    6.1. Prerequisite Reading
    6.2. Background
    6.3. Configuring the Samba Domain Controller
    6.4. Creating Machine Trust Accounts and Joining Clients to the Domain
    6.4.1. Manual Creation of Machine Trust Accounts
    6.4.2. "On-the-Fly" Creation of Machine Trust Accounts
    6.4.3. Joining the Client to the Domain
    6.5. Common Problems and Errors
    6.6. What other help can I get?
    6.7. Domain Control for Windows 9x/ME
    6.7.1. Configuration Instructions: Network Logons
    7.1. Prerequisite Reading
    7.2. Background
    7.3. What qualifies a Domain Controller on the network?
    7.3.1. How does a Workstation find its domain controller?
    7.3.2. When is the PDC needed?
    7.4. Can Samba be a Backup Domain Controller to an NT PDC?
    7.5. How do I set up a Samba BDC?
    7.5.1. How do I replicate the smbpasswd file?
    7.5.2. Can I do this all with LDAP?
    8.1. Setup your smb.conf
    8.2. Setup your /etc/krb5.conf
    8.3. Create the computer account
    8.3.1. Possible errors
    8.4. Test your server setup
    8.5. Testing with smbclient
    8.6. Notes
    9.1. Joining an NT Domain with Samba 3.0
    9.2. Why is this better than security = server?
    PrevChapter 11. UNIX Permission Bits and Windows NT Access Control ListsChapter 10. UNIX Permission Bits and Windows NT Access Control Lists

    11.1. Viewing and changing UNIX permissions using the NT +NAME="AEN1499" +>10.1. Viewing and changing UNIX permissions using the NT security dialogs

    All access to Unix/Linux system file via Samba is controlled at + the operating system file access control level. When trying to + figure out file access problems it is vitally important to identify + the identity of the Windows user as it is presented by Samba at + the point of file access. This can best be determined from the + Samba log files. +

    11.2. How to view file security on a Samba share10.2. How to view file security on a Samba share

    From an NT4/2000/XP client, single-click with the right @@ -167,8 +199,8 @@ CLASS="SECT1" >
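Review bot: the paragraph added under 10.1 tells the reader to establish which identity Samba presents at the point of file access "from the Samba log files" but does not say which log level records it or what the entry looks like, so the advice cannot be followed as written. Suggest naming the log level and quoting one representative log line in the chapter source. The wording of the same paragraph also needs a pass: "Unix/Linux system file" should be "files", and "identify the identity" reads better as "establish the identity".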

    11.3. Viewing file ownership10.3. Viewing file ownership

    Clicking on the

    11.4. Viewing file or directory permissions10.4. Viewing file or directory permissions

    The third button is the

    11.4.1. File Permissions10.4.1. File Permissions

    The standard UNIX user/group/world triple and @@ -369,8 +401,8 @@ CLASS="SECT2" >

    11.4.2. Directory Permissions10.4.2. Directory Permissions

    Directories on an NT NTFS file system have two @@ -401,8 +433,8 @@ CLASS="SECT1" >

    11.5. Modifying file or directory permissions10.5. Modifying file or directory permissions

    Modifying file and directory permissions is as simple @@ -497,8 +529,8 @@ CLASS="SECT1" >

    11.6. Interaction with the standard Samba create mask +NAME="AEN1594" +>10.6. Interaction with the standard Samba create mask parameters

    11.7. Interaction with the standard Samba file attribute +NAME="AEN1648" +>10.7. Interaction with the standard Samba file attribute mapping

    PrevSystem PoliciesAdvanced ConfigurationGroup mapping HOWTOConfiguring Group Mapping

    PrevNextChapter 20. Stackable VFS modulesChapter 19. Stackable VFS modules

    20.1. Introduction and configuration19.1. Introduction and configuration

    Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. @@ -121,16 +121,16 @@ CLASS="SECT1" >

    20.2. Included modules19.2. Included modules

    20.2.1. audit19.2.1. audit

    A simple module to audit file access to the syslog @@ -167,8 +167,30 @@ CLASS="SECT2" >

    20.2.2. recycle19.2.2. extd_audit

    This module is identical with the audit module above except +that it sends audit logs to both syslog as well as the smbd log file/s. The +loglevel for this module is set in the smb.conf file. At loglevel = 0, only file +and directory deletions and directory and file creations are logged. At loglevel = 1 +file opens are renames and permission changes are logged , while at loglevel = 2 file +open and close calls are logged also.

    19.2.3. recycle

    A recycle-bin like modules. When used any unlink call @@ -238,8 +260,8 @@ CLASS="SECT2" >
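Review bot: the added 19.2.2 extd_audit paragraph does not say unambiguously what each log level records: "At loglevel = 1 file opens are renames and permission changes are logged" is not a sentence, and it lists file opens at level 1 while the next clause says "at loglevel = 2 file open and close calls are logged also". For an audit module the reader has to know exactly which events reach syslog at which level, so state the event list per level (0, 1, 2) as separate items and say whether opens belong to level 1 or level 2. Minor: drop the stray space in "logged ," and write "log file/s" as "log files".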

    20.2.3. netatalk19.2.4. netatalk

    A netatalk module, that will ease co-existence of samba and @@ -271,8 +293,8 @@ CLASS="SECT1" >

    20.3. VFS modules available elsewhere19.3. VFS modules available elsewhere

    This section contains a listing of various other VFS modules that @@ -287,8 +309,8 @@ CLASS="SECT2" >

    20.3.1. DatabaseFS19.3.1. DatabaseFS

    URL:

    20.3.2. vscan19.3.2. vscan

    URL: PrevNextHosting a Microsoft Distributed File System tree on SambaPAM Configuration for Centrally Managed AuthenticationSecuring SambaHosting a Microsoft Distributed File System tree on Samba

    -h|--help

    Print a summary of command line options.

    -l|--logfile=logbasename

    File name for log/debug files. The extension + '.client' will be appended. The log file is never removed + by the client. +

    -V

    Prints the version number for +smbd.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    file.

    -h|--help

    Print a summary of command line options.

    -l|--logfile=logbasename

    File name for log/debug files. The extension - '.client' will be appended. The log file is never removed - by the client. -

    ".client" will be appended. The log file is +never removed by the client.

    COMMANDS

    VERSION

    AUTHOR

    wbinfo [-u] [-g] [-i ip] [-N netbios-name] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m] [-r user] [-a user%password] [-A user%password] [-p]

    [-u] [-g] [-N netbios-name] [-I ip] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m] [--sequence] [-r user] [-a user%password] [-A user%password] [--get-auth-user] [-p]

    DESCRIPTION

    OPTIONS

    --sequence

    Show sequence numbers of + all known domains

    -r username

    --get-auth-user

    Print username and password used by winbindd + during session setup to a domain controller. Username + and password can be set using '-A'. Only available for + root.

    -p

    Check whether winbindd is still alive. + Prints out either 'succeeded' or 'failed'. +

    -V

    Prints the version number for +smbd.

    -h|--help

    Print a summary of command line options.

    EXIT STATUS

    VERSION

    SEE ALSO

    AUTHOR
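Review bot: the added `--get-auth-user` entry documents that wbinfo prints the username and password winbindd uses for session setup to a domain controller, and restricts it with only "Only available for root." It should also say what a non-root caller gets (message and exit status, given that the page has an EXIT STATUS section), and refer to the credential as the one set with `-A user%password`, as spelled in the synopsis, rather than the bare '-A'.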

    NextChapter 16. Unified Logons between Windows NT and UNIX using WinbindChapter 14. Unified Logons between Windows NT and UNIX using Winbind

    16.1. Abstract14.1. Abstract

    Integration of UNIX and Microsoft Windows NT through @@ -107,8 +107,8 @@ CLASS="SECT1" >

    16.2. Introduction14.2. Introduction

    It is well known that UNIX and Microsoft Windows NT have @@ -161,8 +161,8 @@ CLASS="SECT1" >

    16.3. What Winbind Provides14.3. What Winbind Provides

    Winbind unifies UNIX and Windows NT account management by @@ -203,8 +203,8 @@ CLASS="SECT2" >

    16.3.1. Target Uses14.3.1. Target Uses

    Winbind is targeted at organizations that have an @@ -227,8 +227,8 @@ CLASS="SECT1" >

    16.4. How Winbind Works14.4. How Winbind Works

    The winbind system is designed around a client/server @@ -247,8 +247,8 @@ CLASS="SECT2" >

    16.4.1. Microsoft Remote Procedure Calls14.4.1. Microsoft Remote Procedure Calls

    Over the last few years, efforts have been underway @@ -273,8 +273,8 @@ CLASS="SECT2" >

    16.4.2. Microsoft Active Directory Services14.4.2. Microsoft Active Directory Services

    Since late 2001, Samba has gained the ability to @@ -292,8 +292,8 @@ CLASS="SECT2" >

    16.4.3. Name Service Switch14.4.3. Name Service Switch

    The Name Service Switch, or NSS, is a feature that is @@ -372,8 +372,8 @@ CLASS="SECT2" >

    16.4.4. Pluggable Authentication Modules14.4.4. Pluggable Authentication Modules

    Pluggable Authentication Modules, also known as PAM, @@ -421,8 +421,8 @@ CLASS="SECT2" >

    16.4.5. User and Group ID Allocation14.4.5. User and Group ID Allocation

    When a user or group is created under Windows NT @@ -447,8 +447,8 @@ CLASS="SECT2" >

    16.4.6. Result Caching14.4.6. Result Caching

    An active system can generate a lot of user and group @@ -470,8 +470,8 @@ CLASS="SECT1" >

    16.5. Installation and Configuration14.5. Installation and Configuration

    Many thanks to John Trostel

    16.5.1. Introduction14.5.1. Introduction

    This HOWTO describes the procedures used to get winbind up and @@ -548,8 +548,8 @@ CLASS="SECT2" >

    16.5.2. Requirements14.5.2. Requirements

    If you have a samba configuration file that you are currently @@ -618,8 +618,8 @@ CLASS="SECT2" >

    16.5.3. Testing Things Out14.5.3. Testing Things Out

    Before starting, it is probably best to kill off all the SAMBA @@ -663,8 +663,8 @@ CLASS="SECT3" >

    16.5.3.1. Configure and compile SAMBA14.5.3.1. Configure and compile SAMBA

    The configuration and compilation of SAMBA is pretty straightforward. @@ -729,8 +729,8 @@ CLASS="SECT3" >

    16.5.3.2. Configure 14.5.3.2. Configure nsswitch.conf and the @@ -834,8 +834,8 @@ CLASS="SECT3" >

    16.5.3.3. Configure smb.conf14.5.3.3. Configure smb.conf

    Several parameters are needed in the smb.conf file to control @@ -909,8 +909,8 @@ CLASS="SECT3" >

    16.5.3.4. Join the SAMBA server to the PDC domain14.5.3.4. Join the SAMBA server to the PDC domain

    Enter the following command to make the SAMBA server join the @@ -947,8 +947,8 @@ CLASS="SECT3" >

    16.5.3.5. Start up the winbindd daemon and test it!14.5.3.5. Start up the winbindd daemon and test it!

    Eventually, you will want to modify your smb startup script to @@ -1083,16 +1083,16 @@ CLASS="SECT3" >

    16.5.3.6. Fix the init.d startup scripts14.5.3.6. Fix the init.d startup scripts

    16.5.3.6.1. Linux14.5.3.6.1. Linux

    The

    16.5.3.6.2. Solaris14.5.3.6.2. Solaris

    On solaris, you need to modify the @@ -1285,8 +1285,8 @@ CLASS="SECT4" >

    16.5.3.6.3. Restarting14.5.3.6.3. Restarting

    If you restart the

    16.5.3.7. Configure Winbind and PAM14.5.3.7. Configure Winbind and PAM

    If you have made it this far, you know that winbindd and samba are working @@ -1367,8 +1367,8 @@ CLASS="SECT4" >

    16.5.3.7.1. Linux/FreeBSD-specific PAM configuration14.5.3.7.1. Linux/FreeBSD-specific PAM configuration

    The

    16.5.3.7.2. Solaris-specific configuration14.5.3.7.2. Solaris-specific configuration

    The /etc/pam.conf needs to be changed. I changed this file so that my Domain @@ -1583,8 +1583,8 @@ CLASS="SECT1" >

    16.6. Limitations14.6. Limitations

    Winbind has a number of limitations in its current @@ -1625,8 +1625,8 @@ CLASS="SECT1" >

    16.7. Conclusion14.7. Conclusion

    The winbind system, through the use of the Name Service @@ -1671,7 +1671,7 @@ WIDTH="33%" ALIGN="right" VALIGN="top" >NextIntegrating MS Windows networks with SambaAdvanced Network Manangement
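Review bot: the navigation footer in the last hunk of this chapter carries the title "Advanced Network Manangement", which is misspelled ("Management"). Because the title is generated, correct it in the chapter source so that every page linking to that chapter picks up the fix.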

    -d debuglevel
    -V

    Sets the debuglevel to an integer between - 0 and 100. 0 is for no debugging and 100 is for reams and - reams. To submit a bug report to the Samba Team, use debug - level 100 (see BUGS.txt).

    Prints the version number for +smbd.

    -s <configuration file>

    The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf(5) for more information. +The default configuration file name is determined at +compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

    The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day to day running - it generates a small amount of +information about operations carried out.

    Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

    Note that specifying this parameter here will +override the log +level parameter in the smb.conf(5) file.

    -l|--logfile=logbasename

    File name for log/debug files. The extension +".client" will be appended. The log file is +never removed by the client.

    -h|--help

    Print a summary of command line options.

    -i
    -s|--conf=smb.conf

    Specifies the location of the all-important - smb.conf(5) file.
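Review bot: the `-d` change replaces winbindd's own description ("an integer between 0 and 100", with the instruction to use debug level 100 for bug reports, see BUGS.txt) with the stock text "an integer from 0 to 10", so the documented range changes and the bug-report guidance is lost with no reason given. Confirm which range winbindd accepts and keep a pointer to the bug-reporting instructions. The stock `-l|--logfile` text added alongside it speaks of a log file "never removed by the client", which does not fit a daemon page.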

    NAME AND ID RESOLUTION

    CONFIGURATION

    EXAMPLE SETUP

    The next step is to join the domain. To do that use the smbpasswdnet
    program like this:

    NOTES

    to become aware of new trust relationships between servers, it must be sent a SIGHUP signal.

    Client processes resolving names through the winbindd - nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated - list of Windows NT domain names, then winbindd will only resolve users - and groups within those Windows NT domains.

    PAM is really easy to misconfigure. Make sure you know what you are doing when modifying PAM configuration files. It is possible to set up PAM such that you can no longer log into your system.

    SIGNALS

    FILES

    $LOCKDIR/winbindd_privilaged/pipe

    The UNIX pipe over which 'privilaged' clients + communicate with the winbindd program. For security + reasons, access to some winbindd functions - like those needed by + the ntlm_auth utility - is restricted. By default, + only users in the 'root' group will get this access, however the administrator + may change the group permissions on $LOCKDIR/winbindd_privilaged to allow + programs like 'squid' to use ntlm_auth. + Note that the winbind client will only attempt to connect to the winbindd daemon + if both the $LOCKDIR/winbindd_privilaged directory + and $LOCKDIR/winbindd_privilaged/pipe file are owned by + root.

    /lib/libnss_winbind.so.X

    VERSION

    SEE ALSO

    AUTHOR
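Review bot: the added FILES entry for `$LOCKDIR/winbindd_privilaged/pipe` spells "privilaged" in both the path and the prose ("'privilaged' clients"). Check the path against the name the code actually creates; if the directory really is spelled that way, keep the path and correct only the prose to "privileged". The paragraph also tells administrators they may change the group permissions on the directory so that programs such as squid can use ntlm_auth, but gives no target ownership or mode; since the client refuses to connect unless both the directory and the pipe are owned by root, state the expected owner, group and mode explicitly so that the directory is not opened wider than the one group that needs it.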