SAMBA Project Documentation

How to Install and Test SAMBA
1.1. Step 0: Read the man pages
Step 0: Read the man pages
The man pages distributed with SAMBA contain lots of useful info that will help to get you started. @@ -1452,12 +1415,10 @@ TARGET="_top" >
1.2. Step 1: Building the Binaries
Step 1: Building the Binaries
To do this, first run the program
1.3. Step 2: The all important step
Step 2: The all important step
At this stage you must fetch yourself a coffee or other drink you find stimulating. Getting the rest @@ -1568,12 +1527,10 @@ NAME="AEN56" >
1.4. Step 3: Create the smb configuration file.
Step 3: Create the smb configuration file.
There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them @@ -1633,16 +1590,14 @@ CLASS="FILENAME" >
1.5. Step 4: Test your config file with +NAME="AEN74">Step 4: Test your config file with testparm
It's important that you test the validity of your
1.6. Step 5: Starting the smbd and nmbd
Step 5: Starting the smbd and nmbdYou must choose to start smbd and nmbd either as daemons or from 1.6.1. Step 5a: Starting from inetd.conf Step 5a: Starting from inetd.confNOTE; The following will be different if you use NIS or NIS+ to distributed services maps. 1.6.2. Step 5b. Alternative: starting it as a daemon Step 5b. Alternative: starting it as a daemonTo start the server as a daemon you should create a script something like this one, perhaps calling @@ -1876,13 +1825,11 @@ CLASS="FILENAME" > 1.7. Step 6: Try listing the shares available on your - server Step 6: Try listing the shares available on your + server 1.8. Step 7: Try connecting with the unix client Step 7: Try connecting with the unix client 1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... clientTry mounting disks. eg: 1.10. What If Things Don't Work? What If Things Don't Work?If nothing works and you start to think "who wrote this pile of trash" then I suggest you do step 2 again (and @@ -2052,12 +1993,10 @@ NAME="AEN174" easier. 1.10.1. Diagnosing Problems Diagnosing ProblemsIf you have installation problems then go to 1.10.2. Scope IDs Scope IDsBy default Samba uses a blank scope ID. This means all your windows boxes must also have a blank scope ID. @@ -2084,12 +2021,10 @@ NAME="AEN183" > 1.10.3. Choosing the Protocol Level Choosing the Protocol LevelThe SMB protocol has many dialects. Currently Samba supports 5, called CORE, COREPLUS, LANMAN1, @@ -2125,30 +2060,29 @@ CLASS="FILENAME" > 1.10.4. Printing from UNIX to a Client PC Printing from UNIX to a Client PCTo use a printer that is available via a smb-based - server from a unix host you will need to compile the + server from a unix host with LPR you will need to compile the smbclient program. You then need to install the script "smbprint". Read the instruction in smbprint for more details. There is also a SYSV style script that does much the same thing called smbprint.sysv. It contains instructions. See the CUPS manual for information about setting up + printing from a unix host with CUPS to a smb-based server. 1.10.5. Locking LockingOne area which sometimes causes trouble is locking. 1.10.6. Mapping Usernames Mapping UsernamesIf you have different usernames on the PCs and the unix server then take a look at the "username map" option. @@ -2220,17 +2152,13 @@ NAME="AEN208" CLASS="CHAPTER" > Chapter 2. Diagnosing your samba server Diagnosing your samba server 2.1. Introduction IntroductionThis file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem @@ -2247,12 +2175,10 @@ ignore your email. 2.2. Assumptions AssumptionsIn all of the tests I assume you have a Samba server called BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the @@ -2297,20 +2223,16 @@ best way to check this is with "testparm smb.conf" 2.3. Tests Tests 2.3.1. Test 1 Test 1In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -2327,12 +2249,10 @@ CLASS="FILENAME" > 2.3.2. Test 2 Test 2Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -2353,12 +2273,10 @@ this is done via the ipfwadm program.) 2.3.3. Test 3 Test 3Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back. 2.3.4. Test 4 Test 4Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back. 2.3.5. Test 5 Test 5run the command 2.3.6. Test 6 Test 6Run the command 2.3.7. Test 7 Test 7Run the command 2.3.8. Test 8 Test 8On the PC type the command 2.3.9. Test 9 Test 9Run the command 2.3.10. Test 10 Test 10Run the command 2.3.11. Test 11 Test 11From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -2745,12 +2647,10 @@ for encrypted passwords (refer to the Makefile). 2.4. Still having troubles? Still having troubles?Try the mailing list or newsgroup, or use the ethereal utility to sniff the problem. The official samba mailing list can be reached at @@ -2774,17 +2674,13 @@ TARGET="_top" CLASS="CHAPTER" > Chapter 3. Integrating MS Windows networks with Samba Integrating MS Windows networks with Samba 3.1. Agenda AgendaTo identify the key functional mechanisms of MS Windows networking to enable the deployment of Samba as a means of extending and/or @@ -2846,12 +2742,10 @@ TYPE="a" > 3.2. Name Resolution in a pure Unix/Linux world Name Resolution in a pure Unix/Linux worldThe key configuration files covered in this section are: 3.2.1. /etc/hosts Contains a static list of IP Addresses and names. eg: 3.2.2. /etc/resolv.conf This file tells the name resolution libraries: 3.2.3. /etc/host.conf 3.2.4. /etc/nsswitch.conf This file controls the actual name resolution targets. The file typically has resolver object specifications as follows: 3.3. Name resolution as used within MS Windows networking Name resolution as used within MS Windows networkingMS Windows networking is predicated about the name each machine is given. This name is known variously (and inconsistently) as @@ -3226,12 +3110,10 @@ Since we are primarily concerned with TCP/IP this demonstration is limited to this area. 3.3.1. The NetBIOS Name Cache The NetBIOS Name CacheAll MS Windows machines employ an in memory buffer in which is stored the NetBIOS names and IP addresses for all external @@ -3253,12 +3135,10 @@ is called "nmblookup". 3.3.2. The LMHOSTS file The LMHOSTS fileThis file is usually located in MS Windows NT 4.0 or 2000 in 3.3.3. HOSTS file HOSTS fileThis file is usually located in MS Windows NT 4.0 or 2000 in 3.3.4. DNS Lookup DNS LookupThis capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence @@ -3407,12 +3283,10 @@ lookup is used. 3.3.5. WINS Lookup WINS LookupA WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores @@ -3468,13 +3342,11 @@ of the WINS server. 3.4. How browsing functions and how to deploy stable and -dependable browsing using Samba How browsing functions and how to deploy stable and +dependable browsing using SambaAs stated above, MS Windows machines register their NetBIOS names (i.e.: the machine name for each service type in operation) on start @@ -3535,13 +3407,11 @@ and so on. 3.5. MS Windows security options and how to configure -Samba for seemless integration MS Windows security options and how to configure +Samba for seemless integrationMS Windows clients may use encrypted passwords as part of a challenege/response authentication model (a.k.a. NTLMv1) or @@ -3657,8 +3527,9 @@ CLASS="PARAMETER" >password level must be set to the maximum -number of upper case letter which couldcould appear is a password. Note that is the server OS uses the traditional DES version of crypt(), then a 3.5.1. Use MS Windows NT as an authentication server Use MS Windows NT as an authentication serverThis method involves the additions of the following parameters in the smb.conf file: 3.5.2. Make Samba a member of an MS Windows NT security domain Make Samba a member of an MS Windows NT security domainThis method involves additon of the following paramters in the smb.conf file: 3.5.3. Configure Samba as an authentication server Configure Samba as an authentication serverThis mode of authentication demands that there be on the Unix/Linux system both a Unix style account as well as an @@ -3840,12 +3705,10 @@ to be created for each user, as well as for each MS Windows NT/2000 machine. The following structure is required. 3.5.3.1. Users UsersA user account that may provide a home directory should be created. The following Linux system commands are typical of @@ -3872,12 +3735,10 @@ CLASS="PROGRAMLISTING" > 3.5.3.2. MS Windows NT Machine Accounts MS Windows NT Machine AccountsThese are required only when Samba is used as a domain controller. Refer to the Samba-PDC-HOWTO for more details. 3.6. Conclusions ConclusionsSamba provides a flexible means to operate as... Chapter 4. Configuring PAM for distributed but centrally -managed authenticationConfiguring PAM for distributed but centrally +managed authentication 4.1. Samba and PAM Samba and PAMA number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication @@ -4187,7 +4042,7 @@ password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba. > Note: PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within on PAM module through +also possible to pass information obtained within one PAM module through to the next module in the PAM stack. Please refer to the documentation for your particular system implementation for details regarding the specific capabilities of PAM in this environment. Some Linux implmentations also @@ -4206,12 +4061,10 @@ PAM documentation for further helpful information. 4.2. Distributed Authentication Distributed AuthenticationThe astute administrator will realize from this that the combination of 4.3. PAM Configuration in smb.conf PAM Configuration in smb.confThere is an option in smb.conf called Chapter 5. Hosting a Microsoft Distributed File System tree on Samba Hosting a Microsoft Distributed File System tree on Samba 5.1. Instructions InstructionsThe Distributed File System (or Dfs) provides a means of separating the logical view of files and directories that users @@ -4444,12 +4291,10 @@ CLASS="USERINPUT" takes users directly to the appropriate shares on the network. 5.1.1. Notes Notes Chapter 6. UNIX Permission Bits and Windows NT Access Control Lists UNIX Permission Bits and Windows NT Access Control Lists 6.1. Viewing and changing UNIX permissions using the NT - security dialogsViewing and changing UNIX permissions using the NT + security dialogsNew in the Samba 2.0.4 release is the ability for Windows NT clients to use their native security settings dialog box to @@ -4524,34 +4365,38 @@ CLASS="CONSTANT" > 6.2. How to view file security on a Samba share How to view file security on a Samba shareFrom an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted drive letter or UNC path. When the menu pops-up, click - on the PropertiesProperties entry at the bottom of the menu. This brings up the normal file properties dialog box, but with Samba 2.0.4 this will have a new tab along the top - marked SecuritySecurity. Click on this tab and you - will see three buttons, PermissionsPermissions, - Auditing, and OwnershipAuditing, and Ownership. - The AuditingAuditing button will cause either an error message 6.3. Viewing file ownership Viewing file ownershipClicking on the rootroot user. As clicking on this button causes NT to attempt to change the ownership of a file to the current user logged into the NT @@ -4648,20 +4492,19 @@ CLASS="COMMAND" and allow a user with Administrator privilege connected to a Samba 2.0.4 server as root to change the ownership of files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the Seclib - NT security library written by Jeremy Allison of the Samba Team, available from the main Samba ftp site. 6.4. Viewing file or directory permissions Viewing file or directory permissionsThe third button is the 6.4.1. File Permissions File PermissionsThe standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -4780,12 +4621,10 @@ CLASS="COMMAND" > 6.4.2. Directory Permissions Directory PermissionsDirectories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -4812,12 +4651,10 @@ CLASS="COMMAND" > 6.5. Modifying file or directory permissions Modifying file or directory permissionsModifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and @@ -4910,13 +4747,11 @@ CLASS="COMMAND" > 6.6. Interaction with the standard Samba create mask - parameters Interaction with the standard Samba create mask + parametersNote that with Samba 2.0.5 there are four new parameters to control this interaction. These are : security mask - mask may be treated as a set of bits the user is notnot allowed to change, and one bits are those the user is allowed to change. 6.7. Interaction with the standard Samba file attribute - mapping Interaction with the standard Samba file attribute + mappingSamba maps some of the DOS attribute bits (such as "read only") into the UNIX permissions of a file. This means there can @@ -5233,17 +5067,13 @@ CLASS="COMMAND" CLASS="CHAPTER" > Chapter 7. Printing Support in Samba 2.2.x Printing Support in Samba 2.2.x 7.1. Introduction IntroductionBeginning with the 2.2.0 release, Samba supports the native Windows NT printing mechanisms implemented via @@ -5309,9 +5139,10 @@ As a side note, Samba does not use these drivers in any way to process spooled files. They are utilized entirely by the clients. The following MS KB article, may be of some help if you are dealing with -Windows 2000 clients: How to Add Printers with No User -Interaction in Windows 2000 7.2. Configuration Configuration [print$] vs. [printer$] Previous versions of Samba recommended using a share named [printer$]. This name was taken from the printer$ service created by Windows 9x @@ -5377,7 +5218,7 @@ CLASS="PARAMETER" >printer driver file parameter, are being depreciated and should not +> parameter, are being deprecated and should not be used in new installations. For more information on this change, you should refer to the 7.2.1. Creating [print$] Creating [print$]In order to support the uploading of printer driver files, you must first configure a file share named [print$]. @@ -5471,11 +5310,35 @@ site is configured. If users will be guaranteed to have an account on the Samba host, then this is a non-issue. Author's Note: Author's Note The non-issue is that if all your Windows NT users are guaranteed to be authenticated by the Samba server (such as a domain member server and the NT user has already been validated by the Domain Controller in @@ -5493,7 +5356,9 @@ CLASS="COMMAND" > in the [global] section as well. Make sure you understand what this parameter does before using it though. --jerry In order for a Windows NT print server to support @@ -5529,18 +5394,30 @@ CLASS="WARNING" > ATTENTION! REQUIRED PERMISSIONS In order to currently add a new driver to you Samba host, one of two conditions must hold true: 7.2.2. Setting Drivers for Existing Printers Setting Drivers for Existing PrintersThe initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned to them. By default, in Samba 2.2.0 this driver name was set to -NO PRINTER DRIVER AVAILABLE FOR THIS PRINTERNO PRINTER DRIVER AVAILABLE FOR THIS PRINTER. Later versions changed this to a NULL string to allow the use tof the local Add Printer Wizard on NT/2000 clients. @@ -5612,15 +5488,16 @@ Attempting to view the printer properties for a printer which has this default driver assigned will result in the error message: Device settings cannot be displayed. The driver for the specified printer is not installed, only spooler properties will be displayed. Do you want to install the -driver now? Click "No" in the error dialog and you will be presented with -the printer properties window. The way assign a driver to a +the printer properties window. The way to assign a driver to a printer is to either 7.2.3. Support a large number of printers Support a large number of printersOne issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for @@ -5740,12 +5615,10 @@ Successfully set hp-print to driver HP LaserJet 4000 Series PS. 7.2.4. Adding New Printers via the Windows NT APW Adding New Printers via the Windows NT APWBy default, Samba offers all printer shares defined in is executed under the context of the connected user, not necessarily a root account. There is a complementing There is a complementary for removing entries from the "Printers..." folder. The following is an example add printer command script. It adds the appropriate entries to /etc/printcap.local (change that to what you need) and returns a line of 'Done' which is needed for the whole process to work. #!/bin/sh + +# Script to insert a new printer entry into printcap.local +# +# $1, printer name, used as the descriptive name +# $2, share name, used as the printer name for Linux +# $3, port name +# $4, driver name +# $5, location, used for the device file of the printer +# $6, win9x location + +# +# Make sure we use the location that RedHat uses for local printer defs +PRINTCAP=/etc/printcap.local +DATE=`date +%Y%m%d-%H%M%S` +LP=lp +RESTART="service lpd restart" + +# Keep a copy +cp $PRINTCAP $PRINTCAP.$DATE +# Add the printer to $PRINTCAP +echo "" >> $PRINTCAP +echo "$2|$1:\\" >> $PRINTCAP +echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP +echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP +echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP + +touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 +chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1 + +mkdir /var/spool/lpd/$2 +chmod 700 /var/spool/lpd/$2 +chown $LP /var/spool/lpd/$2 +#echo $1 >> "/usr/local/samba/var/print/$5.prn" +#echo $2 >> "/usr/local/samba/var/print/$5.prn" +#echo $3 >> "/usr/local/samba/var/print/$5.prn" +#echo $4 >> "/usr/local/samba/var/print/$5.prn" +#echo $5 >> "/usr/local/samba/var/print/$5.prn" +#echo $6 >> "/usr/local/samba/var/print/$5.prn" +$RESTART >> "/usr/local/samba/var/print/$5.prn" +# Not sure if this is needed +touch /usr/local/samba/lib/smb.conf +# +# You need to return a value, but I am not sure what it means. +# +echo "Done" +exit 0 7.2.5. Samba and Printer Ports Samba and Printer PortsWindows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the @@ -5883,12 +5826,10 @@ that generates a listing of ports on a system. 7.3. The Imprints Toolset The Imprints ToolsetThe Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer Wizard. For complete information, please @@ -5901,12 +5842,10 @@ TARGET="_top" only provide a brief introduction to the features of Imprints. 7.3.1. What is Imprints? What is Imprints?Imprints is a collection of tools for supporting the goals of 7.3.2. Creating Printer Driver Packages Creating Printer Driver PackagesThe process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included @@ -5949,12 +5886,10 @@ NAME="AEN1044" > 7.3.3. The Imprints server The Imprints serverThe Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer @@ -5962,19 +5897,18 @@ NAME="AEN1047" downloading of the package. Each package is digitally signed via GnuPG which can be used to verify that package downloaded is actually the one referred in the Imprints database. It is - notnot recommended that this security check be disabled. 7.3.4. The Installation Client The Installation ClientMore information regarding the Imprints installation client is available in the 7.4. Migration to from Samba 2.0.x to 2.2.x Migration to from Samba 2.0.x to 2.2.xGiven that printer driver management has changed (we hope improved) in 2.2 over prior releases, migration from an existing setup to 2.2 can @@ -6151,18 +6083,30 @@ CLASS="WARNING" > Achtung! The following Chapter 8. Debugging Printing Problems Debugging Printing Problems 8.1. Introduction IntroductionThis is a short description of how to debug printing problems with Samba. This describes how to debug problems with printing from a SMB @@ -6338,12 +6278,10 @@ the lpq output. 8.2. Debugging printer problems Debugging printer problemsOne way to debug printing problems is to start by replacing these command with shell scripts that record the arguments and the contents @@ -6413,12 +6351,10 @@ various print queues. 8.3. What printers do I have? What printers do I have?You can use the 'testprns' program to check to see if the printer name you are using is recognized by Samba. For example, you can @@ -6460,12 +6396,10 @@ CLASS="PROGRAMLISTING" > 8.4. Setting up printcap and print servers Setting up printcap and print serversYou may need to set up some printcaps for your Samba system to use. It is strongly recommended that you use the facilities provided by @@ -6553,12 +6487,10 @@ it reread the printcap information. 8.5. Job sent, no output Job sent, no outputThis is the most frustrating part of printing. You may have sent the job, verified that the job was forwarded, set up a wrapper around @@ -6616,12 +6548,10 @@ convert the file to a format appropriate for your printer. 8.6. Job sent, strange output Job sent, strange outputOnce you have the job printing, you can then start worrying about making it print nicely. 8.7. Raw PostScript printed Raw PostScript printedThis is a problem that is usually caused by either the print spooling system putting information at the start of the print job that makes @@ -6695,12 +6623,10 @@ Format Detection' on your printer. 8.8. Advanced Printing Advanced PrintingNote that you can do some pretty magic things by using your imagination with the "print command" option and some shell scripts. @@ -6711,12 +6637,10 @@ printer. 8.9. Real debugging Real debuggingIf the above debug tips don't help, then maybe you need to bring in the bug guns, system tracing. See Tracing.txt in this directory. Chapter 9. Security levels Security levels 9.1. Introduction IntroductionSamba supports the following options to the global smb.conf parameter 9.2. More complete description of security levels More complete description of security levelsA SMB server tells the client at startup what "security level" it is running. There are two options "share level" and "user level". Which @@ -6883,17 +6801,13 @@ schemes by which the two could be kept in sync. Chapter 10. security = domain in Samba 2.x security = domain in Samba 2.x 10.1. Joining an NT Domain with Samba 2.2 Joining an NT Domain with Samba 2.2Assume you have a Samba 2.x server with a NetBIOS name of 10.2. Samba and Windows 2000 Domains Samba and Windows 2000 DomainsMany people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows @@ -7144,12 +7056,10 @@ Computers" MMC (Microsoft Management Console) plugin. 10.3. Why is this better than security = server? Why is this better than security = server?Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching @@ -7213,8 +7123,9 @@ CLASS="COMMAND" user is authenticated, making a Samba server truly plug and play in an NT domain environment. Watch for this code soon. NOTE:NOTE: Much of the text of this document was first published in the Web magazine Chapter 11. Unified Logons between Windows NT and UNIX using Winbind Unified Logons between Windows NT and UNIX using Winbind 11.1. Abstract AbstractIntegration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous computing environments for a long time. We present - winbindwinbind, a component of the Samba suite of programs as a solution to the unified logon problem. Winbind uses a UNIX implementation @@ -7261,12 +7169,10 @@ NAME="AEN1388" > 11.2. Introduction IntroductionIt is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -7315,12 +7221,10 @@ NAME="AEN1392" > 11.3. What Winbind Provides What Winbind ProvidesWinbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -7357,12 +7261,10 @@ NAME="AEN1405" location (on the domain controller). 11.3.1. Target Uses Target UsesWinbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -7381,12 +7283,10 @@ NAME="AEN1412" > 11.4. How Winbind Works How Winbind WorksThe winbind system is designed around a client/server architecture. A long running 11.4.1. Microsoft Remote Procedure Calls Microsoft Remote Procedure CallsOver the last two years, efforts have been underway by various Samba Team members to decode various aspects of @@ -7427,12 +7325,10 @@ NAME="AEN1421" > 11.4.2. Name Service Switch Name Service SwitchThe Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -7507,12 +7403,10 @@ CLASS="FILENAME" > 11.4.3. Pluggable Authentication Modules Pluggable Authentication ModulesPluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -7556,12 +7450,10 @@ CLASS="FILENAME" > 11.4.4. User and Group ID Allocation User and Group ID AllocationWhen a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -7582,12 +7474,10 @@ NAME="AEN1449" > 11.4.5. Result Caching Result CachingAn active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -7605,12 +7495,10 @@ NAME="AEN1453" > 11.5. Installation and Configuration Installation and ConfigurationMany thanks to John Trostel 11.5.1. Introduction IntroductionThis HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -7653,8 +7539,9 @@ somewhat to fit the way your distribution works. Why should I to this? Why should I to this? Who should be reading this document? Who should be reading this document? 11.5.2. Requirements RequirementsIf you have a samba configuration file that you are currently -using... BACK IT UP!BACK IT UP! If your system already uses PAM, -back up the /etc/pam.d directory -contents! If you haven't already made a boot disk, -MAKE ONE NOW!MAKE ONE NOW! Messing with the pam configuration files can make it nearly impossible @@ -7741,12 +7630,10 @@ CLASS="FILENAME" > 11.5.3. Testing Things Out Testing Things OutBefore starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all RPMs installed. 11.5.3.1. Configure and compile SAMBA Configure and compile SAMBAThe configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -7861,16 +7746,14 @@ It will also build the winbindd executable and libraries. 11.5.3.2. Configure Configure nsswitch.conf and the -winbind libraries The libraries needed to run the 11.5.3.3. Configure smb.conf Configure smb.confSeveral parameters are needed in the smb.conf file to control the behavior of 11.5.3.4. Join the SAMBA server to the PDC domain Join the SAMBA server to the PDC domainEnter the following command to make the SAMBA server join the PDC domain, where 11.5.3.5. Start up the winbindd daemon and test it! Start up the winbindd daemon and test it!Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -8246,20 +8123,16 @@ CLASS="COMMAND" > 11.5.3.6. Fix the init.d startup scripts Fix the init.d startup scripts 11.5.3.6.1. Linux LinuxThe 11.5.3.6.2. Solaris SolarisOn solaris, you need to modify the 11.5.3.6.3. Restarting RestartingIf you restart the 11.5.3.7. Configure Winbind and PAM Configure Winbind and PAMIf you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other @@ -8530,12 +8397,10 @@ CLASS="COMMAND" > 11.5.3.7.1. Linux/FreeBSD-specific PAM configuration Linux/FreeBSD-specific PAM configurationThe 11.5.3.7.2. Solaris-specific configuration Solaris-specific configurationThe /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes @@ -8800,12 +8663,10 @@ configured in the pam.conf. 11.6. Limitations LimitationsWinbind has a number of limitations in its current released version that we hope to overcome in future @@ -8841,12 +8702,10 @@ NAME="AEN1705" > 11.7. Conclusion ConclusionThe winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate @@ -8860,17 +8719,13 @@ NAME="AEN1715" CLASS="CHAPTER" > Chapter 12. How to Configure Samba 2.2 as a Primary Domain Controller How to Configure Samba 2.2 as a Primary Domain Controller 12.1. Prerequisite Reading Prerequisite ReadingBefore you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services @@ -8893,25 +8748,40 @@ of this HOWTO Collection. 12.2. Background Background Note: Author's Note:Author's Note: This document is a combination of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". Both documents are superseded by this one. Versions of Samba prior to release 2.2 had marginal capabilities to act @@ -9025,12 +8895,10 @@ concepts. They will be mentioned only briefly here. 12.3. Configuring the Samba Domain Controller Configuring the Samba Domain ControllerThe first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not @@ -9246,13 +9114,11 @@ Admins" style accounts. 12.4. Creating Machine Trust Accounts and Joining Clients to the -DomainCreating Machine Trust Accounts and Joining Clients to the +DomainA machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba @@ -9320,12 +9186,10 @@ CLASS="FILENAME" > 12.4.1. Manual Creation of Machine Trust Accounts Manual Creation of Machine Trust AccountsThe first step in manually creating a machine trust account is to manually create the corresponding Unix account in @@ -9458,18 +9322,30 @@ CLASS="WARNING" > Join the client to the domain immediately Manually creating a machine trust account using this method is the equivalent of creating a machine trust account on a Windows NT PDC using @@ -9487,12 +9363,10 @@ ALIGN="LEFT" > 12.4.2. "On-the-Fly" Creation of Machine Trust Accounts "On-the-Fly" Creation of Machine Trust AccountsThe second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client @@ -9533,12 +9407,10 @@ CLASS="PROGRAMLISTING" > 12.4.3. Joining the Client to the Domain Joining the Client to the DomainThe procedure for joining a client to the domain varies with the version of Windows. Windows 2000Windows 2000 When the user elects to join the client to a domain, Windows prompts for @@ -9571,8 +9444,9 @@ CLASS="FILENAME" > Windows NTWindows NT If the machine trust account was created manually, on the @@ -9593,12 +9467,10 @@ CLASS="FILENAME" > 12.5. Common Problems and Errors Common Problems and Errors I cannot include a '$' in a machine name. I cannot include a '$' in a machine name. I get told "You already have a connection to the Domain...." or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine trust account. The system can not log you on (C000019B).... The system can not log you on (C000019B).... The machine trust account for this computer either does not - exist or is not accessible. When I attempt to login to a Samba Domain from a NT4/W2K workstation, - I get a message about my account being disabled. 12.6. System Policies and Profiles System Policies and ProfilesMuch of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for @@ -9815,8 +9690,9 @@ Profiles and Policies in Windows NT 4.0 What about Windows NT Policy Editor? What about Windows NT Policy Editor? poledit.exe which - is included with NT Server but not NT Workstationnot NT Workstation. There is a Policy Editor on a NTws - but it is not suitable for creating Domain PoliciesDomain Policies. Further, although the Windows 95 Policy Editor can be installed on an NT Workstation/Server, it will not @@ -9874,8 +9752,9 @@ CLASS="COMMAND" > Can Win95 do Policies? Can Win95 do Policies? How do I get 'User Manager' and 'Server Manager' How do I get 'User Manager' and 'Server Manager' 12.7. What other help can I get? What other help can I get?There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come @@ -9965,9 +9843,10 @@ general SMB topics such as browsing. What are some diagnostics tools I can use to debug the domain logon - process and where can I find them? How do I install 'Network Monitor' on an NT Workstation - or a Windows 9x box? The Development The Development document on the Samba mirrors might mention your problem. If so, it might mean that the developers are working on it. How do I get help from the mailing lists? How do I get help from the mailing lists? You might include partialYou might include partial log files written at a debug level set to as much as 20. Please don't send the entire log but enough to give the context of the @@ -10311,8 +10194,9 @@ TARGET="_top" > How do I get off the mailing lists? How do I get off the mailing lists? 12.8. Domain Control for Windows 9x/ME Domain Control for Windows 9x/ME Note: The following section contains much of the original DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book Special -Edition, Using Samba, by Richard Sharpe. A domain and a workgroup are exactly the same thing in terms of network @@ -10459,12 +10358,10 @@ TYPE="1" > 12.8.1. Configuration Instructions: Network Logons Configuration Instructions: Network LogonsThe main difference between a PDC and a Windows 9x logon server configuration is that security mode and master browsers There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether @@ -10553,33 +10462,34 @@ for its domain. 12.8.2. Configuration Instructions: Setting up Roaming User Profiles Configuration Instructions: Setting up Roaming User Profiles 12.8.2.1. Windows NT Configuration Windows NT ConfigurationTo support WinNT clients, in the [global] section of smb.conf set the following (for example): Warning NOTE!NOTE! Roaming profiles support is different for Win9X and WinNT. Note: [lkcl 26aug96 - we have discovered a problem where Windows clients can maintain a connection to the [homes] share in between logins. The [homes] share must NOT therefore be used in a profile path.] 12.8.2.2. Windows 9X Configuration Windows 9X ConfigurationTo support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies @@ -10684,12 +10606,10 @@ specified \\%L\%U for "logon home". 12.8.2.3. Win9X and WinNT Configuration Win9X and WinNT ConfigurationYou can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example: Note: I have not checked what 'net use /home' does on NT when "logon home" is set as above. 12.8.2.4. Windows 9X Profile Setup Windows 9X Profile SetupWhen a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -10832,8 +10766,9 @@ TYPE="1" > WARNING WARNING - before deleting the contents of the directory listed in the ProfilePath (this is likely to be c:\windows\profiles\username), @@ -10878,30 +10813,44 @@ differences are with the equivalent samba trace. 12.8.2.5. Windows NT Workstation 4.0 Windows NT Workstation 4.0When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified through the "logon path" parameter. Note: [lkcl 10aug97 - i tried setting the path to \\samba-server\homes\profile, and discovered that this fails because a background process maintains the connection to the [homes] share which does _not_ close down in between user logins. you have to have \\samba-server\%L\profile, where user is the username created from the [homes] share]. There is a parameter that is now available for use with NT Profiles: @@ -10932,11 +10881,25 @@ NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN turns a profile into a mandatory one. Note: [lkcl 10aug97 - i notice that NT Workstation tells me that it is downloading a profile from a slow link. whether this is actually the case, or whether there is some configuration issue, as yet unknown, @@ -10955,17 +10918,17 @@ workstation for clear-text passwords].[lkcl 25aug97 - more comments received about NT profiles: the case of the profile _matters_. the file _must_ be called NTuser.DAT or, for a mandatory profile, NTuser.MAN]. 12.8.2.6. Windows NT Server Windows NT ServerThere is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the @@ -10974,30 +10937,40 @@ that SMB server supports encrypted passwords. 12.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0 Sharing Profiles between W95 and NT Workstation 4.0 Potentially outdated or incorrect material follows I think this is all bogus, but have not deleted it. (Richard Sharpe) Note: [lkcl 25aug97 - there are some issues to resolve with downloading of NT profiles, probably to do with time/date stamps. i have found that NTuser.DAT is never updated on the workstation after the first time that it is copied to the local workstation profile directory. this is in contrast to w95, where it _does_ transfer / update profiles correctly]. 12.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba Possibly Outdated Material This appendix was originally authored by John H Terpstra of the Samba Team and is included here for posterity. @@ -11072,8 +11071,9 @@ ALIGN="LEFT" > NOTE :NOTE : The term "Domain Controller" and those related to it refer to one specific method of authentication that can underly an SMB domain. Domain Controllers @@ -11163,17 +11163,13 @@ within its registry. Chapter 13. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain 13.1. Prerequisite Reading Prerequisite ReadingBefore you continue reading in this chapter, please make sure that you are comfortable with configuring a Samba PDC @@ -11185,12 +11181,10 @@ TARGET="_top" > 13.2. Background BackgroundWhat is a Domain Controller? It is a machine that is able to answer logon requests from workstations in a Windows NT Domain. Whenever a @@ -11239,12 +11233,10 @@ others. This will not be covered in this document. 13.3. What qualifies a Domain Controller on the network? What qualifies a Domain Controller on the network?Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS group name SAMBA#1c with the WINS server and/or @@ -11256,12 +11248,10 @@ Microsoft Domain implementation requires the domain master browser to be on the same machine as the PDC. 13.3.1. How does a Workstation find its domain controller? How does a Workstation find its domain controller?A NT workstation in the domain SAMBA that wants a local user to be authenticated has to find the domain controller for SAMBA. It does @@ -11275,12 +11265,10 @@ the domain controller, asking for approval. 13.3.2. When is the PDC needed? When is the PDC needed?Whenever a user wants to change his password, this has to be done on the PDC. To find the PDC, the workstation does a NetBIOS name query @@ -11291,12 +11279,10 @@ the password change is done. 13.4. Can Samba be a Backup Domain Controller? Can Samba be a Backup Domain Controller?With version 2.2, no. The native NT SAM replication protocols have not yet been fully implemented. The Samba Team is working on @@ -11310,12 +11296,10 @@ service logon requests whenever the PDC is down. 13.5. How do I set up a Samba BDC? How do I set up a Samba BDC?Several things have to be done: The file private/MACHINE.SID identifies the domain. When a samba -server is first started, it is created on the fly and must never be -changed again. This file has to be the same on the PDC and the BDC, -so the MACHINE.SID has to be copied from the PDC to the BDC.The domain SID has to be the same on the PDC and the BDC. This used to +be stored in the file private/MACHINE.SID. This file is not created +anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is +stored in the file private/secrets.tdb. Simply copying the secrets.tdb +from the PDC to the BDC does not work, as the BDC would +generate a new SID for itself and override the domain SID with this +new BDC SID. To retrieve the domain SID from the PDC or an existing BDC and store it in the +secrets.tdb, execute 'net rpc getsid' on the BDC. 13.5.1. How do I replicate the smbpasswd file? How do I replicate the smbpasswd file?Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change is @@ -11405,17 +11393,13 @@ password. Chapter 14. Storing Samba's User/Machine Account information in an LDAP Directory Storing Samba's User/Machine Account information in an LDAP Directory 14.1. Purpose PurposeThis document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is @@ -11478,12 +11462,10 @@ TARGET="_top" > 14.2. Introduction IntroductionTraditionally, when configuring 14.3. Supported LDAP Servers Supported LDAP ServersThe LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with @@ -11620,12 +11600,10 @@ TARGET="_top" > 14.4. Schema and Relationship to the RFC 2307 posixAccount Schema and Relationship to the RFC 2307 posixAccountSamba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in 14.5. Configuring Samba with LDAP Configuring Samba with LDAP 14.5.1. OpenLDAP configuration OpenLDAP configurationTo include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory. 14.5.2. Configuring Samba Configuring SambaThe following parameters are available in smb.conf only with 14.6. Accounts and Groups management Accounts and Groups managementAs users accounts are managed thru the sambaAccount objectclass, you should modify you existing administration tools to deal with sambaAccount attributes. 14.7. Security and sambaAccount Security and sambaAccountThere are two important points to remember when discussing the security of sambaAccount entries in the directory. NeverNever retrieve the lmPassword or ntPassword attribute values over an unencrypted LDAP session. NeverNever allow non-admin users to view the lmPassword or ntPassword attribute values. 14.8. LDAP specials attributes for sambaAccounts LDAP specials attributes for sambaAccountsThe sambaAccount objectclass is composed of the following attributes: 14.9. Example LDIF Entries for a sambaAccount Example LDIF Entries for a sambaAccountThe following is a working LDIF with the inclusion of the posixAccount objectclass: 14.10. Comments CommentsPlease mail all comments regarding this HOWTO to Chapter 15. Improved browsing in samba Improved browsing in samba 15.1. Overview of browsing Overview of browsingSMB networking provides a mechanism by which clients can access a list of machines in a network, a so-called "browse list". This list @@ -12365,12 +12325,10 @@ that can NOT be provided by any other means of name resolution. 15.2. Browsing support in samba Browsing support in sambaSamba now fully supports browsing. The browsing is supported by nmbd and is also controlled by options in the smb.conf file (see smb.conf(5)). 15.3. Problem resolution Problem resolutionIf something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding @@ -12444,12 +12400,10 @@ in smb.conf) 15.4. Browsing across subnets Browsing across subnetsWith the release of Samba 1.9.17(alpha1 and above) Samba has been updated to enable it to support the replication of browse lists @@ -12475,12 +12429,10 @@ of a WINS server given to them by a DHCP server, or by manual configuration settings) for Samba this is in the smb.conf file. 15.4.1. How does cross subnet browsing work ? How does cross subnet browsing work ?Cross subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several years to get the code @@ -12732,12 +12684,10 @@ TYPE="1" > 15.5. Setting up a WINS server Setting up a WINS serverEither a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must @@ -12815,12 +12765,10 @@ browsing on networks that contain NT Domains. 15.6. Setting up Browsing in a WORKGROUP Setting up Browsing in a WORKGROUPTo set up cross subnet browsing on a network containing machines in up to be in a WORKGROUP, not an NT Domain you need to set up one @@ -12926,12 +12874,10 @@ CLASS="PROGRAMLISTING" > 15.7. Setting up Browsing in a DOMAIN Setting up Browsing in a DOMAINIf you are adding Samba servers to a Windows NT Domain then you must not set up a Samba server as a domain master browser. @@ -12986,12 +12932,10 @@ CLASS="COMMAND" > 15.8. Forcing samba to be the master Forcing samba to be the masterWho becomes the "master browser" is determined by an election process using broadcasts. Each election packet contains a number of parameters @@ -13034,12 +12978,10 @@ the current domain master browser fail. 15.9. Making samba the domain master Making samba the domain masterThe domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can @@ -13107,12 +13049,10 @@ TYPE="1" > 15.10. Note about broadcast addresses Note about broadcast addressesIf your network uses a "0" based broadcast address (for example if it ends in a 0) then you will strike problems. Windows for Workgroups @@ -13121,12 +13061,10 @@ that browsing and name lookups won't work. 15.11. Multiple interfaces Multiple interfacesSamba now supports machines with multiple network interfaces. If you have multiple interfaces then you will need to use the "interfaces" @@ -13137,17 +13075,13 @@ option in smb.conf to configure them. See smb.conf(5) for details. Chapter 16. Samba performance issues Samba performance issues 16.1. Comparisons ComparisonsThe Samba server uses TCP to talk to the client. Thus if you are trying to see if it performs well you should really compare it to @@ -13173,20 +13107,16 @@ systems. 16.2. Oplocks Oplocks 16.2.1. Overview OverviewOplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock @@ -13217,12 +13147,10 @@ code did follows. 16.2.2. Level2 Oplocks Level2 OplocksWith Samba 2.0.5 a new capability - level2 (read only) oplocks is supported (although the option is off by default - see the smb.conf @@ -13241,12 +13169,10 @@ read-ahread cache copies of these files. 16.2.3. Old 'fake oplocks' option - deprecated Old 'fake oplocks' option - deprecatedSamba can also fake oplocks, by granting a oplock whenever a client asks for one. This is controlled using the smb.conf option "fake @@ -13262,12 +13188,10 @@ at the same time you can get data corruption. 16.3. Socket options Socket optionsThere are a number of socket options that can greatly affect the performance of a TCP based server like Samba. 16.4. Read size Read sizeThe option "read size" affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in @@ -13316,12 +13238,10 @@ pointless and will cause you to allocate memory unnecessarily. 16.5. Max xmit Max xmitAt startup the client and server negotiate a "maximum transmit" size, which limits the size of nearly all SMB commands. You can set the @@ -13339,12 +13259,10 @@ of less than 2048 is likely to cause severe problems. 16.6. Locking LockingBy default Samba does not implement strict locking on each read/write call (although it did in previous versions). If you enable strict @@ -13356,12 +13274,10 @@ filesystems, but could be quite high even on local disks. 16.7. Share modes Share modesSome people find that opening files is very slow. This is often because of the "share modes" code needed to fully implement the dos @@ -13386,12 +13302,10 @@ things much faster. See the Makefile for how to enable this. 16.8. Log level Log levelIf you set the log level (also known as "debug level") higher than 2 then you may suffer a large drop in performance. This is because the @@ -13400,12 +13314,10 @@ expensive. 16.9. Wide lines Wide linesThe "wide links" option is now enabled by default, but if you disable it (for better security) then you may suffer a performance hit in @@ -13414,12 +13326,10 @@ resolving filenames. The performance loss is lessened if you have > 16.10. Read raw Read rawThe "read raw" operation is designed to be an optimised, low-latency file read operation. A server may choose to not support it, @@ -13436,12 +13346,10 @@ testing can really tell. 16.11. Write raw Write rawThe "write raw" operation is designed to be an optimised, low-latency file write operation. A server may choose to not support it, @@ -13453,12 +13361,10 @@ case you may wish to change this option. 16.12. Read prediction Read predictionSamba can do read prediction on some of the SMB commands. Read prediction means that Samba reads some extra data on the last file it @@ -13479,12 +13385,10 @@ as "Write" under NT) which do lots of very small reads on a file. 16.13. Memory mapping Memory mappingSamba supports reading files via memory mapping them. One some machines this can give a large boost to performance, on others it @@ -13500,12 +13404,10 @@ no". 16.14. Slow Clients Slow ClientsOne person has reported that setting the protocol to COREPLUS rather than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s). 16.15. Slow Logins Slow LoginsSlow logins are almost always due to the password checking time. Using the lowest practical "password level" will improve things a lot. You @@ -13530,12 +13430,10 @@ could also enable the "UFC crypt" option in the Makefile. 16.16. Client tuning Client tuningOften a speed problem can be traced to the client. The client (for example Windows for Workgroups) can often be tuned for better TCP @@ -13634,12 +13532,10 @@ staggering. 16.17. My Results My ResultsSome people want to see real numbers in a document like this, so here they are. I have a 486sx33 client running WfWg 3.11 with the 3.11b @@ -13666,38 +13562,78 @@ here someday ... Chapter 17. OS2 Client HOWTO Samba and other CIFS clientsThis chapter contains client-specific information. 17.1. FAQs 17.1.1. How can I configure OS/2 Warp Connect or - OS/2 Warp 4 as a client for Samba? Macintosh clients?A more complete answer to this question can be - found on Yes. http://carol.wins.uva.nl/~leeuw/samba/warp.html. Thursby now have a CIFS Client / Server called DAVE - see Basically, you need three components:They test it against Windows 95, Windows NT and samba for +compatibility issues. At the time of writing, DAVE was at version +1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from +the Thursby web site (the speed of finder copies has been greatly +enhanced, and there are bug-fixes included). +Alternatives - There are two free implementations of AppleTalk for +several kinds of UNIX machnes, and several more commercial ones. +These products allow you to run file services and print services +natively to Macintosh users, with no additional support required on +the Macintosh. The two free omplementations are +Netatalk, and +CAP. +What Samba offers MS +Windows users, these packages offer to Macs. For more info on these +packages, Samba, and Linux (and other UNIX-based systems) see +http://www.eats.com/linux_mac_win.html OS2 Client How can I configure OS/2 Warp Connect or + OS/2 Warp 4 as a client for Samba? A more complete answer to this question can be + found on http://carol.wins.uva.nl/~leeuw/samba/warp.html. Basically, you need three components: The File and Print Client ('IBM Peer') @@ -13738,13 +13674,11 @@ TARGET="_top" > 17.1.2. How can I configure OS/2 Warp 3 (not Connect), - OS/2 1.2, 1.3 or 2.x for Samba?How can I configure OS/2 Warp 3 (not Connect), + OS/2 1.2, 1.3 or 2.x for Samba?You can use the free Microsoft LAN Manager 2.2c Client for OS/2 from @@ -13791,13 +13725,11 @@ TARGET="_top" > 17.1.3. Are there any other issues when OS/2 (any version) - is used as a client?Are there any other issues when OS/2 (any version) + is used as a client?When you do a NET VIEW or use the "File and Print Client Resource Browser", no Samba servers show up. This can @@ -13813,13 +13745,11 @@ TARGET="_top" > 17.1.4. How do I get printer driver download working - for OS/2 clients?How do I get printer driver download working + for OS/2 clients?First, create a share called [PRINTDRV] that is world-readable. Copy your OS/2 driver files there. Note @@ -13828,7 +13758,7 @@ NAME="AEN2890" driver from an OS/2 system. Install the NT driver first for that printer. Then, - add to your smb.conf a parameter, "os2 driver map = + add to your smb.conf a parameter, os2 driver map = <nt driver name> = <os2 driver - name>.<device name>, e.g.: +>nt driver name = os2 "driver + name"."device name", e.g.: HP LaserJet 5L = LASERJET.HP LaserJet 5L You can have multiple drivers mapped in this file. Windows for Workgroups Use latest TCP/IP stack from Microsoft Use the latest TCP/IP stack from microsoft if you use Windows +for workgroups. The early TCP/IP stacks had lots of bugs. +Microsoft has released an incremental upgrade to their TCP/IP 32-Bit +VxD drivers. The latest release can be found on their ftp site at +ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe. +There is an update.txt file there that describes the problems that were +fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386, +WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE. Delete .pwl files after password change WfWg does a lousy job with passwords. I find that if I change my +password on either the unix box or the PC the safest thing to do is to +delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password. +If you don't do this you may find that WfWg remembers and uses the old +password, even if you told it a new one. +Often WfWg will totally ignore a password you give it in a dialog box. Configure WfW password handling There is a program call admincfg.exe +on the last disk (disk 8) of the WFW 3.11 disk set. To install it +type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon +for it via the "Progam Manager" "New" Menu. This program allows you +to control how WFW handles passwords. ie disable Password Caching etc +for use with security = user Case handling of passwords Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the smb.conf(5) information on password level to specify what characters samba should try to uppercase when checking. Windows '95/'98 When using Windows 95 OEM SR2 the following updates are recommended where Samba +is being used. Please NOTE that the above change will affect you once these +updates have been installed. +There are more updates than the ones mentioned here. You are referred to the +Microsoft Web site for all currently available updates to your specific version +of Windows 95. Kernel Update: KRNLUPD.EXE Ping Fix: PINGUPD.EXE RPC Update: RPCRTUPD.EXE TCP/IP Update: VIPUPD.EXE Redirector Update: VRDRUPD.EXE Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This +fix may stop your machine from hanging for an extended period when exiting +OutLook and you may also notice a significant speedup when accessing network +neighborhood services. Windows 2000 Service Pack 2 +There are several annoyances with Windows 2000 SP2. One of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +likely occur if it is not. +In order to server profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have +nt acl support = no +added to the file share which houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, etc...). See the +smb.conf(5) man page +for more details on this option. Also note that the +nt acl support parameter was formally a global parameter in +releases prior to Samba 2.2.2. +The following is a minimal profile share: [profile] + path = /export/profile + create mask = 0600 + directory mask = 0700 + nt acl support = no + read only = no The reason for this bug is that the Win2k SP2 client copies +the security descriptor for the profile which contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different that the one assigned to DOMAIN\user. Hence the reason +for the "access denied" message. By disabling the nt acl support parameter, Samba will send +the Win2k client a response to the QuerySecurityDescriptor +trans2 call which causes the client to set a default ACL +for the profile. This default ACL includes DOMAIN\user "Full Control" NOTE : This bug does not occur when using winbind to +create accounts on the Samba host for Domain users. Chapter 18. HOWTO Access Samba source code via CVS HOWTO Access Samba source code via CVS 18.1. Introduction IntroductionSamba is developed in an open environment. Developers use CVS (Concurrent Versioning System) to "checkin" (also known as @@ -13891,12 +14030,10 @@ TARGET="_top" > 18.2. CVS Access to samba.org CVS Access to samba.orgThe machine samba.org runs a publicly accessible CVS repository for access to the source code of several packages, @@ -13904,12 +14041,10 @@ including samba, rsync and jitterbug. There are two main ways of accessing the CVS server on this host. 18.2.1. Access via CVSweb Access via CVSwebYou can access the source code via your favourite WWW browser. This allows you to access the contents of @@ -13925,12 +14060,10 @@ TARGET="_top" > 18.2.2. Access via cvs Access via cvsYou can also access the source code via a normal cvs client. This gives you much more control over you can @@ -14036,17 +14169,13 @@ CLASS="COMMAND" CLASS="CHAPTER" > Chapter 19. Reporting Bugs Reporting Bugs 19.1. Introduction IntroductionThe email address for bug reports is samba@samba.org 19.2. General info General infoBefore submitting a bug report check your config for silly errors. Look in your log files for obvious messages that tell you that @@ -14098,12 +14225,10 @@ time, and exactly what the results were. 19.3. Debug levels Debug levelsIf the bug has anything to do with Samba behaving incorrectly as a server (like refusing to open a file) then the log files will probably @@ -14177,12 +14302,10 @@ large volume of log data. 19.4. Internal errors Internal errorsIf you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a @@ -14221,12 +14344,10 @@ useful. 19.5. Attaching to a running process Attaching to a running processUnfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd @@ -14238,12 +14359,10 @@ where it occurred. 19.6. Patches PatchesThe best sort of bug report is one that includes a fix! If you send us patches please use Index Primary Domain Controller, - Background - Group mapping HOWTO +Starting with Samba 3.0 alpha 2, a new group mapping function is available. The +current method (likely to change) to manage the groups is a new command called +smbgroupedit. The first immediate reason to use the group mapping on a PDC, is that +the domain admin group of smb.conf is +now gone. This parameter was used to give the listed users local admin rights +on their workstations. It was some magic stuff that simply worked but didn't +scale very well for complex setups. Let me explain how it works on NT/W2K, to have this magic fade away. +When installing NT/W2K on a computer, the installer program creates some users +and groups. Notably the 'Administrators' group, and gives to that group some +privileges like the ability to change the date and time or to kill any process +(or close too) running on the local machine. The 'Administrator' user is a +member of the 'Administrators' group, and thus 'inherit' the 'Administrators' +group privileges. If a 'joe' user is created and become a member of the +'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. When a NT/W2K machine is joined to a domain, during that phase, the "Domain +Administrators' group of the PDC is added to the 'Administrators' group of the +workstation. Every members of the 'Domain Administrators' group 'inherit' the +rights of the 'Administrators' group when logging on the workstation. You are now wondering how to make some of your samba PDC users members of the +'Domain Administrators' ? That's really easy. create a unix group (usually in /etc/group), let's call it domadm add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in /etc/group will look like: domadm:x:502:joe,john,mary Map this domadm group to the domain admins group by running the command: smbgroupedit -c "Domain Admins" -u domadm You're set, joe, john and mary are domain administrators ! Like the Domain Admins group, you can map any arbitrary Unix group to any NT +group. You can also make any Unix group a domain group. For example, on a domain +member machine (an NT/W2K or a samba server running winbind), you would like to +give access to a certain directory to some users who are member of a group on +your samba PDC. Flag that group as a domain group by running: smbgroupedit -a unixgroup -td You can list the various groups in the mapping database like this smbgroupedit -v Portability Samba works on a wide range of platforms but the interface all the +platforms provide is not always compatible. This chapter contains +platform-specific information about compiling and using samba. HPUX HP's implementation of supplementary groups is, er, non-standard (for +hysterical reasons). There are two group files, /etc/group and +/etc/logingroup; the system maps UIDs to numbers using the former, but +initgroups() reads the latter. Most system admins who know the ropes +symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons +too stupid to go into here). initgroups() will complain if one of the +groups you're in in /etc/logingroup has what it considers to be an invalid +ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think) +60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody' +GIDs. If you encounter this problem, make sure that the programs that are failing +to initgroups() be run as users not in any groups with GIDs outside the +allowed range. This is documented in the HP manual pages under setgroups(2) and passwd(4). SCO Unix +If you run an old version of SCO Unix then you may need to get important +TCP/IP patches for Samba to work correctly. Without the patch, you may +encounter corrupt data transfers using samba. The patch you need is UOD385 Connection Drivers SLS. It is available from +SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z). DNIX DNIX has a problem with seteuid() and setegid(). These routines are +needed for Samba to work correctly, but they were left out of the DNIX +C library for some reason. For this reason Samba by default defines the macro NO_EID in the DNIX +section of includes.h. This works around the problem in a limited way, +but it is far from ideal, some things still won't work right. +To fix the problem properly you need to assemble the following two +functions and then either add them to your C library or link them into +Samba. +put this in the file setegid.s: .globl _setegid +_setegid: + moveq #47,d0 + movl #100,a0 + moveq #1,d1 + movl 4(sp),a1 + trap #9 + bccs 1$ + jmp cerror +1$: + clrl d0 + rts put this in the file seteuid.s: .globl _seteuid +_seteuid: + moveq #47,d0 + movl #100,a0 + moveq #0,d1 + movl 4(sp),a1 + trap #9 + bccs 1$ + jmp cerror +1$: + clrl d0 + rts after creating the above files you then assemble them using as seteuid.s as setegid.s that should produce the files seteuid.o and +setegid.o then you need to add these to the LIBSM line in the DNIX section of +the Samba Makefile. Your LIBSM line will then look something like this: LIBSM = setegid.o seteuid.o -ln +You should then remove the line: #define NO_EID from the DNIX section of includes.h Unified Logons between Windows NT and UNIX using WinbindSAMBA Project Documentation Prev Next Unified Logons between Windows NT and UNIX using Winbind Chapter 11. Unified Logons between Windows NT and UNIX using WinbindAbstract 11.1. AbstractIntegration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous computing environments for a long time. We present - winbind, a component of the Samba suite of programs as a solution to the unified logon problem. Winbind uses a UNIX implementation @@ -49,12 +98,10 @@ CLASS="EMPHASIS" > Introduction 11.2. IntroductionIt is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -103,12 +150,10 @@ NAME="AEN7" > What Winbind Provides 11.3. What Winbind ProvidesWinbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -145,12 +190,10 @@ NAME="AEN20" location (on the domain controller). Target Uses 11.3.1. Target UsesWinbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -169,12 +212,10 @@ NAME="AEN27" > How Winbind Works 11.4. How Winbind WorksThe winbind system is designed around a client/server architecture. A long running Microsoft Remote Procedure Calls 11.4.1. Microsoft Remote Procedure CallsOver the last two years, efforts have been underway by various Samba Team members to decode various aspects of @@ -215,12 +254,10 @@ NAME="AEN36" > Name Service Switch 11.4.2. Name Service SwitchThe Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -295,12 +332,10 @@ CLASS="FILENAME" > Pluggable Authentication Modules 11.4.3. Pluggable Authentication ModulesPluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -344,12 +379,10 @@ CLASS="FILENAME" > User and Group ID Allocation 11.4.4. User and Group ID AllocationWhen a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -370,12 +403,10 @@ NAME="AEN64" > Result Caching 11.4.5. Result CachingAn active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -393,12 +424,10 @@ NAME="AEN68" > Installation and Configuration 11.5. Installation and ConfigurationMany thanks to John Trostel Introduction 11.5.1. IntroductionThis HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -441,9 +468,12 @@ somewhat to fit the way your distribution works. Why should I to this? Who should be reading this document? Requirements 11.5.2. RequirementsIf you have a samba configuration file that you are currently -using... BACK IT UP! If your system already uses PAM, -back up the /etc/pam.d directory contents! If you haven't already made a boot disk, -MAKE ONE NOW! Messing with the pam configuration files can make it nearly impossible @@ -534,12 +574,10 @@ CLASS="FILENAME" > Testing Things Out 11.5.3. Testing Things OutBefore starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all RPMs installed. Configure and compile SAMBA 11.5.3.1. Configure and compile SAMBAThe configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -645,16 +681,14 @@ It will also build the winbindd executable and libraries. Configure 11.5.3.2. Configure nsswitch.conf and the -winbind libraries The libraries needed to run the Configure smb.conf 11.5.3.3. Configure smb.confSeveral parameters are needed in the smb.conf file to control the behavior of Join the SAMBA server to the PDC domain 11.5.3.4. Join the SAMBA server to the PDC domainEnter the following command to make the SAMBA server join the PDC domain, where Start up the winbindd daemon and test it! 11.5.3.5. Start up the winbindd daemon and test it!Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -994,20 +1022,16 @@ CLASS="COMMAND" > Fix the init.d startup scripts 11.5.3.6. Fix the init.d startup scriptsLinux 11.5.3.6.1. LinuxThe Solaris 11.5.3.6.2. SolarisOn solaris, you need to modify the Restarting 11.5.3.6.3. RestartingIf you restart the Configure Winbind and PAM 11.5.3.7. Configure Winbind and PAMIf you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other @@ -1251,12 +1269,10 @@ CLASS="COMMAND" > Linux/FreeBSD-specific PAM configuration 11.5.3.7.1. Linux/FreeBSD-specific PAM configurationThe Solaris-specific configuration 11.5.3.7.2. Solaris-specific configurationThe /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes @@ -1467,12 +1481,10 @@ configured in the pam.conf. Limitations 11.6. LimitationsWinbind has a number of limitations in its current released version that we hope to overcome in future @@ -1508,12 +1520,10 @@ NAME="AEN320" > Conclusion 11.7. ConclusionThe winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate @@ -1523,6 +1533,64 @@ NAME="AEN330" cost of running a mixed UNIX and NT network. Prev Home Next security = domain in Samba 2.x How to Configure Samba 2.2 as a Primary Domain Controller \ No newline at end of file -- cgit