From ca12d82eaf4c6bd498208a246ca8a1ca9f47c58b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Jan 2002 17:04:30 +0000 Subject: merge from 2.2 (This used to be commit 2137c7163475691056fe1701b75128e238520b05) --- docs/htmldocs/nmbd.8.html | 60 +++--- docs/htmldocs/smb.conf.5.html | 212 ++++++++++++++++----- docs/htmldocs/smbd.8.html | 409 +++-------------------------------------- docs/htmldocs/smbpasswd.8.html | 93 ++-------- docs/htmldocs/winbindd.8.html | 38 +++- 5 files changed, 271 insertions(+), 541 deletions(-) (limited to 'docs/htmldocs') diff --git a/docs/htmldocs/nmbd.8.html b/docs/htmldocs/nmbd.8.html index f926e46a75..4e5993f3bc 100644 --- a/docs/htmldocs/nmbd.8.html +++ b/docs/htmldocs/nmbd.8.html @@ -399,7 +399,12 @@ CLASS="COMMAND" >inetd meta-daemon, this file must contain suitable startup information for the - meta-daemon. See the section INSTALLATION below. + meta-daemon. See the UNIX_INSTALL.html document + for details.

If running the server as a daemon at startup, this file will need to contain an appropriate startup - sequence for the server. See the section INSTALLATION - below.

UNIX_INSTALL.html document + for details.

, this file must contain a mapping of service name (e.g., netbios-ssn) to service port (e.g., 139) and protocol type (e.g., tcp). - See the section INSTALLATION below.

UNIX_INSTALL.html + document for details.

When run as a WINS server (see the wins support - parameter in the smb.conf(5) man page), smb.conf(5) man page), + nmbd +> will store the WINS database in the file wins.dat is acting as a browse master (see the local master - parameter in the smb.conf(5) man page), smb.conf(5) man page, + nmbd +> will store the browsing database in the file browse.dat @@ -524,7 +532,7 @@ CLASS="FILENAME" >
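
Review bot: The browse-master sentence loses its closing parenthesis. The WINS sentence keeps `smb.conf(5) man page),` but the replacement for the local master sentence reads `smb.conf(5) man page,`, so "(see the local master parameter in the ..." is never closed. Restore the `)` before the comma so the two sentences match.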

SIGNALS

VERSION

SEE ALSO

AUTHOR

  • auth methods

  • nt pipe supportnon unix account range

  • nt smb supportnt pipe support

  • passdb backend

  • winbind use default domain

  • COMPLETE LIST OF SERVICE PARAMETERS

    EXPLANATION OF EACH PARAMETER

    auth methods (G)

    This option allows the administrator to chose what + authentication methods smbd will use when authenticating + a user. This option defaults to sensible values based on security. + + Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. +

    Default: auth methods = <empty string>

    Example: auth methods = guest sam ntdomain

    available (S)
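
Review bot: The new `auth methods` entry says the option "defaults to sensible values based on security", yet the Default line reads `<empty string>` and no list of accepted method names is given; the only names a reader sees are `guest sam ntdomain` in the Example. Document which methods each `security` setting selects when the list is empty and enumerate the valid names. Since entries are tried "in turn, until the user authenticates", also say what happens when every method in the list fails, and correct "chose" to "choose".
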
    program for information on how to set up and maintain this file), or set the security = [server|domain]security = [server|domain|ads] parameter which causes
    non unix account range (G)

    The non unix account range parameter specifies + the range of 'user ids' that are allocated by the various 'non unix + account' passdb backends. These backends allow + the storage of passwords for users who don't exist in /etc/passwd. + This is most often used for machine account creation. + This range of ids should have no existing local or NIS users within + it as strange conflicts can occur otherwise.

    NOTE: These userids never appear on the system and Samba will never + 'become' these users. They are used only to ensure that the algorithmic + RID mapping does not conflict with normal users. +

    Default: non unix account range = <empty string> +

    Example: non unix account range = 10000-20000

    nt acl support (S)
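
Review bot: The `non unix account range` entry leaves the unset case undefined: the Default is `<empty string>`, but the text does not say whether the 'non unix account' passdb backends refuse to allocate ids or fall back to something else when no range is configured. "Strange conflicts can occur" is also too vague for what is an overlap between allocated ids and real local or NIS uids; state the consequence of an overlap and that the range must stay outside any uid the system hands out.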
    nt smb support (G)

    This boolean parameter controls whether smbd(8) will negotiate NT specific SMB - support with Windows NT clients. Although this is a developer - debugging option and should be left alone, benchmarking has discovered - that Windows NT clients give faster performance with this option - set to no. This is still being investigated. - If this option is set to no then Samba offers - exactly the same SMB calls that versions prior to Samba 2.0 offered. - This information may be of use if any users are having problems - with NT SMB support.

    You should not need to ever disable this parameter.

    Default: nt smb support = yes

    null passwords (G)
    passdb backend (G)

    This option allows the administrator to chose what + backend in which to store passwords. This allows (for example) both + smbpasswd and tdbsam to be used without a recompile. Only one can + be used at a time however, and experimental backends must still be selected + (eg --with-tdbsam) at configure time. +

    Default: passdb backend = smbpasswd

    Example: passdb backend = tdbsam

    passwd chat (G)
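
Review bot: The `passdb backend` entry names `smbpasswd` and `tdbsam` only as examples and never lists the accepted values, nor what smbd does when the selected backend was not enabled at configure time (the `--with-tdbsam` case it mentions). Since "only one can be used at a time", it should also say that existing password entries are not carried over when the value is changed, if that is the case. Wording: "chose" should be "choose" and "eg" should be "e.g.".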

    winbind use default domain, winbind use default domain

    This parameter specifies whether the winbindd(8) + daemon should operate on users without domain component in their username. + Users without a domain component are treated as is part of the winbindd server's + own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail + function in a way much closer to the way they would in a native unix system.

    Default: winbind use default domain = <falseg> +

    Example: winbind use default domain = true

    WARNINGS
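
Review bot: The Default line for `winbind use default domain` reads `<falseg>`, which should be `false` to match the `true` in the Example line. The description also has "treated as is part of" (read "treated as part of") and "benifit" (read "benefit"), and the entry heading repeats the parameter name without the scope marker that neighbouring entries carry, such as `passdb backend (G)`.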

    VERSION

    SEE ALSO

    AUTHOR

    inetd
    meta-daemon, this file must contain suitable startup information for the - meta-daemon. See the section INSTALLATION below. + meta-daemon. See the UNIX_INSTALL.html + document for details.

    If running the server as a daemon at startup, this file will need to contain an appropriate startup - sequence for the server. See the section INSTALLATION - below.

    UNIX_INSTALL.html + document for details.

    , this file must contain a mapping of service name (e.g., netbios-ssn) to service port (e.g., 139) and protocol type (e.g., tcp). - See the section INSTALLATION below.

    UNIX_INSTALL.html + document for details.

    LIMITATIONS

    ENVIRONMENT VARIABLES

    INSTALLATION

    The location of the server and its support files - is a matter for individual system administrators. The following - are thus suggestions only.

    It is recommended that the server software be installed - under the /usr/local/samba/ hierarchy, - in a directory readable by all, writeable only by root. The server - program itself should be executable by all, as users may wish to - run the server themselves (in which case it will of course run - with their privileges). The server should NOT be setuid. On some - systems it may be worthwhile to make smbd setgid to an empty group. - This is because some systems may have a security hole where daemon - processes that become a user can be attached to with a debugger. - Making the smbd file setgid to an empty group may prevent - this hole from being exploited. This security hole and the suggested - fix has only been confirmed on old versions (pre-kernel 2.0) of Linux - at the time this was written. It is possible that this hole only - exists in Linux, as testing on other systems has thus far shown them - to be immune.

    The server log files should be put in a directory readable and - writeable only by root, as the log files may contain sensitive - information.

    The configuration file should be placed in a directory - readable and writeable only by root, as the configuration file - controls security for the services offered by the server. The - configuration file can be made readable by all if desired, but - this is not necessary for correct operation of the server and is - not recommended. A sample configuration file smb.conf.sample - is supplied with the source to the server - this may - be renamed to smb.conf and modified to suit - your needs.

    The remaining notes will assume the following:

    • smbd (the server program) - installed in /usr/local/samba/bin

    • smb.conf (the configuration - file) installed in /usr/local/samba/lib

    • log files stored in /var/adm/smblogs -

    The server may be run either as a daemon by users - or at startup, or it may be run from a meta-daemon such as - inetd upon request. If run as a daemon, - the server will always be ready, so starting sessions will be - faster. If run from a meta-daemon some memory will be saved and - utilities such as the tcpd TCP-wrapper may be used for extra - security. For serious use as file server it is recommended - that smbd be run as a daemon.

    When you've decided, continue with either

    • RUNNING THE SERVER AS A DAEMON or

    • RUNNING THE SERVER ON REQUEST.

    RUNNING THE SERVER AS A DAEMON

    To run the server as a daemon from the command - line, simply put the -D option on the - command line. There is no need to place an ampersand at - the end of the command line - the -D - option causes the server to detach itself from the tty - anyway.

    Any user can run the server as a daemon (execute - permissions permitting, of course). This is useful for - testing purposes, and may even be useful as a temporary - substitute for something like ftp. When run this way, however, - the server will only have the privileges of the user who ran - it.

    To ensure that the server is run as a daemon whenever - the machine is started, and to ensure that it runs as root - so that it can serve multiple clients, you will need to modify - the system startup files. Wherever appropriate (for example, in - /etc/rc), insert the following line, - substituting port number, log file location, configuration file - location and debug level as desired:

    /usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log - -s /usr/local/samba/lib/smb.conf

    (The above should appear in your initialization script - as a single line. Depending on your terminal characteristics, - it may not appear that way in this man page. If the above appears - as more than one line, please treat any newlines or indentation - as a single space or TAB character.)

    If the options used at compile time are appropriate for - your system, all parameters except -D may - be omitted. See the section OPTIONS above.

    RUNNING THE SERVER ON REQUEST

    If your system uses a meta-daemon such as inetd - , you can arrange to have the smbd server started - whenever a process attempts to connect to it. This requires several - changes to the startup files on the host machine. If you are - experimenting as an ordinary user rather than as root, you will - need the assistance of your system administrator to modify the - system files.

    You will probably want to set up the NetBIOS name server - nmbd at - the same time as smbd. To do this refer to the - man page for nmbd(8) - .

    First, ensure that a port is configured in the file - /etc/services. The well-known port 139 - should be used if possible, though any port may be used.

    Ensure that a line similar to the following is in - /etc/services:

    netbios-ssn 139/tcp

    Note for NIS/YP users - you may need to rebuild the - NIS service maps rather than alter your local /etc/services - file.

    Next, put a suitable line in the file /etc/inetd.conf - (in the unlikely event that you are using a meta-daemon - other than inetd, you are on your own). Note that the first item - in this line matches the service name in /etc/services - . Substitute appropriate values for your system - in this line (see inetd(8)):

    netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd - -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf

    (The above should appear in /etc/inetd.conf - as a single line. Depending on your terminal characteristics, it may - not appear that way in this man page. If the above appears as more - than one line, please treat any newlines or indentation as a single - space or TAB character.)

    Note that there is no need to specify a port number here, - even if you are using a non-standard port number.

    Lastly, edit the configuration file to provide suitable - services. To start with, the following two services should be - all you need:

    		[homes]
    -		writeable = yes
    -
    -	[printers]
    -		writeable = no
    -		printable = yes
    -		path = /tmp
    -		public = yes
    -	
    -	

    This will allow you to connect to your home directory - and print to any printer supported by the host (user privileges - permitting).

    PAM INTERACTION
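
Review bot: The removed INSTALLATION section is the only place in this page that states the hardening guidance: "The server should NOT be setuid", log files "in a directory readable and writeable only by root", and the configuration file kept in a root-only directory because it "controls security for the services offered by the server". The replacement is a pointer to UNIX_INSTALL.html, which is not among the five files in this patch, so please confirm that document carries the same permission guidance before this text goes, or keep a short security paragraph in smbd.8.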

    TESTING THE INSTALLATION

    If running the server as a daemon, execute it before - proceeding. If using a meta-daemon, either restart the system - or kill and restart the meta-daemon. Some versions of - inetd will reread their configuration - tables if they receive a HUP signal.

    If your machine's name is fred and your - name is mary, you should now be able to connect - to the service \\fred\mary. -

    To properly test and experiment with the server, we - recommend using the smbclient program (see - smbclient(1)) - and also going through the steps outlined in the file - DIAGNOSIS.txt in the docs/ - directory of your Samba installation.

    VERSION

    DIAGNOSTICS

    SIGNALS

    SEE ALSO

    AUTHOR

    /etc/passwd) - else the request to add the user will fail.

    ), else the request to add the + user will fail.

    This option is only available when running smbpasswd as root.

    If the smbpasswd file is in the 'old' format (pre-Samba 2.0 format) there is no space in the user's password entry to write - this information and so the user is disabled by writing 'X' characters - into the password space in the smbpasswd file. See smbpasswd(5) If the smbpasswd file is in the 'old' format, then smbpasswd will prompt for a new password for this user, - otherwise the account will be enabled by removing the 'D' - flag from account control space in the smbpasswd file. See will FAIL to enable the account. + See smbpasswd (5) for @@ -410,66 +403,6 @@ CLASS="FILENAME"
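
Review bot: The new wording for the old-format case, "will FAIL to enable the account", replaces a description of a working path (smbpasswd prompted for a new password) with a bare failure and no next step. Say what the administrator should do instead, for example how to get the entry into the current format, and what smbpasswd reports when it fails.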

    -j DOMAIN

    This option is used to add a Samba server - into a Windows NT Domain, as a Domain member capable of authenticating - user accounts to any Domain Controller in the same way as a Windows - NT Server. See the security = domain option in - the smb.conf(5) man page.

    In order to be used in this way, the Administrator for - the Windows NT Domain must have used the program "Server Manager - for Domains" to add the primary NetBIOS name of the Samba server - as a member of the Domain.

    After this has been done, to join the Domain invoke smbpasswd with this parameter. smbpasswd will then - look up the Primary Domain Controller for the Domain (found in - the smb.conf file in the parameter - password server and change the machine account - password used to create the secure Domain communication. This - password is then stored by smbpasswd in a TDB, writeable only by root, - called secrets.tdb

    Once this operation has been performed the smb.conf file may be updated to set the security = domain option and all future logins - to the Samba server will be authenticated to the Windows NT - PDC.

    Note that even though the authentication is being - done to the PDC all users accessing the Samba server must still - have a valid UNIX account on that machine.

    This option is only available when running smbpasswd as root. -

    -U username
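
Review bot: Removing the whole `-j DOMAIN` entry leaves this page with no description of how a server is joined to a domain and no pointer to where that now lives. The removed text was also the place that told administrators the machine account password is stored in `secrets.tdb`, "writeable only by root". If the option has moved to another tool, add a one-line reference here and make sure the note about `secrets.tdb` permissions is kept wherever the join procedure is now documented.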

    NOTES

    VERSION

    This man page is correct for version 2.2 of +>This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    AUTHOR

    winbind use default domain

    This parameter specifies whether the winbindd + daemon should operate on users without domain component in their username. + Users without a domain component are treated as is part of the winbindd server's + own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail + function in a way much closer to the way they would in a native unix system.

    Default: winbind use default domain = <falseg> +

    Example: winbind use default domain = true

    EXAMPLE SETUP
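
Review bot: This entry does not say how an unqualified user name is resolved when the same name also exists as a local UNIX account, which matters because the paragraph names SSH, FTP and e-mail as the services that will rely on it. State the lookup order for that case. The paragraph is a verbatim copy of the smb.conf.5 entry in this same patch, including `<falseg>` and "benifit", so the corrections need to land in both files.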

    NOTES

    SIGNALS

    FILES

    VERSION

    SEE ALSO

    AUTHOR