From ca12d82eaf4c6bd498208a246ca8a1ca9f47c58b Mon Sep 17 00:00:00 2001
From: Gerald Carter
If running the server as a daemon at startup, this file will need to contain an appropriate startup - sequence for the server. See the section INSTALLATION - below.
UNIX_INSTALL.html document + for details.When run as a WINS server (see the wins support - parameter in the smb.conf(5) man page), smb.conf(5)
This option allows the administrator to chose what
+ authentication methods smbd will use when authenticating
+ a user. This option defaults to sensible values based on security.
+
+ Each entry in the list attempts to authenticate the user in turn, until
+ the user authenticates. In practice only one method will ever actually
+ be able to complete the authentication.
+ Default: auth methods = <empty string> Example: auth methods = guest sam ntdomain The non unix account range parameter specifies
+ the range of 'user ids' that are allocated by the various 'non unix
+ account' passdb backends. These backends allow
+ the storage of passwords for users who don't exist in /etc/passwd.
+ This is most often used for machine account creation.
+ This range of ids should have no existing local or NIS users within
+ it as strange conflicts can occur otherwise. NOTE: These userids never appear on the system and Samba will never
+ 'become' these users. They are used only to ensure that the algorithmic
+ RID mapping does not conflict with normal users.
+ Default: non unix account range = <empty string>
+ Example: non unix account range = 10000-20000 This boolean parameter controls whether smbd(8) will negotiate NT specific SMB
- support with Windows NT clients. Although this is a developer
- debugging option and should be left alone, benchmarking has discovered
- that Windows NT clients give faster performance with this option
- set to no. This is still being investigated.
- If this option is set to no then Samba offers
- exactly the same SMB calls that versions prior to Samba 2.0 offered.
- This information may be of use if any users are having problems
- with NT SMB support. You should not need to ever disable this parameter. Default: nt smb support = yes This option allows the administrator to chose what
+ backend in which to store passwords. This allows (for example) both
+ smbpasswd and tdbsam to be used without a recompile. Only one can
+ be used at a time however, and experimental backends must still be selected
+ (eg --with-tdbsam) at configure time.
+ Default: passdb backend = smbpasswd Example: passdb backend = tdbsam This parameter specifies whether the winbindd(8)
+ daemon should operate on users without domain component in their username.
+ Users without a domain component are treated as is part of the winbindd server's
+ own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
+ function in a way much closer to the way they would in a native unix system. Default: winbind use default domain = <falseg>
+ Example: winbind use default domain = true If running the server as a daemon at startup,
this file will need to contain an appropriate startup
- sequence for the server. See the section INSTALLATION
- below. The location of the server and its support files
- is a matter for individual system administrators. The following
- are thus suggestions only. It is recommended that the server software be installed
- under the /usr/local/samba/ hierarchy,
- in a directory readable by all, writeable only by root. The server
- program itself should be executable by all, as users may wish to
- run the server themselves (in which case it will of course run
- with their privileges). The server should NOT be setuid. On some
- systems it may be worthwhile to make smbd setgid to an empty group.
- This is because some systems may have a security hole where daemon
- processes that become a user can be attached to with a debugger.
- Making the smbd file setgid to an empty group may prevent
- this hole from being exploited. This security hole and the suggested
- fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
- at the time this was written. It is possible that this hole only
- exists in Linux, as testing on other systems has thus far shown them
- to be immune. The server log files should be put in a directory readable and
- writeable only by root, as the log files may contain sensitive
- information. The configuration file should be placed in a directory
- readable and writeable only by root, as the configuration file
- controls security for the services offered by the server. The
- configuration file can be made readable by all if desired, but
- this is not necessary for correct operation of the server and is
- not recommended. A sample configuration file smb.conf.sample
- is supplied with the source to the server - this may
- be renamed to smb.conf and modified to suit
- your needs. The remaining notes will assume the following: smbd (the server program)
- installed in /usr/local/samba/bin smb.conf (the configuration
- file) installed in /usr/local/samba/lib log files stored in /var/adm/smblogs
- The server may be run either as a daemon by users
- or at startup, or it may be run from a meta-daemon such as
- inetd upon request. If run as a daemon,
- the server will always be ready, so starting sessions will be
- faster. If run from a meta-daemon some memory will be saved and
- utilities such as the tcpd TCP-wrapper may be used for extra
- security. For serious use as file server it is recommended
- that smbd be run as a daemon. When you've decided, continue with either RUNNING THE SERVER AS A DAEMON or RUNNING THE SERVER ON REQUEST. To run the server as a daemon from the command
- line, simply put the -D option on the
- command line. There is no need to place an ampersand at
- the end of the command line - the -D
- option causes the server to detach itself from the tty
- anyway. Any user can run the server as a daemon (execute
- permissions permitting, of course). This is useful for
- testing purposes, and may even be useful as a temporary
- substitute for something like ftp. When run this way, however,
- the server will only have the privileges of the user who ran
- it. To ensure that the server is run as a daemon whenever
- the machine is started, and to ensure that it runs as root
- so that it can serve multiple clients, you will need to modify
- the system startup files. Wherever appropriate (for example, in
- /etc/rc), insert the following line,
- substituting port number, log file location, configuration file
- location and debug level as desired: /usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log
- -s /usr/local/samba/lib/smb.conf (The above should appear in your initialization script
- as a single line. Depending on your terminal characteristics,
- it may not appear that way in this man page. If the above appears
- as more than one line, please treat any newlines or indentation
- as a single space or TAB character.) If the options used at compile time are appropriate for
- your system, all parameters except -D may
- be omitted. See the section OPTIONS above. If your system uses a meta-daemon such as inetd
- , you can arrange to have the smbd server started
- whenever a process attempts to connect to it. This requires several
- changes to the startup files on the host machine. If you are
- experimenting as an ordinary user rather than as root, you will
- need the assistance of your system administrator to modify the
- system files. You will probably want to set up the NetBIOS name server
- nmbd at
- the same time as smbd. To do this refer to the
- man page for nmbd(8)
- . First, ensure that a port is configured in the file
- /etc/services. The well-known port 139
- should be used if possible, though any port may be used. Ensure that a line similar to the following is in
- /etc/services: netbios-ssn 139/tcp Note for NIS/YP users - you may need to rebuild the
- NIS service maps rather than alter your local /etc/services
- file. Next, put a suitable line in the file /etc/inetd.conf
- (in the unlikely event that you are using a meta-daemon
- other than inetd, you are on your own). Note that the first item
- in this line matches the service name in /etc/services
- . Substitute appropriate values for your system
- in this line (see inetd(8)): netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd
- -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf (The above should appear in /etc/inetd.conf
- as a single line. Depending on your terminal characteristics, it may
- not appear that way in this man page. If the above appears as more
- than one line, please treat any newlines or indentation as a single
- space or TAB character.) Note that there is no need to specify a port number here,
- even if you are using a non-standard port number. Lastly, edit the configuration file to provide suitable
- services. To start with, the following two services should be
- all you need: This will allow you to connect to your home directory
- and print to any printer supported by the host (user privileges
- permitting). If running the server as a daemon, execute it before
- proceeding. If using a meta-daemon, either restart the system
- or kill and restart the meta-daemon. Some versions of
- inetd will reread their configuration
- tables if they receive a HUP signal. If your machine's name is fred and your
- name is mary, you should now be able to connect
- to the service \\fred\mary.
- To properly test and experiment with the server, we
- recommend using the smbclient program (see
- smbclient(1))
- and also going through the steps outlined in the file
- DIAGNOSIS.txt in the docs/
- directory of your Samba installation. This option is only available when running smbpasswd
as root. If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the user's password entry to write
- this information and so the user is disabled by writing 'X' characters
- into the password space in the smbpasswd file. See smbpasswd(5)
If the smbpasswd file is in the 'old' format, then smbpasswd will prompt for a new password for this user,
- otherwise the account will be enabled by removing the 'D'
- flag from account control space in the smbpasswd file. See will FAIL to enable the account.
+ See smbpasswd (5) for
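Review bot: In the account-enable text, "will FAIL to enable the account" tells the administrator that an old-format smbpasswd file is refused but not how to recover. Add a sentence on how to bring a pre-Samba 2.0 file to the current format, and say what smbpasswd reports when it refuses, so nobody assumes the account state changed. The disable text just above drops the 'X' characters behaviour in the same way and should carry the same pointer.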
@@ -410,66 +403,6 @@ CLASS="FILENAME"
This option is used to add a Samba server
- into a Windows NT Domain, as a Domain member capable of authenticating
- user accounts to any Domain Controller in the same way as a Windows
- NT Server. See the security = domain option in
- the smb.conf(5) man page. In order to be used in this way, the Administrator for
- the Windows NT Domain must have used the program "Server Manager
- for Domains" to add the primary NetBIOS name of the Samba server
- as a member of the Domain. After this has been done, to join the Domain invoke smbpasswd with this parameter. smbpasswd will then
- look up the Primary Domain Controller for the Domain (found in
- the smb.conf file in the parameter
- password server and change the machine account
- password used to create the secure Domain communication. This
- password is then stored by smbpasswd in a TDB, writeable only by root,
- called secrets.tdb Once this operation has been performed the smb.conf file may be updated to set the security = domain option and all future logins
- to the Samba server will be authenticated to the Windows NT
- PDC. Note that even though the authentication is being
- done to the PDC all users accessing the Samba server must still
- have a valid UNIX account on that machine. This option is only available when running smbpasswd as root.
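Review bot: The domain-join option description is deleted in full with nothing added in its place, so this man page no longer says how a Samba server becomes a domain member. If the option has moved to another tool, add a one-line pointer to it; if it still exists in smbpasswd, keep the description. The statement that the machine account password is stored in secrets.tdb, writeable only by root, is worth keeping somewhere in either case.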
- This man page is correct for version 2.2 of
+>This man page is correct for version 3.0 of
the Samba suite. This parameter specifies whether the winbindd
+ daemon should operate on users without domain component in their username.
+ Users without a domain component are treated as is part of the winbindd server's
+ own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
+ function in a way much closer to the way they would in a native unix system. Default: winbind use default domain = <falseg>
+ Example: winbind use default domain = trueCOMPLETE LIST OF SERVICE PARAMETERS
EXPLANATION OF EACH PARAMETER
WARNINGS
VERSION
SEE ALSO
AUTHOR
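Review bot: The added winbind use default domain text, which appears twice in this patch, has three wording errors: the default is written "<falseg>", "benifit" is misspelled, and "are treated as is part of the winbindd server's own domain" does not parse. Suggest "Default: winbind use default domain = false", "benefit", and "are treated as part of". Since the stated purpose is SSH, FTP and e-mail logins, the text should also say what happens when an unqualified name matches a local account as well.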
inetd meta-daemon, this file
must contain suitable startup information for the
- meta-daemon. See the section INSTALLATION below.
+ meta-daemon. See the UNIX_INSTALL.html
+ document for details.
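Review bot: The reference to UNIX_INSTALL.html here, and the same replacement in the startup-file paragraph earlier in the patch, stand in for the removed INSTALLATION and daemon/inetd sections, which held the permission guidance (smbd should NOT be setuid, log directory and configuration file readable and writeable only by root). UNIX_INSTALL.html is not among the visible changes, so please confirm it carries that guidance. Also say where the document is installed, because a reader of the installed man page has no hyperlink to follow.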
LIMITATIONS
ENVIRONMENT VARIABLES
INSTALLATION
RUNNING THE SERVER AS A DAEMON
RUNNING THE SERVER ON REQUEST
[homes]
- writeable = yes
-
- [printers]
- writeable = no
- printable = yes
- path = /tmp
- public = yes
-
-
PAM INTERACTION
TESTING THE INSTALLATION
VERSION
DIAGNOSTICS
SIGNALS
SEE ALSO
AUTHOR
/etc/passwd)
- else the request to add the user will fail. ), else the request to add the
+ user will fail. NOTES
VERSION
SEE ALSO
AUTHOR
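Review bot: In the auth methods text near the top of the patch, the default is given as "<empty string>" while the description says the option "defaults to sensible values based on security", and the two need reconciling: list the effective method order for each security setting, or at least say that empty means derived from it. The description says entries are tried "until the user authenticates" without saying whether a method that rejects the password stops the chain or falls through to the next, which matters for an example like "guest sam ntdomain". "chose" should be "choose" here and in the passdb backend text.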
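Review bot: In the non unix account range text, "strange conflicts can occur otherwise" is too vague for a setting whose purpose is to keep allocated ids from colliding with real users; state the actual consequence of an overlap with local or NIS users. With the default an empty string, the text should also say what a non unix account backend does on machine account creation when no range is configured.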