From 37a6f03f3550321f96200b1357078b308a45f6cd Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 27 May 2003 13:20:26 +0000 Subject: Very large number of markup fixes, layout updates, etc. (This used to be commit 8dfbaafb843d17b865855ba1fef1e62cd38d3964) --- docs/docbook/Makefile.in | 12 +- docs/docbook/projdoc/AccessControls.xml | 165 +++++++------ docs/docbook/projdoc/AdvancedNetworkAdmin.xml | 6 +- docs/docbook/projdoc/Bugs.xml | 3 +- docs/docbook/projdoc/Compiling.xml | 15 +- docs/docbook/projdoc/DOMAIN_MEMBER.xml | 58 ++--- docs/docbook/projdoc/Diagnosis.xml | 52 ++-- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml | 42 ++-- docs/docbook/projdoc/Integrating-with-Windows.xml | 8 +- docs/docbook/projdoc/InterdomainTrusts.xml | 52 ++-- docs/docbook/projdoc/IntroSMB.xml | 42 ++-- docs/docbook/projdoc/NT4Migration.xml | 123 ++++------ docs/docbook/projdoc/NetworkBrowsing.xml | 190 ++++++++------- docs/docbook/projdoc/Other-Clients.xml | 98 ++++---- .../projdoc/PAM-Authentication-And-Samba.xml | 85 +++---- docs/docbook/projdoc/PolicyMgmt.xml | 23 +- docs/docbook/projdoc/Portability.xml | 32 +-- docs/docbook/projdoc/Problems.xml | 62 ++--- docs/docbook/projdoc/ProfileMgmt.xml | 119 ++++----- docs/docbook/projdoc/locking.xml | 41 ++-- docs/docbook/projdoc/msdfs_setup.xml | 12 +- docs/docbook/projdoc/passdb.xml | 270 +++++++++------------ docs/docbook/projdoc/printer_driver2.xml | 179 ++++++-------- 23 files changed, 801 insertions(+), 888 deletions(-) (limited to 'docs') diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index 523a2e42ad..4d90e2ba27 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in 
@@ -127,17 +127,17 @@ $(PDFDIR)/Samba-Developers-Guide.pdf: dev-doc.tex # DVI files $(DVIDIR)/Samba-HOWTO-Collection.dvi: samba-doc.tex @echo "Building LaTeX sources via $(LATEX)..." - @$(LATEX) $< | grep 'Rerun to get cross-references right' && \ - $(LATEX) $< | grep 'Rerun to get cross-references right' && \ - $(LATEX) $< || echo + @$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \ + $(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \ + $(LATEX) $< 2>&1 || echo @echo "done" @mv samba-doc.dvi $@ $(DVIDIR)/Samba-Developers-Guide.dvi: dev-doc.tex @echo "Building LaTeX sources via $(LATEX)..." - @$(LATEX) $< | grep 'Rerun to get cross-references right' && \ - $(LATEX) $< | grep 'Rerun to get cross-references right' && \ - $(LATEX) $< || echo + @$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \ + $(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \ + $(LATEX) $< 2>&1 || echo @echo "done" @mv dev-doc.dvi $@ diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml index 74269616aa..661cc1ca86 100644 --- a/docs/docbook/projdoc/AccessControls.xml +++ b/docs/docbook/projdoc/AccessControls.xml @@ -146,10 +146,11 @@ at how Samba helps to bridge the differences. to depths of control ability should review the &smb.conf; man page. - - File System Feature Comparison - - Name Space + + File System Feature Comparison + + Name Space + MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names may be 1023 characters long. In MS Windows file extensions indicate particular file types, @@ -158,10 +159,12 @@ at how Samba helps to bridge the differences. What MS Windows calls a Folder, Unix calls a directory, - + + - - Case Sensitivity + + Case Sensitivity + MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case 
@@ -186,18 +189,22 @@ at how Samba helps to bridge the differences. first will be accessible to MS Windows users, the others are invisible and unaccessible - any other solution would be suicidal. - + + - - Directory Separators + + Directory Separators + MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/' as it's directory delimiter. This is transparently handled by Samba. - + + - - Drive Identification + + Drive Identification + MS Windows products support a notion of drive letters, like C: to represent disk partitions. Unix has NO concept if separate identifiers for file partitions since each @@ -205,20 +212,24 @@ at how Samba helps to bridge the differences. The Unix directory tree begins at '/', just like the root of a DOS drive is specified like C:\. - + + - - File Naming Conventions + + File Naming Conventions + MS Windows generally never experiences file names that begin with a '.', while in Unix these are commonly found in a user's home directory. Files that begin with a '.' are typically either start up files for various Unix applications, or they may be files that contain start-up configuration data. - - - - Links and Short-Cuts + + + + + Links and Short-Cuts + MS Windows make use of "links and Short-Cuts" that are actually special types of files that will redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory @@ -230,8 +241,9 @@ at how Samba helps to bridge the differences. referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows one physical file to be known simulataneously by more than one file name. - - + + + There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort 
@@ -312,7 +324,7 @@ at how Samba helps to bridge the differences. The permissions field is made up of: - + JRV: Put this into a diagram of some sort [ type ] [ users ] [ group ] [ others ] [File, Directory Permissions] [ d | l ] [ r w x ] [ r w x ] [ r w x ] | | | | | | | | | | | @@ -332,13 +344,16 @@ at how Samba helps to bridge the differences. Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character. - - - Example File + + + Example File + -rwxr-x--- Means: The owner (user) can read, write, execute the group can read and execute everyone else can NOT do anything with it - + + + @@ -346,7 +361,7 @@ at how Samba helps to bridge the differences. - The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r + The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), sticky (t). @@ -365,7 +380,7 @@ at how Samba helps to bridge the differences. - When a directory is set drw-r----- this means that the owner can read and create (write) files in it, but because + When a directory is set drw-r----- this means that the owner can read and create (write) files in it, but because the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then group members will be able to write to (or delete) them. 
@@ -388,10 +403,10 @@ Before using any of the following options please refer to the man page for &smb. User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all - file system operations as if a single user is doing this, the use of the force user and - force group behaviour will achieve this. In other situations it may be necessary to affect a + file system operations as if a single user is doing this, the use of the force user and + force group behaviour will achieve this. In other situations it may be necessary to affect a paranoia level of control to ensure that only particular authorised persons will be able to access a share or - it's contents, here the use of the valid users or the invalid users may + it's contents, here the use of the valid users or the invalid users may be most useful. @@ -665,7 +680,7 @@ Before using any of the following options please refer to the man page for &smb. By default samba sets no restrictions on the share itself. Restrictions on the share itself can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can connect to a share. In the absence of specific restrictions the default setting is to allow - the global user Everyone Full Control (ie: Full control, Change and Read). + the global user Everyone Full Control (ie: Full control, Change and Read). 
@@ -701,13 +716,13 @@ Before using any of the following options please refer to the man page for &smb. Instructions - Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu - select Computer, then click on the Shared Directories entry. + Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu + select Computer, then click on the Shared Directories entry. - Now click on the share that you wish to manage, then click on the Properties tab, next click on - the Permissions tab. Now you can Add or change access control settings as you wish. + Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can add or change access control settings as you wish. @@ -717,14 +732,14 @@ Before using any of the following options please refer to the man page for &smb. Windows 200x/XP - On MS Windows NT4/200x/XP system access control lists on the share itself are set using native + On MS Windows NT4/200x/XP system access control lists on the share itself are set using native tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, - then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows - Everyone Full Control on the Share. + then select Sharing, then click on Permissions. The default + Windows NT4/200x permission allows Everyone Full Control on the Share. - MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the + MS Windows 200x and later all comes with a tool called the Computer Management snap-in for the Microsoft Management Console (MMC). This tool is located by clicking on Control Panel -> Administrative Tools -> Computer Management. 
@@ -732,21 +747,22 @@ Before using any of the following options please refer to the man page for &smb. Instructions - After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', - select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + After launching the MMC with the Computer Management snap-in, click on the menu item Action, + select Connect to another computer. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. If you where already logged in with administrative privilidge this step is not offered. - If the Samba server is not shown in the Select Computer box, then type in the name of the target - Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] - next to 'Shared Folders' in the left panel. + If the Samba server is not shown in the Select Computer box, then type in the name of the target + Samba server in the field Name:. Now click on the [+] next to + System Tools, then on the [+] next to Shared Folders in the + left panel. Now in the right panel, double-click on the share you wish to set access control permissions on. - Then click on the tab 'Share Permissions'. It is now possible to add access control entities + Then click on the tab Share Permissions. It is now possible to add access control entities to the shared folder. Do NOT forget to set what type of access (full control, change, read) you wish to assign for each entry. 
@@ -754,10 +770,10 @@ Before using any of the following options please refer to the man page for &smb. - Be careful. If you take away all permissions from the Everyone user without removing this user + Be careful. If you take away all permissions from the Everyone user without removing this user then effectively no user will be able to access the share. This is a result of what is known as - ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone - will have no access even if this user is given explicit full control access. + ACL precidence. ie: Everyone with no access means that MaryK who is part of the group + Everyone will have no access even if this user is given explicit full control access. @@ -798,19 +814,19 @@ Before using any of the following options please refer to the man page for &smb. From an NT4/2000/XP client, single-click with the right mouse button on any file or directory in a Samba mounted drive letter or UNC path. When the menu pops-up, click - on the Properties entry at the bottom of + on the Properties entry at the bottom of the menu. This brings up the file properties dialog - box. Click on the tab Security and you - will see three buttons, Permissions, - Auditing, and Ownership. - The Auditing button will cause either + box. Click on the tab Security and you + will see three buttons, Permissions, + Auditing, and Ownership. + The Auditing button will cause either an error message A requested privilege is not held by the client to appear if the user is not the NT Administrator, or a dialog which is intended to allow an Administrator to add auditing requirements to a file if the user is logged on as the NT Administrator. This dialog is non-functional with a Samba share at this time, as the only - useful button, the Add button will not currently + useful button, the Add button will not currently allow a list of users to be seen. 
@@ -849,8 +865,8 @@ Before using any of the following options please refer to the man page for &smb. and allow a user with Administrator privilege connected to a Samba server as root to change the ownership of files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the Seclib - NT security library written by Jeremy Allison of + or Samba drive. This is available as part of the Seclib + NT security library written by Jeremy Allison of the Samba Team, available from the main Samba ftp site. @@ -921,7 +937,7 @@ Before using any of the following options please refer to the man page for &smb. Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions is the ACL set on the directory itself, this is usually displayed - in the first set of parentheses in the normal "RW" + in the first set of parentheses in the normal "RW" NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described above, and is displayed in the same way. @@ -995,12 +1011,16 @@ Before using any of the following options please refer to the man page for &smb. There are four parameters to control interaction with the standard Samba create mask parameters. - These are : + These are : + + + security mask + force security mode + directory security mask + force directory security mode + - security mask - force security mode - directory security mask - force directory security mode + Once a user clicks OK to apply the permissions Samba maps the given permissions into a user/group/world 
@@ -1061,12 +1081,15 @@ Before using any of the following options please refer to the man page for &smb. If you want to set up a share that allows users full control in modifying the permission bits on their files and directories and doesn't force any particular bits to be set 'on', then set the following - parameters in the &smb.conf; file in that share specific section : + parameters in the &smb.conf; file in that share specific section : + - security mask = 0777 - force security mode = 0 - directory security mask = 0777 - force directory security mode = 0 + + security mask = 0777 + force security mode = 0 + directory security mask = 0777 + force directory security mode = 0 + @@ -1193,7 +1216,7 @@ are examples taken from the mailing list in recent times. - You should see that the file 'Afile' created by Jill will have ownership + You should see that the file Afile created by Jill will have ownership and permissions of Jack, as follows: -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile @@ -1211,7 +1234,7 @@ are examples taken from the mailing list in recent times. - The above are only needed IF your users are NOT members of the group + The above are only needed if your users are not members of the group you have used. ie: Within the OS do not have write permission on the directory. diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml index 5f29f32448..15b8836962 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml @@ -326,9 +326,9 @@ Those wishing to use more elaborate or capable logon processing system should ch - http://www.craigelachie.org/rhacer/ntlogon - http://www.kixtart.org - http://support.microsoft.com/default.asp?scid=kb;en-us;189105 + http://www.craigelachie.org/rhacer/ntlogon + http://www.kixtart.org + http://support.microsoft.com/default.asp?scid=kb;en-us;189105 
diff --git a/docs/docbook/projdoc/Bugs.xml b/docs/docbook/projdoc/Bugs.xml index 03a60b6ce5..b2ff6d3d96 100644 --- a/docs/docbook/projdoc/Bugs.xml +++ b/docs/docbook/projdoc/Bugs.xml @@ -15,7 +15,8 @@ Introduction -Please report bugs using bugzilla. +Please report bugs using + bugzilla. Please take the time to read this file before you submit a bug diff --git a/docs/docbook/projdoc/Compiling.xml b/docs/docbook/projdoc/Compiling.xml index fb59dead02..f392efb32b 100644 --- a/docs/docbook/projdoc/Compiling.xml +++ b/docs/docbook/projdoc/Compiling.xml @@ -14,7 +14,8 @@ How to compile SAMBA -You can obtain the samba source from the samba website. To obtain a development version, +You can obtain the samba source from the +samba website. To obtain a development version, you can download samba from CVS or using rsync. @@ -243,28 +244,28 @@ example of what you would not want to see would be: configure Samba for your operating system. If you have unusual needs then you may wish to run - root# ./configure --help + &rootprompt;./configure --help first to see what special options you can enable. Then executing - root# make + &rootprompt;make will create the binaries. Once it's successfully compiled you can use - root# make install + &rootprompt;make install to install the binaries and manual pages. You can separately install the binaries and/or man pages using - root# make installbin + &rootprompt;make installbin and - root# make installman + &rootprompt;make installman Note that if you are upgrading for a previous version @@ -272,7 +273,7 @@ example of what you would not want to see would be: the binaries will be renamed with a ".old" extension. You can go back to the previous version with - root# make revert + &rootprompt;make revert if you find this version a disaster! diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml index 9ad239634b..3042f704a8 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml 
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml @@ -190,11 +190,11 @@ that is normally used to create new Unix accounts. The following is an example -root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$ +&rootprompt;/usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$ -root# passwd -l machine_name$ +&rootprompt;passwd -l machine_name$ @@ -202,7 +202,7 @@ On *BSD systems, this can be done using the chpass utility: -root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin" +&rootprompt;chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin" @@ -212,9 +212,9 @@ home directory. For example a machine named 'doppy' would have an /etc/passwd entry like this: - + doppy$:x:505:501:machine_nickname:/dev/null:/bin/false - + Above, machine_nickname can be any @@ -234,9 +234,9 @@ as shown here: - -root# smbpasswd -a -m machine_name - + +&rootprompt;smbpasswd -a -m machine_name +> @@ -287,7 +287,7 @@ Launch the srvmgr.exe (Server Manager for Domains) and follow Server Manager Account Machine Account Management - From the menu select Computer + From the menu select Computer @@ -375,9 +375,9 @@ with the version of Windows: The name of the account that is used to create domain member machine accounts can be - anything the network administrator may choose. If it is other than root + anything the network administrator may choose. If it is other than root then this is easily mapped to root using the file pointed to be the &smb.conf; parameter - username map = /etc/samba/smbusers. + username map = /etc/samba/smbusers. 
@@ -394,17 +394,17 @@ with the version of Windows: If the machine trust account was created manually, on the Identification Changes menu enter the domain name, but do not - check the box "Create a Computer Account in the Domain." In this case, - the existing machine trust account is used to join the machine to - the domain. + check the box Create a Computer Account in the Domain. + In this case, the existing machine trust account is used to join the machine + to the domain. If the machine trust account is to be created on-the-fly, on the Identification Changes menu enter the domain - name, and check the box "Create a Computer Account in the Domain." In - this case, joining the domain proceeds as above for Windows 2000 - (i.e., you must supply a Samba administrative account when + name, and check the box Create a Computer Account in the + Domain. In this case, joining the domain proceeds as above + for Windows 2000 (i.e., you must supply a Samba administrative account when prompted). @@ -472,7 +472,7 @@ now use domain security. Change (or add) your -security = line in the [global] section +security line in the [global] section of your &smb.conf; to read: @@ -698,7 +698,7 @@ In case samba can't figure out your ads server using your realm name, use the -You do ¬ need a smbpasswd file, and older clients will be authenticated as +You do not need a smbpasswd file, and older clients will be authenticated as if security = domain, although it won't do any harm and allows you to have local users not in the domain. It is expected that the above required options will change soon when active directory integration will get 
@@ -734,8 +734,8 @@ requested realm while getting initial credentials error Time between the two servers must be synchronized. You will get a -"kinit(v5): Clock skew too great while getting initial credentials" if the time -difference is more than five minutes. +kinit(v5): Clock skew too great while getting initial credentials +if the time difference is more than five minutes. @@ -750,7 +750,7 @@ followed by the realm. The easiest way to ensure you get this right is to add a /etc/hosts entry mapping the IP address of your KDC to its netbios name. If you don't get this right then you will get a -"local error" when you try to join the realm. +local error when you try to join the realm. @@ -779,12 +779,12 @@ As a user that has write permission on the Samba private directory - ADS support not compiled in + ADS support not compiled in Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. - net join prompts for user name + net join prompts for user name You need to login to the domain using kinit USERNAME@REALM. USERNAME must be a user who has rights to add a machine @@ -834,7 +834,7 @@ install, to create the right encoding types -w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in +W2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? 
@@ -877,14 +877,14 @@ the old account and then to add the machine with a new name. Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a -message that, "The machine could not be added at this time, there is a network problem. -Please try again later." Why? +message that, The machine could not be added at this time, there is a network problem. +Please try again later. Why? -You should check that there is an add machine script in your &smb.conf; +You should check that there is an add machine script in your &smb.conf; file. If there is not, please add one that is appropriate for your OS platform. If a script -has been defined you will need to debug it's operation. Increase the log level +has been defined you will need to debug it's operation. Increase the log level in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which operation is failing. diff --git a/docs/docbook/projdoc/Diagnosis.xml b/docs/docbook/projdoc/Diagnosis.xml index 150f071b78..50c5e1352d 100644 --- a/docs/docbook/projdoc/Diagnosis.xml +++ b/docs/docbook/projdoc/Diagnosis.xml @@ -129,7 +129,7 @@ run ping. -If you get a message saying "host not found" or similar then your DNS +If you get a message saying host not found or similar then your DNS software or /etc/hosts file is not correctly setup. It is possible to run samba without DNS entries for the server and client, but I assume @@ -143,10 +143,12 @@ in question, perhaps by allowing access from another subnet (on Linux this is done via the ipfwadm program.) + -Note: Modern Linux distributions install ipchains/iptables by default. +Modern Linux distributions install ipchains/iptables by default. This is a common problem that is often overlooked. + 
@@ -165,7 +167,7 @@ temporarily remove any hosts allow, hosts deny -If you get a "connection refused" response then the smbd server may +If you get a connection refused response then the smbd server may not be running. If you installed it in inetd.conf then you probably edited that file incorrectly. If you installed it as a daemon then check that it is running, and check that the netbios-ssn port is in a LISTEN @@ -180,7 +182,7 @@ this network super daemon. -If you get a "session request failed" then the server refused the +If you get a session request failed then the server refused the connection. If it says "Your server software is being unfriendly" then its probably because you have invalid command line parameters to &smbd;, or a similar fatal problem with the initial startup of &smbd;. Also @@ -213,7 +215,7 @@ To solve this problem change these lines to: -Do NOT use the bind interfaces only parameter where you +Do not use the bind interfaces only parameter where you may wish to use the samba password change facility, or where &smbclient; may need to access a local service for name resolution or for local resource @@ -224,7 +226,8 @@ fixed soon). Another common cause of these two errors is having something already running -on port 139, such as Samba (ie: smbd is running from inetd already) or +on port 139, such as Samba +(ie: &smbd; is running from inetd already) or something like Digital's Pathworks. Check your inetd.conf file before trying to start &smbd; as a daemon, it can avoid a lot of frustration! @@ -288,8 +291,8 @@ This time we are trying the same as the previous test but are trying it via a broadcast to the default broadcast address. A number of Netbios/TCPIP hosts on the network should respond, although Samba may not catch all of the responses in the short time it listens. You -should see "got a positive name query response" messages from several -hosts. +should see got a positive name query response +messages from several hosts. 
@@ -332,12 +335,12 @@ as follows: Once you enter the password you should get the smb> prompt. If you -don't then look at the error message. If it says "invalid network -name" then the service "tmp" is not correctly setup in your &smb.conf;. +don't then look at the error message. If it says invalid network +name then the service "tmp" is not correctly setup in your &smb.conf;. -If it says "bad password" then the likely causes are: +If it says bad password then the likely causes are: @@ -369,8 +372,7 @@ If it says "bad password" then the likely causes are: - you enabled password encryption but didn't create the SMB encrypted - password file + you enabled password encryption but didn't map unix to samba users @@ -394,7 +396,7 @@ list of available shares on the server. -If you get a "network name not found" or similar error then netbios +If you get a network name not found or similar error then netbios name resolution is not working. This is usually caused by a problem in nmbd. To overcome it you could do one of the following (you only need to choose one of them): @@ -421,7 +423,7 @@ to choose one of them): -If you get a "invalid network name" or "bad password error" then the +If you get a invalid network name or bad password error then the same fixes apply as they did for the smbclient -L test above. In particular, make sure your hosts allow line is correct (see the man pages) @@ -436,7 +438,7 @@ name and password. -If you get "specified computer is not receiving requests" or similar +If you get specified computer is not receiving requests or similar it probably means that the host is not contactable via tcp services. Check to see if the host is running tcp wrappers, and if so add an entry in the hosts.allow file for your client (or subnet, etc.) 
@@ -448,16 +450,16 @@ the hosts.allow file for your client (or subnet, etc.) Run the command net use x: \\BIGSERVER\TMP. You should -be prompted for a password then you should get a "command completed -successfully" message. If not then your PC software is incorrectly +be prompted for a password then you should get a command completed +successfully message. If not then your PC software is incorrectly installed or your smb.conf is incorrect. make sure your hosts allow and other config lines in &smb.conf; are correct. It's also possible that the server can't work out what user name to -connect you as. To see if this is the problem add the line user = -username to the [tmp] section of +connect you as. To see if this is the problem add the line user = +username to the [tmp] section of &smb.conf; where username is the username corresponding to the password you typed. If you find this fixes things you may need the username mapping option. @@ -465,7 +467,7 @@ fixes things you may need the username mapping option. It might also be the case that your client only sends encrypted passwords -and you have encrypt passwords = no in &smb.conf; +and you have encrypt passwords = no in &smb.conf; Turn it back on to fix. @@ -484,7 +486,7 @@ master browser for that workgroup. If you don't then the election process has failed. Wait a minute to see if it is just being slow then try again. If it still fails after that then look at the browsing options you have set in &smb.conf;. Make -sure you have preferred master = yes to ensure that +sure you have preferred master = yes to ensure that an election is held at startup. 
@@ -500,9 +502,9 @@ of the server and get a list of shares. If you get a "invalid password" error when you do then you are probably running WinNT and it is refusing to browse a server that has no encrypted password capability and is in user level security mode. In this case either set -security = server AND -password server = Windows_NT_Machine in your -&smb.conf; file, or make sure encrypted passwords is +security = server AND +password server = Windows_NT_Machine in your +&smb.conf; file, or make sure encrypted passwords is set to "yes". diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml index 4f7a0869de..d00d241b53 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml @@ -20,7 +20,7 @@ The first immediate reason to use the group mapping on a Samba PDC, is that the domain admin group has been removed and should no longer be specified in &smb.conf;. This parameter was used to give the listed users membership - in the "Domain Admins" Windows group which gave local admin rights on their workstations + in the Domain Admins Windows group which gave local admin rights on their workstations (in default configurations). @@ -40,8 +40,8 @@ Administrators should be aware that where &smb.conf; group interface scripts make - direct calls to the Unix/Linux system tools (eg: the shadow utilities, groupadd, - groupdel, groupmod) then the resulting Unix/Linux group names will be subject + direct calls to the Unix/Linux system tools (eg: the shadow utilities, groupadd, + groupdel, groupmod) then the resulting Unix/Linux group names will be subject to any limits imposed by these tools. If the tool does NOT allow upper case characters or space characters, then the creation of an MS Windows NT4 / 200x style group of Engineering Managers will attempt to create an identically named 
@@ -67,10 +67,11 @@ Discussion - When installing MS Windows NT4 / 200x on a computer, the installation program creates default - users and groups. Notably the 'Administrators' group, and gives to that group privileges necessary - privilidges to perform essential system tasks. eg: Ability to change the date and time or to - kill any process (or close too) running on the local machine. + When installing MS Windows NT4 / 200x on a computer, the installation + program creates default users and groups. Notably the Administrators group, + and gives to that group privileges necessary privilidges to perform essential system tasks. + eg: Ability to change the date and time or to kill any process (or close too) running on the + local machine. @@ -100,9 +101,9 @@ look like: - + domadm:x:502:joe,john,mary - + @@ -155,7 +156,8 @@ - &rootprompt; net groupmap list + + &rootprompt; net groupmap list System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser @@ -180,15 +182,16 @@ - Sample smb.conf add group script + Sample &smb.conf; add group script A script to great complying group names for use by the samba group interfaces: - - -Script name: smbgrpadd.sh + + + smbgrpadd.sh + #!/bin/bash @@ -203,14 +206,15 @@ cat /etc/group | sed s/smbtmpgrp00/$1/g > /etc/group # Now return the GID as would normally happen. echo $thegid exit 0 - + + The &smb.conf; entry for the above script would look like: - + add group script = /path_to_tool/smbgrpadd.sh %g - + @@ -224,7 +228,7 @@ exit 0 - + #!/bin/bash net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin 
@@ -247,7 +251,7 @@ net groupmap modify ntgroup="Power Users" unixgroup=sys #net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d #net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d #net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d - + diff --git a/docs/docbook/projdoc/Integrating-with-Windows.xml b/docs/docbook/projdoc/Integrating-with-Windows.xml index 0ee65a771c..4408595763 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.xml +++ b/docs/docbook/projdoc/Integrating-with-Windows.xml @@ -108,7 +108,7 @@ Network packets that are sent over the physical network transport layer communicate not via IP addresses but rather using the Media Access Control address, or MAC address. IP Addresses are currently 32 bits in length and are typically presented as four (4) decimal -numbers that are separated by a dot (or period). eg: 168.192.1.1 +numbers that are separated by a dot (or period). eg: 168.192.1.1. @@ -265,8 +265,8 @@ Starting with version 2.2.0 samba has Linux support for extensions to the name service switch infrastructure so that linux clients will be able to obtain resolution of MS Windows NetBIOS names to IP Addresses. To gain this functionality Samba needs to be compiled -with appropriate arguments to the make command (ie: make -nsswitch/libnss_wins.so). The resulting library should +with appropriate arguments to the make command (ie: make +nsswitch/libnss_wins.so). The resulting library should then be installed in the /lib directory and the "wins" parameter needs to be added to the "hosts:" line in the /etc/nsswitch.conf file. At this point it @@ -393,7 +393,7 @@ frustrating for users - but it is a characteristic of the protocol. The MS Windows utility that allows examination of the NetBIOS name cache is called "nbtstat". The Samba equivalent of this -is called "nmblookup". +is called nmblookup. 
diff --git a/docs/docbook/projdoc/InterdomainTrusts.xml b/docs/docbook/projdoc/InterdomainTrusts.xml index ae780a4b61..416bceca3f 100644 --- a/docs/docbook/projdoc/InterdomainTrusts.xml +++ b/docs/docbook/projdoc/InterdomainTrusts.xml @@ -95,13 +95,15 @@ There are two steps to creating an interdomain trust relationship. NT4 as the Trusting Domain (ie. creating the trusted account) -For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. -To affect a two way trust relationship it is necessary for each domain administrator to make -available (for use by an external domain) it's security resources. This is done from the Domain -User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then -next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and -"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that -will be able to assign user rights to your domain. In addition it is necessary to enter a password +For MS Windows NT4, all domain trust relationships are configured using the +Domain User Manager. To affect a two way trust relationship it is +necessary for each domain administrator to make available (for use by an external domain) it's +security resources. This is done from the Domain User Manager Policies entry on the menu bar. +From the Policy menu, select Trust Relationships, then +next to the lower box that is labelled Permitted to Trust this Domain are two +buttons, Add and Remove. The Add +button will open a panel in which needs to be entered the remote domain that will be able to assign +user rights to your domain. In addition it is necessary to enter a password that is specific to this trust relationship. The password needs to be typed twice (for standard confirmation). 
@@ -115,8 +117,9 @@ typed twice (for standard confirmation). A trust relationship will work only when the other (trusting) domain makes the appropriate connections with the trusted domain. To consumate the trust relationship the administrator will launch the Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the -"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in -which must be entered the name of the remote domain as well as the password assigned to that trust. +Add button that is next to the box that is labelled +Trusted Domains. A panel will open in which must be entered the name of the remote +domain as well as the password assigned to that trust. @@ -152,14 +155,14 @@ will be to issue this command from your favourite shell: -deity# smbpasswd -a -i rumba +&rootprompt; smbpasswd -a -i rumba New SMB password: XXXXXXXX Retype SMB password: XXXXXXXX Added user rumba$ -where -a means to add a new account into the -passdb database and -i means: ''create this +where means to add a new account into the +passdb database and means: ''create this account with the InterDomain trust flag'' 
@@ -178,12 +181,15 @@ the trust by establishing it from Windows NT Server. -Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. -Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for +Open User Manager for Domains and from menu +Policies select Trust Relationships.... +Right beside Trusted domains list box press the +Add... button. You will be prompted for the trusted domain name and the relationship password. Type in SAMBA, as this is your domain name, and the password used at the time of account creation. -Press OK and, if everything went without incident, you will see 'Trusted domain relationship -successfully established' message. +Press OK and, if everything went without incident, you will see +Trusted domain relationship successfully +established message. @@ -200,9 +206,11 @@ The very first thing requirement is to add an account for the SAMBA domain on RU -Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. -Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted -domain (SAMBA) and password securing the relationship. +Launch the Domain User Manager, then from the menu select +Policies, Trust Relationships. +Now, next to Trusted Domains box press the Add +button, and type in the name of the trusted domain (SAMBA) and password securing +the relationship. @@ -216,7 +224,7 @@ Using your favourite shell while being logged in as root, issue this command: -deity# net rpc trustdom establish rumba +&rootprompt;net rpc trustdom establish rumba 
@@ -226,8 +234,8 @@ Do not worry if you see an error message that mentions a returned code of password you gave is correct and the NT4 Server says the account is ready for interdomain connection and not for ordinary connection. After that, be patient it can take a while (especially -in large networks), you should see the 'Success' message. Congratulations! Your trust -relationship has just been established. +in large networks), you should see the Success message. +Congratulations! Your trust relationship has just been established. diff --git a/docs/docbook/projdoc/IntroSMB.xml b/docs/docbook/projdoc/IntroSMB.xml index d5ce43fbdf..730c400ee1 100644 --- a/docs/docbook/projdoc/IntroSMB.xml +++ b/docs/docbook/projdoc/IntroSMB.xml @@ -6,10 +6,10 @@ Introduction to Samba - + "If you understand what you're doing, you're not learning anything." -- Anonymous - + Samba is a file and print server for Windows-based clients using TCP/IP as the underlying @@ -132,7 +132,7 @@ thinking? If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at -http://www.samba.org). Optionally, you could just search mailing.unix.samba at http://groups.google.com +http://www.samba.org). @@ -171,8 +171,9 @@ nothing to do with acting as a file and print server for SMB/CIFS clients. -There are other Open Source CIFS client implementations, such as the jCIFS project -(jcifs.samba.org) which provides an SMB client toolkit written in Java. +There are other Open Source CIFS client implementations, such as the +jCIFS project +which provides an SMB client toolkit written in Java. 
@@ -226,9 +227,9 @@ up a single file. In general, SMB sessions are established in the following orde -A good way to examine this process in depth is to try out SecurityFriday's SWB program -at http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html. It allows you to -walk through the establishment of a SMB/CIFS session step by step. +A good way to examine this process in depth is to try out +SecurityFriday's SWB program. +It allows you to walk through the establishment of a SMB/CIFS session step by step. @@ -236,8 +237,8 @@ walk through the establishment of a SMB/CIFS session step by step. Epilogue - -"What's fundamentally wrong is that nobody ever had any taste when they + +What's fundamentally wrong is that nobody ever had any taste when they did it. Microsoft has been very much into making the user interface look good, but internally it's just a complete mess. And even people who program for Microsoft and who have had years of experience, just don't know how it works internally. @@ -246,16 +247,16 @@ mess that fixing one bug might just break a hundred programs that depend on that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested in making money. They don't have anybody who takes pride in Windows 95 as an operating system. - + - + People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system. - + - + The problem with that is that over time, when you have this kind of approach, and because nobody understands it, because nobody REALLY fixes bugs (other than when they're really obvious), the end result is really messy. You can't trust 
@@ -265,11 +266,11 @@ fine and then once in a blue moon for some completely unknown reason, it's dead, and nobody knows why. Not Microsoft, not the experienced user and certainly not the completely clueless user who probably sits there shivering thinking "What did I do wrong?" when they didn't do anything wrong at all. - + - + That's what's really irritating to me." - + -- Linus Torvalds, from an interview with BOOT Magazine, Sept 1998 @@ -280,12 +281,7 @@ That's what's really irritating to me." Miscellaneous - -This chapter was lovingly handcrafted on a Dell Latitude C400 laptop running Slackware Linux 9.0, -in case anyone asks. - - - + This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com). diff --git a/docs/docbook/projdoc/NT4Migration.xml b/docs/docbook/projdoc/NT4Migration.xml index 585cfe6a47..fb136760fa 100644 --- a/docs/docbook/projdoc/NT4Migration.xml +++ b/docs/docbook/projdoc/NT4Migration.xml @@ -44,26 +44,14 @@ should know precisely why the change is important for the o Possible motivations to make a change include: - - - Improve network manageability - - - Obtain better user level functionality - - - Reduce network operating costs - - - Reduce exposure caused by Microsoft withdrawal of NT4 support - - - Avoid MS License 6 implications - - - Reduce organisation's dependency on Microsoft - - + + Improve network manageability + Obtain better user level functionality + Reduce network operating costs + Reduce exposure caused by Microsoft withdrawal of NT4 support + Avoid MS License 6 implications + Reduce organisation's dependency on Microsoft + It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers 
@@ -77,61 +65,31 @@ MS Windows 2000 and beyond (with or without Active Directory services). What are the features that Samba-3 can NOT provide? - - - Active Directory Server - - - Group Policy Objects (in Active Direcrtory) - - - Machine Policy objects - - - Logon Scripts in Active Directorty - - - Software Application and Access Controls in Active Directory - - + + Active Directory Server + Group Policy Objects (in Active Direcrtory) + Machine Policy objects + Logon Scripts in Active Directorty + Software Application and Access Controls in Active Directory + The features that Samba-3 DOES provide and that may be of compelling interest to your site includes: - - - Lower Cost of Ownership - - - Global availability of support with no strings attached - - - Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) - - - Creation of on-the-fly logon scripts - - - Creation of on-the-fly Policy Files - - - Greater Stability, Reliability, Performance and Availability - - - Manageability via an ssh connection - - - Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) - - - Ability to implement a full single-signon architecture - - - Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand - - + + Lower Cost of Ownership + Global availability of support with no strings attached + Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) + Creation of on-the-fly logon scripts + Creation of on-the-fly Policy Files + Greater Stability, Reliability, Performance and Availability + Manageability via an ssh connection + Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) + Ability to implement a full single-signon architecture + Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand + Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are 
@@ -221,11 +179,11 @@ all users gain share and printer connections they need. Logon scripts can be created on-the-fly so that all commands executed are specific to the rights and privilidges granted to the user. The preferred controls should be affected through group membership so that group information can be used to custom create a logong script using -the root preexec parameters to the NETLOGON share. +the root preexec parameters to the NETLOGON share. -Some sites prefer to use a tool such as kixstart to establish a controlled +Some sites prefer to use a tool such as kixstart to establish a controlled user environment. In any case you may wish to do a google search for logon script process controls. In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that deals with how to add printers without user intervention via the logon script process. @@ -241,7 +199,7 @@ Management. -Profiles may also be managed using the Samba-3 tool profiles. This tool allows +Profiles may also be managed using the Samba-3 tool profiles. This tool allows the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file to be changed to the SID of the Samba-3 domain. 
@@ -283,39 +241,39 @@ Samba-3 set up as a DC with netlogon share, profile share, etc. Samba must NOT be running - rpcclient NT4PDC -U Administrator%passwd + rpcclient NT4PDC -U Administrator%passwd lsaquery Note the SID returned - net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd Note the SID - net getlocalsid + net getlocalsid Note the SID, now check that all three SIDS reported are the same! - net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - net rpc vampire -S NT4PDC -U administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - pdbedit -l + pdbedit -L Note - did the users migrate? - initGrps.sh DOMNAME + initGrps.sh DOMNAME - net groupmap list + net groupmap list Now check that all groups are recognised - net rpc campire -S NT4PDC -U administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd - pdbedit -lv + pdbedit -Lv Note - check that all group membership has been migrated @@ -440,6 +398,7 @@ No matter what choice you make, the following rules will minimise down-stream pr Samba Implementation Choices + Authentication database back end Winbind (external Samba or NT4/200x server) diff --git a/docs/docbook/projdoc/NetworkBrowsing.xml b/docs/docbook/projdoc/NetworkBrowsing.xml index 8648bfa256..c698756ee5 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.xml +++ b/docs/docbook/projdoc/NetworkBrowsing.xml @@ -103,6 +103,7 @@ called nmbd. The configuration parameters involved in nmbd' + Browsing options: ----------------- * os level 
@@ -426,7 +427,8 @@ cross subnet browsing possible for a workgroup. In an WORKGROUP environment the domain master browser must be a Samba server, and there must only be one domain master browser per workgroup name. To set up a Samba server as a domain master browser, -set the following option in the [global] section of the &smb.conf; file : +set the following option in the [global] section +of the &smb.conf; file : @@ -438,7 +440,7 @@ set the following option in the [global] section of the &smb.conf; file : The domain master browser should also preferrably be the local master browser for its own subnet. In order to achieve this set the following -options in the [global] section of the &smb.conf; file : +options in the [global] section of the &smb.conf; file : @@ -462,7 +464,7 @@ workgroup. Any MS Windows NT/2K/XP/2003 machine should be able to do this, as will Windows 9x machines (although these tend to get rebooted more often, so it's not such a good idea to use these). To make a Samba server a local master browser -set the following options in the [global] section of the +set the following options in the [global] section of the &smb.conf; file : @@ -482,9 +484,9 @@ master browser. -The local master parameter allows Samba to act as a -local master browser. The preferred master causes nmbd -to force a browser election on startup and the os level +The local master parameter allows Samba to act as a +local master browser. The preferred master causes nmbd +to force a browser election on startup and the os level parameter sets Samba high enough so that it should win any browser elections. @@ -492,7 +494,7 @@ parameter sets Samba high enough so that it should win any browser elections. If you have an NT machine on the subnet that you wish to be the local master browser then you can disable Samba from becoming a local master browser by setting the following -options in the [global] section of the +options in the [global] section of the &smb.conf; file : 
@@ -539,7 +541,7 @@ of the &smb.conf; file : If you wish to have a Samba server fight the election with machines -on the same subnet you may set the os level parameter +on the same subnet you may set the os level parameter to lower levels. By doing this you can tune the order of machines that will become local master browsers if they are running. For more details on this see the section @@ -552,7 +554,7 @@ If you have Windows NT machines that are members of the domain on all subnets, and you are sure they will always be running then you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options -in the [global] section of the &smb.conf; +in the [global] section of the &smb.conf; file : @@ -571,7 +573,7 @@ file : Forcing samba to be the master -Who becomes the master browser is determined by an election +Who becomes the master browser is determined by an election process using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the election. By default Samba uses a very low precedence and thus loses @@ -579,14 +581,14 @@ elections to just about anyone else. -If you want Samba to win elections then just set the os level global +If you want Samba to win elections then just set the os level global option in &smb.conf; to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!) -A os level of 2 would make it beat WfWg and Win95, but not MS Windows +A os level of 2 would make it beat WfWg and Win95, but not MS Windows NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. 
@@ -594,18 +596,18 @@ NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. If you want samba to force an election on startup, then set the -preferred master global option in &smb.conf; to "yes". Samba will +preferred master global option in &smb.conf; to yes. Samba will then have a slight advantage over other potential master browsers that are not preferred master browsers. Use this parameter with care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with preferred master to -"yes", then periodically and continually they will force an election +samba) on the same local subnet both set with preferred master to +yes, then periodically and continually they will force an election in order to become the local master browser. -If you want samba to be a domain master browser, then it is -recommended that you also set preferred master to "yes", because + If you want samba to be a domain master browser, then it is +recommended that you also set preferred master to yes, because samba will not become a domain master browser for the whole of your LAN or WAN if it is not also a local master browser on its own broadcast isolated subnet. @@ -629,12 +631,12 @@ the current domain master browser fail. The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting domain master = yes +make samba act as the domain master by setting domain master = yes in &smb.conf;. By default it will not be a domain master. -Note that you should NOT set Samba to be the domain master for a +Note that you should not set Samba to be the domain master for a workgroup that has the same name as an NT Domain. 
@@ -647,8 +649,8 @@ browse lists. If you want samba to be the domain master then I suggest you also set -the os level high enough to make sure it wins elections, and set -preferred master to "yes", to get samba to force an election on +the os level high enough to make sure it wins elections, and set +preferred master to yes, to get samba to force an election on startup. @@ -723,12 +725,12 @@ option in &smb.conf; to configure them. -Use of the <command>Remote Announce</command> parameter +Use of the Remote Announce parameter -The remote announce parameter of +The remote announce parameter of smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. -The syntax of the remote announce parameter is: +The syntax of the remote announce parameter is: remote announce = a.b.c.d [e.f.g.h] ... @@ -769,10 +771,10 @@ name resolution problems and should be avoided. -Use of the <command>Remote Browse Sync</command> parameter +Use of the Remote Browse Sync parameter -The remote browse sync parameter of +The remote browse sync parameter of smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is @@ -780,7 +782,7 @@ simultaneously the LMB on it's network segment. -The syntax of the remote browse sync parameter is: +The syntax of the remote browse sync parameter is: remote browse sync = a.b.c.d 
@@ -848,18 +850,18 @@ errors. To configure Samba as a WINS server just add -wins support = yes to the smb.conf +wins support = yes to the smb.conf file [globals] section. To configure Samba to register with a WINS server just add -"wins server = a.b.c.d" to your smb.conf file [globals] section. +wins server = a.b.c.d to your &smb.conf; file [globals] section. -Never use both wins support = yes together -with wins server = a.b.c.d +Never use both wins support = yes together +with wins server = a.b.c.d particularly not using it's own IP address. Specifying both will cause &nmbd; to refuse to start! @@ -871,7 +873,7 @@ Specifying both will cause &nmbd; to refuse to start! Either a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must add the following option to the &smb.conf; file on the selected machine : -in the [globals] section add the line +in the [globals] section add the line @@ -888,13 +890,13 @@ least set the parameter to 'no' on all these machines. -Machines with wins support = yes will keep a list of +Machines with wins support = yes will keep a list of all NetBIOS names registered with them, acting as a DNS for NetBIOS names. You should set up only ONE wins server. Do NOT set the -wins support = yes option on more than one Samba +wins support = yes option on more than one Samba server. 
@@ -908,17 +910,17 @@ participate in these replications. It is possible in the future that a Samba->Samba WINS replication protocol may be defined, in which case more than one Samba machine could be set up as a WINS server but currently only one Samba server should have the -wins support = yes parameter set. +wins support = yes parameter set. After the WINS server has been configured you must ensure that all machines participating on the network are configured with the address of this WINS server. If your WINS server is a Samba machine, fill in -the Samba machine IP address in the "Primary WINS Server" field of -the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs +the Samba machine IP address in the Primary WINS Server field of +the Control Panel->Network->Protocols->TCP->WINS Server dialogs in Windows 95 or Windows NT. To tell a Samba server the IP address -of the WINS server add the following line to the [global] section of +of the WINS server add the following line to the [global] section of all &smb.conf; files : @@ -936,8 +938,8 @@ machine or its IP address. Note that this line MUST NOT BE SET in the &smb.conf; file of the Samba server acting as the WINS server itself. If you set both the -wins support = yes option and the -wins server = <name> option then +wins support = yes option and the +wins server = <name> option then nmbd will fail to start. @@ -966,7 +968,7 @@ section of the documentation to provide usage and technical details. Static WINS Entries -New to Samba-3 is a tool called winsedit that may be used to add +New to Samba-3 is a tool called winsedit that may be used to add static WINS entries to the WINS database. This tool can be used also to modify entries existing in the WINS database. 
@@ -1051,7 +1053,7 @@ are: Alternative means of name resolution includes: -/etc/hosts: is static, hard to maintain, and lacks name_type info +/etc/hosts: is static, hard to maintain, and lacks name_type info DNS: is a good choice but lacks essential name_type info. @@ -1082,7 +1084,7 @@ controlled by /etc/host.conf, /etc/nsswitch.conf< SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called browse list. This list +of machines in a network, a so-called browse list. This list contains machines that are ready to offer file and/or print services to other machines within the network. Thus it does not include machines which aren't currently able to do server tasks. The browse @@ -1144,7 +1146,7 @@ recommended that you use one and only one Samba server as your WINS server. To get browsing to work you need to run nmbd as usual, but will need -to use the workgroup option in &smb.conf; +to use the workgroup option in &smb.conf; to control what workgroup Samba becomes a part of. @@ -1152,7 +1154,7 @@ to control what workgroup Samba becomes a part of. Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for -example. See remote announce in the +example. See remote announce in the &smb.conf; man page. @@ -1175,7 +1177,7 @@ hit enter and filemanager should display the list of available shares. Some people find browsing fails because they don't have the global -guest account set to a valid account. Remember that the +guest account set to a valid account. Remember that the IPC$ connection that lists the shares is done as guest, and thus you must have a valid guest account. @@ -1242,6 +1244,7 @@ Consider a network set up as follows : + (DMB) N1_A N1_B N1_C N1_D N1_E 
@@ -1312,15 +1315,19 @@ you looked in it on a particular network right now). - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + + + + SubnetBrowse MasterList + -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - + + Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E + Subnet2N2_BN2_A, N2_B, N2_C, N2_D + Subnet3N3_DN3_A, N3_B, N3_C, N3_D + + +
@@ -1350,19 +1357,21 @@ are done the browse lists look like : - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + + + + SubnetBrowse MasterList + -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + + Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*) + Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + Subnet3N3_DN3_A, N3_B, N3_C, N3_D + + +
Servers with a (*) after them are non-authoritative names. -
@@ -1381,22 +1390,21 @@ the browse lists look like. - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) + + + + SubnetBrowse MasterList + -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) + + Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*) + Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + Subnet3N3_DN3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*) + + +
Servers with a (*) after them are non-authoritative names. -
@@ -1413,23 +1421,21 @@ are removed or shut off) the browse lists will look like : - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) + + + + SubnetBrowse MasterList + + + + Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*) + Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*) + Subnet3N3_DN3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*) + + +
Servers with a (*) after them are non-authoritative names. -
diff --git a/docs/docbook/projdoc/Other-Clients.xml b/docs/docbook/projdoc/Other-Clients.xml index b9f4cf3a93..0cf9af7a87 100644 --- a/docs/docbook/projdoc/Other-Clients.xml +++ b/docs/docbook/projdoc/Other-Clients.xml @@ -54,14 +54,11 @@ packages, Samba, and Linux (and other UNIX-based systems) see Basically, you need three components: - - The File and Print Client ('IBM Peer') - - TCP/IP ('Internet support') - - The "NetBIOS over TCP/IP" driver ('TCPBEUI') - - + + The File and Print Client ('IBM Peer') + TCP/IP ('Internet support') + The "NetBIOS over TCP/IP" driver ('TCPBEUI') + Installing the first two together with the base operating system on a blank system is explained in the Warp manual. If Warp 
@@ -113,41 +110,27 @@ packages, Samba, and Linux (and other UNIX-based systems) see - - Are there any other issues when OS/2 (any version) - is used as a client? - - When you do a NET VIEW or use the "File and Print - Client Resource Browser", no Samba servers show up. This can - be fixed by a patch from - http://carol.wins.uva.nl/~leeuw/samba/fix.html. - The patch will be included in a later version of Samba. It also - fixes a couple of other problems, such as preserving long - filenames when objects are dragged from the Workplace Shell - to the Samba server. - - How do I get printer driver download working for OS/2 clients? - First, create a share called [PRINTDRV] that is + First, create a share called [PRINTDRV] that is world-readable. Copy your OS/2 driver files there. Note that the .EA_ files must still be separate, so you will need to use the original install files, and not copy an installed driver from an OS/2 system. Install the NT driver first for that printer. Then, - add to your smb.conf a parameter, os2 driver map = - filename". Then, in the file + add to your &smb.conf; a parameter, os2 driver map = + filename. Then, in the file specified by filename, map the name of the NT driver name to the OS/2 driver name as follows: - nt driver name = os2 "driver - name"."device name", e.g.: - HP LaserJet 5L = LASERJET.HP LaserJet 5L + nt driver name = os2 driver name.device name, e.g.: + + + HP LaserJet 5L = LASERJET.HP LaserJet 5L You can have multiple drivers mapped in this file. 
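Review bot: Deleting the whole "Are there any other issues when OS/2 (any version) is used as a client?" entry at the top of this hunk is a content change, not a markup fix, and nothing in the added lines replaces it. The removed text is the only place that explains why Samba servers do not show up under NET VIEW on OS/2 and points at http://carol.wins.uva.nl/~leeuw/samba/fix.html. Either keep the entry with the new markup, or drop it in a separate commit whose log says why it is obsolete, so the removal is not buried under a subject line that only mentions markup and layout.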
@@ -176,10 +159,16 @@ for workgroups. Microsoft has released an incremental upgrade to their TCP/IP 32-Bit VxD drivers. The latest release can be found on their ftp site at -ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe. +ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe. There is an update.txt file there that describes the problems that were -fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386, -WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE. +fixed. New files include WINSOCK.DLL, +TELNET.EXE, +WSOCK.386, +VNBT.386, +WSTCP.386, +TRACERT.EXE, +NETSTAT.EXE, and +NBTSTAT.EXE. @@ -210,10 +199,11 @@ Often WfWg will totally ignore a password you give it in a dialog box. There is a program call admincfg.exe on the last disk (disk 8) of the WFW 3.11 disk set. To install it -type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon -for it via the "Progam Manager" "New" Menu. This program allows you -to control how WFW handles passwords. ie disable Password Caching etc -for use with security = user +type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE. +Then add an icon +for it via the Program Manager New Menu. +This program allows you to control how WFW handles passwords. ie disable Password Caching etc +for use with security = user @@ -221,7 +211,7 @@ for use with security = user Case handling of passwords -Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the smb.conf(5) information on password level to specify what characters samba should try to uppercase when checking. +Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the smb.conf(5) information on password level to specify what characters samba should try to uppercase when checking. 
@@ -240,8 +230,9 @@ It is presumably a WfWg bug. Speed improvement -Note that some people have found that setting DefaultRcvWindow in -the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a +Note that some people have found that setting DefaultRcvWindow in +the [MSTCP] section of the +SYSTEM.INI file under WfWg to 3072 gives a big improvement. I don't know why. @@ -270,16 +261,17 @@ Microsoft Web site for all currently available updates to your specific version of Windows 95. - -Kernel Update: KRNLUPD.EXE -Ping Fix: PINGUPD.EXE -RPC Update: RPCRTUPD.EXE -TCP/IP Update: VIPUPD.EXE -Redirector Update: VRDRUPD.EXE - + +Kernel Update: KRNLUPD.EXE +Ping Fix: PINGUPD.EXE +RPC Update: RPCRTUPD.EXE +TCP/IP Update: VIPUPD.EXE +Redirector Update: VRDRUPD.EXE + -Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This +Also, if using MS OutLook it is desirable to +install the OLEUPD.EXE fix. This fix may stop your machine from hanging for an extended period when exiting OutLook and you may also notice a significant speedup when accessing network neighborhood services. @@ -290,7 +282,7 @@ neighborhood services. Configure the win95 TCPIP registry settings to give better -performance. I use a program called MTUSPEED.exe which I got off the +performance. I use a program called MTUSPEED.exe which I got off the net. There are various other utilities of this type freely available. @@ -312,7 +304,7 @@ likely occur if it is not. In order to serve profiles successfully to Windows 2000 SP2 clients (when not operating as a PDC), Samba must have -nt acl support = no +nt acl support = no added to the file share which houses the roaming profiles. If this is not done, then the Windows 2000 SP2 client will complain about not being able to access the profile (Access 
@@ -320,7 +312,7 @@ Denied) and create multiple copies of it on disk (DOMAIN.user.001, DOMAIN.user.002, etc...). See the smb.conf(5) man page for more details on this option. Also note that the -nt acl support parameter was formally a global parameter in +nt acl support parameter was formally a global parameter in releases prior to Samba 2.2.2. @@ -343,17 +335,17 @@ the security descriptor for the profile which contains the Samba server's SID, and not the domain SID. The client compares the SID for SAMBA\user and realizes it is different that the one assigned to DOMAIN\user. Hence the reason -for the "access denied" message. +for the access denied message. -By disabling the nt acl support parameter, Samba will send +By disabling the nt acl support parameter, Samba will send the Win2k client a response to the QuerySecurityDescriptor trans2 call which causes the client to set a default ACL for the profile. This default ACL includes -DOMAIN\user "Full Control" +DOMAIN\user "Full Control"> This bug does not occur when using winbind to create accounts on the Samba host for Domain users. diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml index 4b5179acc7..08df14ea73 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml @@ -1,5 +1,11 @@ + + StephenLangasek + +
vorlon@netexpress.net
+
+
&author.jht; (Jun 21 2001)
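Review bot: In Other-Clients.xml, hunk @@ -343,17 +335,17 @@, the added line DOMAIN\user "Full Control"> ends with a ">" that the removed line did not have. It looks like a leftover from closing a tag and would be printed literally after the closing quote; please drop it. The context line in the hunk before it, "was formally a global parameter", should read "formerly" and could be fixed in the same pass.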
@@ -102,8 +108,8 @@ hashes. This database is stored in either Samba implementation for your Unix/Linux system. The pam_smbpass.so module is provided by Samba version 2.2.1 or later. It can be compiled by specifying the ---with-pam_smbpass options when running Samba's -configure script. For more information + options when running Samba's +configure script. For more information on the pam_smbpass module, see the documentation in the source/pam_smbpass directory of the Samba source distribution. @@ -176,7 +182,7 @@ The following is from the on-line help for this option in SWAT; When Samba is configured to enable PAM support (i.e. ---with-pam), this parameter will +), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to @@ -188,7 +194,7 @@ authentication mechanism needed in the presence of SMB password encryption. -Default: obey pam restrictions = no +Default: obey pam restrictions = no @@ -204,7 +210,7 @@ generic interface to authentication mechanisms. -For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/ + For more information on PAM, see The linux PAM homepage. 
@@ -214,52 +220,41 @@ concerned about the presence of suid root binaries on your system, it is recommended that you use pam_winbind instead. - + Options recognized by this module are as follows: + + + + debuglog more debugging info + auditlike debug, but also logs unknown usernames + use_first_passdon't prompt the user for passwords; take them from PAM_ items instead + try_first_passtry to get the password from a previous PAM module, fall back to prompting the user + use_authtoklike try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only) + not_set_passdon't make passwords used by this module available to other modules. + nodelaydon't insert ~1 second delays on authentication failure. + nulloknull passwords are allowed. + nonullnull passwords are not allowed. Used to override the Samba configuration. + migrateonly meaningful in an "auth" context; used to update smbpasswd file with a password used for successful authentication. + smbconf=filespecify an alternate path to the &smb.conf; file. + + +
+
- debug - log more debugging info - audit - like debug, but also logs unknown usernames - use_first_pass - don't prompt the user for passwords; - take them from PAM_ items instead - try_first_pass - try to get the password from a previous - PAM module, fall back to prompting the user - use_authtok - like try_first_pass, but *fail* if the new - PAM_AUTHTOK has not been previously set. - (intended for stacking password modules only) - not_set_pass - don't make passwords used by this module - available to other modules. - nodelay - don't insert ~1 second delays on authentication - failure. - nullok - null passwords are allowed. - nonull - null passwords are not allowed. Used to - override the Samba configuration. - migrate - only meaningful in an "auth" context; - used to update smbpasswd file with a - password used for successful authentication. - smbconf=< file > - specify an alternate path to the smb.conf - file. -
- - + Thanks go to the following people: + + Andrew Morgan, for providing the Linux-PAM + framework, without which none of this would have happened - * Andrew Morgan < morgan@transmeta.com >, for providing the Linux-PAM - framework, without which none of this would have happened - - * Christian Gafton < gafton@redhat.com > and Andrew Morgan again, for the - pam_pwdb module upon which pam_smbpass was originally based + Christian Gafton and Andrew Morgan again, for the + pam_pwdb module upon which pam_smbpass was originally based - * Luke Leighton < lkcl@switchboard.net > for being receptive to the idea, + Luke Leighton for being receptive to the idea, and for the occasional good-natured complaint about the project's status - that keep me working on it :) - - * and of course, all the other members of the Samba team - <http://www.samba.org/samba/team.html>, for creating a great product - and for giving this project a purpose - - --------------------- - Stephen Langasek < vorlon@netexpress.net > - + that keep me working on it :) +. + The following are examples of the use of pam_smbpass.so in the format of Linux diff --git a/docs/docbook/projdoc/PolicyMgmt.xml b/docs/docbook/projdoc/PolicyMgmt.xml index 14be370d79..be829af167 100644 --- a/docs/docbook/projdoc/PolicyMgmt.xml +++ b/docs/docbook/projdoc/PolicyMgmt.xml @@ -112,7 +112,7 @@ here is incomplete - you are warned. Use the Group Policy Editor to create a policy file that specifies the location of user profiles and/or the My Documents etc. stuff. Then save these settings in a file called Config.POL that needs to - be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto + be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto the Samba Domain, it will automatically read this file and update the Win9x/Me registry of the machine as it logs on. 
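Review bot: In PAM-Authentication-And-Samba.xml, hunk @@ -214,52 +220,41 @@, the rewritten "Thanks go to the following people" list loses its last entry: the removed lines thank "all the other members of the Samba team" with the link to http://www.samba.org/samba/team.html, and no added line carries that over. The signature that follows it is accounted for by the author block added in the first hunk of this file, but the acknowledgement is not, so please restore it as a fourth list item. The added line that holds only "." after "that keep me working on it :)" also deserves a second look, since it ends up on its own line after the list.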
@@ -152,7 +152,7 @@ here is incomplete - you are warned. - You need poledit.exe, common.adm and winnt.adm. + You need poledit.exe, common.adm and winnt.adm. It is convenient to put the two *.adm files in the c:\winnt\inf directory which is where the binary will look for them unless told otherwise. Note also that that directory is normally 'hidden'. @@ -202,7 +202,7 @@ here is incomplete - you are warned. The older NT4 style registry based policies are known as Administrative Templates in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security configurations, enforce Internet Explorer browser settings, change and redirect aspects of the - users' desktop (including: the location of My Documents files (directory), as + users' desktop (including: the location of My Documents files (directory), as well as intrinsics of where menu items will appear in the Start menu). An additional new feature is the ability to make available particular software Windows applications to particular users and/or groups. @@ -239,14 +239,14 @@ here is incomplete - you are warned. Administration of Win2K / XP Policies - Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the - executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console - (MMC) snap-in as follows: + Instead of using the tool called The System Policy Editor, commonly called Poledit (from the + executable name poledit.exe), GPOs are created and managed using a + Microsoft Management Console (MMC) snap-in as follows: - Go to the Windows 200x / XP menu Start->Programs->Administrative Tools - and select the MMC snap-in called "Active Directory Users and Computers" + Go to the Windows 200x / XP menu Start->Programs->Administrative Tools + and select the MMC snap-in called Active Directory Users and Computers 
@@ -256,12 +256,12 @@ here is incomplete - you are warned. - Now left click on the Group Policy tab, then left click on the New tab. Type a name + Now left click on the Group Policy tab, then left click on the New tab. Type a name for the new policy you will create. - Now left click on the Edit tab to commence the steps needed to create the GPO. + Now left click on the Edit tab to commence the steps needed to create the GPO. @@ -360,7 +360,8 @@ Common restrictions that are frequently used includes: With a Samba Domain Controller, the new tools for managing of user account and policy information includes: - smbpasswd, pdbedit, net, rpcclient.. The administrator should read the + smbpasswd, pdbedit, net, rpcclient. + The administrator should read the man pages for these tools and become familiar with their use. diff --git a/docs/docbook/projdoc/Portability.xml b/docs/docbook/projdoc/Portability.xml index 72c3d20547..9f1188e4a2 100644 --- a/docs/docbook/projdoc/Portability.xml +++ b/docs/docbook/projdoc/Portability.xml @@ -1,6 +1,8 @@ &author.jelmer; + Portability 
@@ -14,14 +16,14 @@ platform-specific information about compiling and using samba. HP's implementation of supplementary groups is, er, non-standard (for -hysterical reasons). There are two group files, /etc/group and -/etc/logingroup; the system maps UIDs to numbers using the former, but +hysterical reasons). There are two group files, /etc/group and +/etc/logingroup; the system maps UIDs to numbers using the former, but initgroups() reads the latter. Most system admins who know the ropes -symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons -too stupid to go into here). initgroups() will complain if one of the -groups you're in in /etc/logingroup has what it considers to be an invalid -ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think) -60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody' +symlink /etc/group to /etc/logingroup +(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the +groups you're in in /etc/logingroup has what it considers to be an invalid +ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think) +60000 currently on HP-UX. This precludes -2 and 65534, the usual nobody GIDs. @@ -46,14 +48,15 @@ Samba. SCO Unix -If you run an old version of SCO Unix then you may need to get important +If you run an old version of SCO Unix then you may need to get important TCP/IP patches for Samba to work correctly. Without the patch, you may encounter corrupt data transfers using samba. The patch you need is UOD385 Connection Drivers SLS. It is available from -SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z). +SCO (ftp.sco.com, directory SLS, +files uod385a.Z and uod385a.ltr.Z).
@@ -121,8 +124,10 @@ _seteuid: after creating the above files you then assemble them using -as seteuid.s -as setegid.s + + $ as seteuid.s + $ as setegid.s + that should produce the files seteuid.o and @@ -155,7 +160,7 @@ You should then remove the line: By default RedHat Rembrandt-II during installation adds an -entry to /etc/hosts as follows: +entry to /etc/hosts as follows: 127.0.0.1 loopback "hostname"."domainname" @@ -209,8 +214,7 @@ has not been released yet. The patch revision for 2.6 is 105181-34 -for 8 is 108528-19 -and for 9 is 112233-04 +for 8 is 108528-19 and for 9 is 112233-04 diff --git a/docs/docbook/projdoc/Problems.xml b/docs/docbook/projdoc/Problems.xml index eb43b63b63..59cfbe3a13 100644 --- a/docs/docbook/projdoc/Problems.xml +++ b/docs/docbook/projdoc/Problems.xml @@ -26,15 +26,15 @@ general SMB topics such as browsing. One of the best diagnostic tools for debugging problems is Samba itself. -You can use the -d option for both smbd and nmbd to specify what -'debug level' at which to run. See the man pages on smbd, nmbd and +You can use the for both &smbd; and &nmbd; to specify what +debug level at which to run. See the man pages on smbd, nmbd and smb.conf for more information on debugging options. The debug level can range from 1 (the default) to 10 (100 for debugging passwords). Another helpful method of debugging is to compile samba using the -gcc -g flag. This will include debug +gcc -g flag. This will include debug information in the binaries and allow you to attach gdb to the running smbd / nmbd process. In order to attach gdb to an smbd process for an NT workstation, first get the workstation to make the @@ -51,10 +51,10 @@ typing in your password, you can attach gdb and continue. Some useful samba commands worth investigating: - - testparam | more - smbclient -L //{netbios name of server} - + + $ testparam | more + $ smbclient -L //{netbios name of server} + An SMB enabled version of tcpdump is available from 
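Review bot: The command in the last hunk is still spelled "testparam"; Samba's configuration checker is testparm, so the line "$ testparam | more" fails for anyone who types it as shown. Since the hunk already rewrites both lines to add the "$" prompt, correct the name here as well. The prompt is also written as a literal "$", while the msdfs_setup.xml hunks in this same patch use the &rootprompt; entity; using an entity for the prompt here too would keep the examples consistent.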
@@ -91,18 +91,18 @@ NT Server 4.0 Install CD and the Workstation 4.0 Install CD. -Initially you will need to install 'Network Monitor Tools and Agent' +Initially you will need to install Network Monitor Tools and Agent on the NT Server. To do this - Goto Start - Settings - Control Panel - - Network - Services - Add + Goto Start - Settings - Control Panel - + Network - Services - Add - Select the 'Network Monitor Tools and Agent' and - click on 'OK'. + Select the Network Monitor Tools and Agent and + click on OK. - Click 'OK' on the Network Control Panel. + Click OK on the Network Control Panel. Insert the Windows NT Server 4.0 install CD @@ -124,13 +124,13 @@ install CD. - Goto Start - Settings - Control Panel - - Network - Services - Add + Goto Start - Settings - Control Panel - + Network - Services - Add - Select the 'Network Monitor Agent' and click - on 'OK'. + Select the Network Monitor Agent and click + on OK. - Click 'OK' on the Network Control Panel. + Click OK on the Network Control Panel. Insert the Windows NT Workstation 4.0 install @@ -138,15 +138,15 @@ install CD. -Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* -to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set -permissions as you deem appropriate for your site. You will need +Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* +to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set +permissions as you deem appropriate for your site. You will need administrative rights on the NT box to run netmon. To install Netmon on a Windows 9x box install the network monitor agent -from the Windows 9x CD (\admin\nettools\netmon). There is a readme +from the Windows 9x CD (\admin\nettools\netmon). There is a readme file located with the netmon driver files on the CD if you need information on how to do this. Copy the files from a working Netmon installation. 
@@ -158,32 +158,16 @@ Netmon installation. Useful URL's -Home of Samba site - http://samba.org. We have a mirror near you ! - - The Development document -on the Samba mirrors might mention your problem. If so, -it might mean that the developers are working on it. - See how Scott Merrill simulates a BDC behavior at http://www.skippy.net/linux/smb-howto.html. -Although 2.0.7 has almost had its day as a PDC, David Bannon will - keep the 2.0.7 PDC pages at - http://bioserve.latrobe.edu.au/samba going for a while yet. - -Misc links to CIFS information - http://samba.org/cifs/ - -NT Domains for Unix - http://mailhost.cb1.com/~lkcl/ntdom/ - FTP site for older SMB specs: ftp://ftp.microsoft.com/developr/drg/CIFS/ + diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml index 58c6af3b90..680555cd6a 100644 --- a/docs/docbook/projdoc/ProfileMgmt.xml +++ b/docs/docbook/projdoc/ProfileMgmt.xml @@ -86,17 +86,18 @@ where %L translates to the name of the Samba server and %u translates to the use -The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. -The \\N%\%U service is created automatically by the [homes] service. If you are using +The default for this option is \\%N\%U\profile, +namely \\sambaserver\username\profile. +The \\N%\%U service is created automatically by the [homes] service. If you are using a samba server for the profiles, you _must_ make the share specified in the logon path -browseable. Please refer to the man page for smb.conf in respect of the different +browseable. Please refer to the man page for &smb.conf; in respect of the different symantics of %L and %N, as well as %U and %u. MS Windows NT/2K clients at times do not disconnect a connection to a server -between logons. It is recommended to NOT use the homes +between logons. It is recommended to NOT use the homes meta-service name as part of the profile share path. 
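Review bot: In the ProfileMgmt.xml hunk, the added line "The \\N%\%U service is created automatically by the [homes] service" keeps the misplaced percent sign from the old text. The line just above it in the same hunk gives the default as \\%N\%U\profile, so the service name should be \\%N\%U. The unchanged line that follows, "symantics of %L and %N", should read "semantics" and is worth correcting while this paragraph is being touched.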
@@ -106,7 +107,7 @@ meta-service name as part of the profile share path. Windows 9x / Me User Profiles -To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has + To support Windows 9x / Me clients, you must use the logon home parameter. Samba has now been fixed so that net use /home now works as well, and it, too, relies on the logon home parameter. @@ -114,7 +115,7 @@ on the logon home parameter. By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your &smb.conf; file: +can use. If you set the following in the [global] section of your &smb.conf; file: logon home = \\%L\%U\.profiles @@ -129,7 +130,7 @@ of your home directory called .profiles (thus making them h Not only that, but net use /home will also work, because of a feature in Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for logon home. +specified \\%L\%U for logon home. @@ -138,7 +139,7 @@ specified \\%L\%U for logon home. You can support profiles for both Win9X and WinNT clients by setting both the -logon home and logon path parameters. For example: +logon home and logon path parameters. For example: 
@@ -151,27 +152,32 @@ You can support profiles for both Win9X and WinNT clients by setting both the Disabling Roaming Profile Support -A question often asked is "How may I enforce use of local profiles?" or -"How do I disable Roaming Profiles?" + A question often asked is How may I enforce use of local profiles? or + How do I disable Roaming Profiles? There are three ways of doing this: - - - In smb.conf: affect the following settings and ALL clients - will be forced to use a local profile: - - logon home = - logon path = - - - - MS Windows Registry: by using the Microsoft Management Console - gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This - of course modifies registry settings. The full path to the option is: + + + In &smb.conf; + + Affect the following settings and ALL clients + will be forced to use a local profile: + + logon home = + logon path = + + + + + + MS Windows Registry: + + By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is: + Local Computer Policy\ Computer Configuration\ @@ -182,15 +188,18 @@ There are three ways of doing this: Disable: Only Allow Local User Profiles Disable: Prevent Roaming Profile Change from Propogating to the Server - - + + - - Change of Profile Type: From the start menu right click on the - MY Computer icon, select Properties, click on the "User Profiles - tab, select the profile you wish to change from Roaming type to Local, click Change Type. - - + + Change of Profile Type: + + From the start menu right click on the + My Computer icon, select Properties, click on the User Profiles + tab, select the profile you wish to change from Roaming type to Local, click Change Type. + + + Consult the MS Windows registry guide for your particular MS Windows version for more 
@@ -215,12 +224,13 @@ Microsoft MS Windows Resource Kit for your version of Windows for specific infor When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders "Start Menu", "Desktop", "Programs" and "Nethood". +as are folders Start Menu, Desktop, +Programs and Nethood. These directories and their contents will be merged with the local -versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options "preserve case = yes", "short preserve case = yes" and -"case sensitive = no" in order to maintain capital letters in shortcuts +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. You will need to use the [global] +options preserve case = yes, short preserve case = yes and +case sensitive = no in order to maintain capital letters in shortcuts in any of the profile folders. @@ -233,19 +243,19 @@ and deny them write access to this file. - On the Windows 9x / Me machine, go to Control Panel -> Passwords and - select the User Profiles tab. Select the required level of - roaming preferences. Press OK, but do _not_ allow the computer + On the Windows 9x / Me machine, go to Control Panel -> Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer to reboot. - On the Windows 9x / Me machine, go to Control Panel -> Network -> - Client for Microsoft Networks -> Preferences. Select 'Log on to - NT Domain'. Then, ensure that the Primary Logon is 'Client for - Microsoft Networks'. Press OK, and this time allow the computer + On the Windows 9x / Me machine, go to Control Panel -> Network -> + Client for Microsoft Networks -> Preferences. Select Log on to + NT Domain. Then, ensure that the Primary Logon is Client for + Microsoft Networks. Press OK, and this time allow the computer to reboot. 
@@ -271,15 +281,15 @@ supports it), user name and user's password. Once the user has been successfully validated, the Windows 9x / Me machine -will inform you that 'The user has not logged on before' and asks you -if you wish to save the user's preferences? Select 'yes'. +will inform you that The user has not logged on before' and asks you + if you wish to save the user's preferences? Select yes. Once the Windows 9x / Me client comes up with the desktop, you should be able -to examine the contents of the directory specified in the "logon path" -on the samba server and verify that the "Desktop", "Start Menu", -"Programs" and "Nethood" folders have been created. +to examine the contents of the directory specified in the logon path +on the samba server and verify that the Desktop, Start Menu, +Programs and Nethood folders have been created. @@ -316,21 +326,20 @@ they will be told that they are logging in "for the first time". - run the regedit.exe program, and look in: + run the regedit.exe program, and look in: - - HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList + + HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be c:\windows\profiles\username), + contents of this key (likely to be c:\windows\profiles\username), then delete the key ProfilePath for the required user. + - [Exit the registry editor]. - - + [Exit the registry editor]. diff --git a/docs/docbook/projdoc/locking.xml b/docs/docbook/projdoc/locking.xml index 437f7756d9..5d21270e87 100644 --- a/docs/docbook/projdoc/locking.xml +++ b/docs/docbook/projdoc/locking.xml 
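Review bot: In ProfileMgmt.xml, hunk @@ -271,15 +281,15 @@, the added line "will inform you that The user has not logged on before' and asks you" still carries the closing apostrophe of the old quoted string, while the opening one was removed. Drop the trailing ' so the quoted message is delimited only by the new markup. The two added lines in that hunk also gain a leading space before "if you wish to save"; trim it unless the indentation is intended.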
@@ -82,33 +82,34 @@ All other locks can not be seen by unix anyway. Strictly a SMB server should check for locks before every read and write call on a file. Unfortunately with the way fcntl() works this can be slow and may overstress -the rpc.lockd. It is also almost always unnecessary as clients are supposed to +the rpc.lockd. It is also almost always unnecessary as clients are supposed to independently make locking calls before reads and writes anyway if locking is important to them. By default Samba only makes locking calls when explicitly asked -to by a client, but if you set strict locking = yes then it +to by a client, but if you set strict locking = yes then it will make lock checking calls on every read and write. -You can also disable by range locking completely using locking = no. +You can also disable by range locking completely using locking = no. This is useful for those shares that don't support locking or don't need it (such as cdroms). In this case Samba fakes the return codes of locking calls to tell clients that everything is OK. -The second class of locking is the deny modes. These +The second class of locking is the deny modes. These are set by an application when it opens a file to determine what types of access should be allowed simultaneously with its open. A client may ask for -DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility -modes called DENY_FCB and DENY_DOS. +DENY_NONE, DENY_READ, +DENY_WRITE or DENY_ALL. There are also special compatibility +modes called DENY_FCB and DENY_DOS. Opportunistic Locking Overview -OPPORTUNISTIC LOCKING (Oplocks) is invoked by the Windows file system +Opportunistic locking (Oplocks) is invoked by the Windows file system (as opposed to an API) via registry entries (on the server AND client) for the purpose of enhancing network performance when accessing a file residing on a server. Performance is enhanced by caching the file 
@@ -129,7 +130,7 @@ locally on the client which allows: Lock caching: - + The client caches application locks locally, eliminating network latency @@ -408,7 +409,7 @@ the share. Beware of Force User -Samba includes an smb.conf parameter called "force user" that changes +Samba includes an &smb.conf; parameter called force user that changes the user accessing a share from the incoming user to whatever user is defined by the smb.conf variable. If opportunistic locking is enabled on a share, the change in user access causes an oplock break to be sent @@ -425,7 +426,7 @@ Avoid the combination of the following: - force user in the &smb.conf; share configuration. + force user in the &smb.conf; share configuration. @@ -447,8 +448,9 @@ Samba provides opportunistic locking parameters that allow the administrator to adjust various properties of the oplock mechanism to account for timing and usage levels. These parameters provide good versatility for implementing oplocks in environments where they would -likely cause problems. The parameters are: oplock break wait time, -oplock contention limit. +likely cause problems. The parameters are: +oplock break wait time, +oplock contention limit. @@ -622,7 +624,7 @@ you may want to play it safe and disable oplocks and level2 oplocks. -Diabling Kernel OpLocks +Disabling Kernel OpLocks Kernel OpLocks is an &smb.conf; parameter that notifies Samba (if @@ -639,12 +641,11 @@ basis in the &smb.conf; file. -Example: + [global] - kernel oplocks = yes - -The default is "no". +kernel oplocks = yes +The default is "no". @@ -676,7 +677,7 @@ enabled on a per-share basis, or globally for the entire server, in the interval for Samba to reply to an oplock break request. Samba recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break Wait Time can only be -configured globally in the smb.conf file: +configured globally in the &smb.conf; file: 
@@ -701,7 +702,7 @@ the entire server, in the &smb.conf; file: [global] oplock break contention limit = 2 (default) - [share_name] +[share_name] oplock break contention limit = 2 (default) @@ -722,7 +723,7 @@ operating system known as Opportunistic Locking. When a wor attempts to access shared data files located on another Windows 2000/XP computer, the Windows 2000/XP operating system will attempt to increase performance by locking the files and caching information locally. When this occurs, the application is unable to -properly function, which results in an Access Denied +properly function, which results in an Access Denied error message being displayed during network operations. diff --git a/docs/docbook/projdoc/msdfs_setup.xml b/docs/docbook/projdoc/msdfs_setup.xml index cd2d41794f..c21c9ec6bf 100644 --- a/docs/docbook/projdoc/msdfs_setup.xml +++ b/docs/docbook/projdoc/msdfs_setup.xml @@ -58,7 +58,7 @@ Here's an example of setting up a DFS tree on a Samba server. - + # The smb.conf file: [global] netbios name = SMOKEY @@ -67,13 +67,12 @@ [dfs] path = /export/dfsroot msdfs root = yes - + - - In the /export/dfsroot directory we set up our dfs links to other servers on the network. - - + In the /export/dfsroot directory we set up our dfs links to + other servers on the network. + &rootprompt;cd /export/dfsroot &rootprompt;chown root /export/dfsroot @@ -81,7 +80,6 @@ &rootprompt;ln -s msdfs:storageA\\shareA linka &rootprompt;ln -s msdfs:serverB\\share,serverC\\share linkb - You should set up the permissions and ownership of the directory acting as the DFS root such that only designated diff --git a/docs/docbook/projdoc/passdb.xml b/docs/docbook/projdoc/passdb.xml index 4152494d24..5dfc5fb70d 100644 --- a/docs/docbook/projdoc/passdb.xml +++ b/docs/docbook/projdoc/passdb.xml 
@@ -248,23 +248,12 @@ Samba-3 introduces the following new password backend capabilities: although they may log onto a domain environment: - - - MS DOS Network client 3.0 with the basic network redirector installed - - - - Windows 95 with the network redirector update installed - - - - Windows 98 [se] - - - - Windows Me - - + + MS DOS Network client 3.0 with the basic network redirector installed + Windows 95 with the network redirector update installed + Windows 98 [se] + Windows Me + @@ -277,13 +266,13 @@ Samba-3 introduces the following new password backend capabilities: The following versions of MS Windows fully support domain security protocols. - - Windows NT 3.5x - Windows NT 4.0 - Windows 2000 Professional - Windows 200x Server/Advanced Server - Windows XP Professional - + + Windows NT 3.5x + Windows NT 4.0 + Windows 2000 Professional + Windows 200x Server/Advanced Server + Windows XP Professional + All current release of Microsoft SMB/CIFS clients support authentication via the @@ -359,7 +348,7 @@ Samba-3 introduces the following new password backend capabilities: Firstly, all Samba SAM (Security Account Management database) accounts require a Unix/Linux UID that the account will map to. As users are added to the account - information database samba-3 will call the add user script + information database samba-3 will call the add user script interface to add the account to the Samba host OS. In essence all accounts in the local SAM require a local user account. 
@@ -379,7 +368,7 @@ Samba-3 introduces the following new password backend capabilities: Samba-3 provides two (2) tools for management of User and machine accounts. These tools are -called smbpasswd and pdbedit. A third tool is under +called smbpasswd and pdbedit. A third tool is under development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will be announced in time for samba-3.0.1 release timing. @@ -409,47 +398,30 @@ be announced in time for samba-3.0.1 release timing. smbpasswd can be used to: - - - add user or machine accounts - - - - delete user or machine accounts - - - - enable user or machine accounts - - - - disable user or machine accounts - - - - set to NULL user passwords - - - - manage interdomain trust accounts - - + + add user or machine accounts + delete user or machine accounts + enable user or machine accounts + disable user or machine accounts + set to NULL user passwords + manage interdomain trust accounts + To run smbpasswd as a normal user just type: - + $ smbpasswd - Old SMB password: <secret> - - For secret type old value here - or hit return if + Old SMB password: secret + + For secret type old value here - or hit return if there was no old password - - New SMB Password: <new secret> - Repeat New SMB Password: <new secret> - + + New SMB Password: new secret + Repeat New SMB Password: new secret + @@ -490,19 +462,11 @@ be announced in time for samba-3.0.1 release timing. manage the passdb backend. pdbedit can be used to: - - - add, remove or modify user accounts - - - - listing user accounts - - - - migrate user accounts - - + + add, remove or modify user accounts + listing user accounts + migrate user accounts + The pdbedit tool is the only one that can manage the account 
@@ -521,9 +485,8 @@ be announced in time for samba-3.0.1 release timing. a tdbsam password backend. This listing was produced by running: - - pdbedit -Lv met - + + $ pdbedit -Lv met Unix username: met NT username: Account Flags: [UX ] @@ -544,8 +507,9 @@ be announced in time for samba-3.0.1 release timing. Password last set: Sat, 14 Dec 2002 14:37:03 GMT Password can change: Sat, 14 Dec 2002 14:37:03 GMT Password must change: Mon, 18 Jan 2038 20:14:07 GMT - - + + + @@ -566,8 +530,8 @@ backends of the same type. For example, to use two different tdbsam databases: -In smb.conf [globals] - passdb backend = tdbsam:/etc/samba/passdb.tdb, \ +[globals] + passdb backend = tdbsam:/etc/samba/passdb.tdb, \ tdbsam:/etc/samba/old-passdb.tdb, guest @@ -917,7 +881,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz -slapadd -v -l initldap.dif +$ slapadd -v -l initldap.dif @@ -931,7 +895,7 @@ slapadd -v -l initldap.dif Before Samba can access the LDAP server you need to stoe the LDAP admin password into the Samba-3 secrets.tdb database by: - &rootprompt; smbpasswd -w secret +&rootprompt; smbpasswd -w secret @@ -968,7 +932,7 @@ slapadd -v -l initldap.dif - + ## /usr/local/samba/lib/smb.conf [global] security = user @@ -1010,7 +974,7 @@ slapadd -v -l initldap.dif # generally the default ldap search filter is ok # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))" - + @@ -1088,12 +1052,12 @@ slapadd -v -l initldap.dif - + ## allow the "ldap admin dn" access, but deny everyone else access to attrs=lmPassword,ntPassword by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write by * none - + 
@@ -1105,64 +1069,65 @@ access to attrs=lmPassword,ntPassword The sambaAccount objectclass is composed of the following attributes: - - lmPassword: the LANMAN password 16-byte hash stored as a character - representation of a hexidecimal string. - - ntPassword: the NT password hash 16-byte stored as a character - representation of a hexidecimal string. - - pwdLastSet: The integer time in seconds since 1970 when the + + + + lmPasswordthe LANMAN password 16-byte hash stored as a character + representation of a hexidecimal string. + ntPasswordthe NT password hash 16-byte stored as a character + representation of a hexidecimal string. + pwdLastSetThe integer time in seconds since 1970 when the lmPassword and ntPassword attributes were last set. - + - acctFlags: string of 11 characters surrounded by square brackets [] + acctFlagsstring of 11 characters surrounded by square brackets [] representing account flags such as U (user), W(workstation), X(no password expiration), I(Domain trust account), H(Home dir required), S(Server trust account), - and D(disabled). + and D(disabled). - logonTime: Integer value currently unused + logonTimeInteger value currently unused - logoffTime: Integer value currently unused + logoffTimeInteger value currently unused - kickoffTime: Integer value currently unused + kickoffTimeInteger value currently unused - pwdCanChange: Integer value currently unused + pwdCanChangeInteger value currently unused - pwdMustChange: Integer value currently unused + pwdMustChangeInteger value currently unused - homeDrive: specifies the drive letter to which to map the + homeDrivespecifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" where X is the letter of the drive to map. Refer to the "logon drive" parameter in the - smb.conf(5) man page for more information. + smb.conf(5) man page for more information. 
- scriptPath: The scriptPath property specifies the path of + scriptPathThe scriptPath property specifies the path of the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path is relative to the netlogon share. Refer to the "logon script" parameter in the - smb.conf(5) man page for more information. + smb.conf(5) man page for more information. - profilePath: specifies a path to the user's profile. + profilePathspecifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. Refer to the - "logon path" parameter in the smb.conf(5) man page for more information. + "logon path" parameter in the smb.conf(5) man page for more information. - smbHome: The homeDirectory property specifies the path of + smbHomeThe homeDirectory property specifies the path of the home directory for the user. The string can be null. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. Refer to the logon home parameter in the &smb.conf; man page for more information. - + - userWorkstation: character string value currently unused. - + userWorkstationcharacter string value currently unused. + - rid: the integer representation of the user's relative identifier - (RID). + ridthe integer representation of the user's relative identifier + (RID). - primaryGroupID: the relative identifier (RID) of the primary group - of the user. + primaryGroupIDthe relative identifier (RID) of the primary group + of the user. - domain: domain the user is part of. - + domaindomain the user is part of. + +
The majority of these parameters are only used when Samba is acting as a PDC of @@ -1171,18 +1136,18 @@ access to attrs=lmPassword,ntPassword are only stored with the sambaAccount entry if the values are non-default values: - - smbHome - scriptPath - logonPath - homeDrive - + + smbHome + scriptPath + logonPath + homeDrive + These attributes are only stored with the sambaAccount entry if the values are non-default values. For example, assume TASHTEGO has now been - configured as a PDC and that logon home = \\%L\%u was defined in - its smb.conf file. When a user named "becky" logons to the domain, + configured as a PDC and that logon home = \\%L\%u was defined in + its &smb.conf; file. When a user named "becky" logons to the domain, the logon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value @@ -1201,7 +1166,7 @@ access to attrs=lmPassword,ntPassword - + dn: uid=guest2, ou=people,dc=plainjoe,dc=org ntPassword: 878D8014606CDA29677A44EFA1353FC7 pwdMustChange: 2147483647 @@ -1216,7 +1181,7 @@ access to attrs=lmPassword,ntPassword logoffTime: 2147483647 rid: 19006 pwdCanChange: 0 - + @@ -1225,7 +1190,7 @@ access to attrs=lmPassword,ntPassword - + dn: uid=gcarter, ou=people,dc=plainjoe,dc=org logonTime: 0 displayName: Gerald Carter @@ -1248,7 +1213,7 @@ access to attrs=lmPassword,ntPassword pwdCanChange: 0 pwdMustChange: 2147483647 ntPassword: 878D8014606CDA29677A44EFA1353FC7 - + @@ -1261,7 +1226,7 @@ access to attrs=lmPassword,ntPassword using pam_ldap, this allows changing both unix and windows passwords at once.
- The ldap passwd sync options can have the following values: + The ldap passwd sync options can have the following values: @@ -1322,7 +1287,7 @@ access to attrs=lmPassword,ntPassword contains the correct queries to create the required tables. Use the command : - mysql -uusername -hhostname -ppassword databasename > /path/to/samba/examples/pdb/mysql/mysql.dump + $ mysql -uusername -hhostname -ppassword databasename > /path/to/samba/examples/pdb/mysql/mysql.dump @@ -1332,10 +1297,10 @@ access to attrs=lmPassword,ntPassword This plugin lacks some good documentation, but here is some short info: - Add a the following to the passdb backend variable in your smb.conf: - + Add a the following to the passdb backend variable in your &smb.conf;: + passdb backend = [other-plugins] mysql:identifier [other-plugins] - + The identifier can be any string you like, as long as it doesn't collide with @@ -1345,18 +1310,18 @@ access to attrs=lmPassword,ntPassword - Additional options can be given thru the &smb.conf; file in the [global] section. + Additional options can be given thru the &smb.conf; file in the [global] section. - + identifier:mysql host - host name, defaults to 'localhost' identifier:mysql password identifier:mysql user - defaults to 'samba' identifier:mysql database - defaults to 'samba' identifier:mysql port - defaults to 3306 identifier:table - Name of the table containing users - + : @@ -1371,7 +1336,7 @@ access to attrs=lmPassword,ntPassword Names of the columns in this table(I've added column types those columns should have first): - + identifier:logon time column - int(9) identifier:logoff time column - int(9) identifier:kickoff time column - int(9) @@ -1403,7 +1368,7 @@ access to attrs=lmPassword,ntPassword identifier:hours len column - int(9) - ? identifier:unknown 5 column - int(9) - unknown identifier:unknown 6 column - int(9) - unknown - + @@ -1466,7 +1431,7 @@ access to attrs=lmPassword,ntPassword - pdbedit -e xml:filename + $ pdbedit -e xml:filename 
@@ -1475,22 +1440,7 @@ access to attrs=lmPassword,ntPassword To import data, use: - pdbedit -i xml:filename -e current-pdb - - - - Where filename is the name to read the data from and current-pdb to put it in. - - - - For example: To migrate (copy) the smbpasswd database into a tdbsam database: - - - - then execute (as root): - - &rootprompt;pdbedit -i smbpasswd -e tdbsam - + $ pdbedit -i xml:filename @@ -1517,12 +1467,12 @@ access to attrs=lmPassword,ntPassword - + [globals] ... passdb backend = smbpasswd, tdbsam, guest ... - + @@ -1531,12 +1481,12 @@ access to attrs=lmPassword,ntPassword - + [globals] ... passdb backend = tdbsam, smbpasswd, guest ... - + diff --git a/docs/docbook/projdoc/printer_driver2.xml b/docs/docbook/projdoc/printer_driver2.xml index 76f59c12ea..028c6cc1e6 100644 --- a/docs/docbook/projdoc/printer_driver2.xml +++ b/docs/docbook/projdoc/printer_driver2.xml @@ -60,12 +60,8 @@ spooled files. They are utilized entirely by the clients. The following MS KB article, may be of some help if you are dealing with -Windows 2000 clients: How to Add Printers with No User -Interaction in Windows 2000 - - - -http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP +Windows 2000 clients: +How to Add Printers with No User Interaction in Windows 2000 @@ -141,8 +137,8 @@ level user accounts to have write access in order to update files on the share. See the smb.conf(5) man page for more information on configuring file shares. -The requirement for guest -ok = yes depends upon how your +The requirement for guest +ok = yes depends upon how your site is configured. If users will be guaranteed to have an account on the Samba host, then this is a non-issue. 
@@ -158,8 +154,8 @@ is not necessary. Of course, in a workgroup environment where you just want to be able to print without worrying about silly accounts and security, then configure the share for guest access. You'll probably want to add map to guest = Bad User - in the [global] section as well. Make sure +url="smb.conf.5.html#MAPTOGUEST">map to guest = Bad User + in the [global] section as well. Make sure you understand what this parameter does before using it though. --jerry @@ -210,12 +206,12 @@ that all file shares are set to 'read only' by default. -Once you have created the required [print$] service and +Once you have created the required [print$] service and associated subdirectories, simply log onto the Samba server using a root (or printer admin) account -from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or -"My Network Places" and browse for the Samba host. Once you have located -the server, navigate to the "Printers..." folder. +from a Windows NT 4.0/2k client. Open Network Neighbourhood or +My Network Places and browse for the Samba host. Once you have located +the server, navigate to the Printers... folder. You should see an initial listing of printers that matches the printer shares defined on your Samba host. 
@@ -233,30 +229,30 @@ which has this default driver assigned will result in the error message: -Device settings cannot be displayed. The driver +Device settings cannot be displayed. The driver for the specified printer is not installed, only spooler properties will be displayed. Do you want to install the -driver now? +driver now? -Click "No" in the error dialog and you will be presented with +Click No in the error dialog and you will be presented with the printer properties window. The way to assign a driver to a printer is to either - - Use the "New Driver..." button to install - a new printer driver, or + + Use the New Driver... button to install + a new printer driver, or - Select a driver from the popup list of - installed drivers. Initially this list will be empty. - - + Select a driver from the popup list of + installed drivers. Initially this list will be empty. + + If you wish to install printer drivers for client operating systems other than "Windows NT x86", you will need -to use the "Sharing" tab of the printer properties dialog. +to use the Sharing tab of the printer properties dialog. Assuming you have connected with a root account, you will also be able modify other printer properties such as @@ -267,7 +263,7 @@ on a Windows NT print server to have printers listed in the Printers folder which are not shared. Samba does not make this distinction. By definition, the only printers of which Samba is aware are those which are specified as shares in -smb.conf. +&smb.conf;. Another interesting side note is that Windows NT clients do not use the SMB printer share, but rather can print directly 
@@ -287,15 +283,15 @@ permissions to the "Everyone" well-known group. One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for 100's of printers. Using the Windows NT APW is somewhat -awkward to say the list. If more than one printer are using the +awkward to say the least. If more than one printer are using the same driver, the rpcclient's setdriver command can be used to set the driver associated with an installed driver. The following is example of how this could be accomplished: -$ rpcclient pogo -U root%secret -c "enumdrivers" - + +$ rpcclient pogo -U root%secret -c "enumdrivers" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] [Windows NT x86] @@ -307,21 +303,17 @@ Printer Driver Info 1: Printer Driver Info 1: Driver Name: [HP LaserJet 4Si/4SiMX PS] - -$ rpcclient pogo -U root%secret -c "enumprinters" - +$ rpcclient pogo -U root%secret -c "enumprinters" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] flags:[0x800000] name:[\\POGO\hp-print] description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] comment:[] - -$ rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" - +$ rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] Successfully set hp-print to driver HP LaserJet 4000 Series PS. - + @@ -330,9 +322,9 @@ Successfully set hp-print to driver HP LaserJet 4000 Series PS. Adding New Printers via the Windows NT APW -By default, Samba offers all printer shares defined in smb.conf -in the "Printers..." folder. Also existing in this folder is the Windows NT -Add Printer Wizard icon. The APW will be show only if +By default, Samba offers all printer shares defined in &smb.conf; +in the Printers... folder. Also existing in this folder is the Windows NT +Add Printer Wizard icon. The APW will be show only if 
@@ -352,15 +344,15 @@ server, the add printer command must have a defined value. The program hook must successfully add the printer to the system (i.e. /etc/printcap or appropriate files) and -smb.conf if necessary. +&smb.conf; if necessary. When using the APW from a client, if the named printer share does -not exist, smbd will execute the add printer -command and reparse to the smb.conf +not exist, &smbd; will execute the add printer +command and reparse to the &smb.conf; to attempt to locate the new printer share. If the share is still not defined, -an error of "Access Denied" is returned to the client. Note that the +an error of Access Denied is returned to the client. Note that the add printer program is executed under the context of the connected user, not necessarily a root account. @@ -447,7 +439,7 @@ a form of load balancing or fail over. If you require that multiple ports be defined for some reason, -smb.conf possesses a enumports command which can be used to define an external program that generates a listing of ports on a system. @@ -588,6 +580,7 @@ foreach (supported architecture for a given driver)
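Review bot: In the ProfileMgmt.xml hunk at @@ -271,15 +281,15 @@, the rewritten line `will inform you that The user has not logged on before' and asks you` still carries the closing apostrophe of the old quoted string, although the opening one was removed. Drop the stray `'` after "before" so the message text is delimited by the new markup only, as was done for "Select yes" on the following line.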
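Review bot: In the passdb.xml hunk at @@ -566,8 +530,8 @@, the added line `[globals]` keeps a section name that smb.conf does not treat as the global section. The section is `[global]`, as used in the LDAP example (`## /usr/local/samba/lib/smb.conf [global]`) and in the MySQL text ("in the [global] section") of this same file. A reader who copies `[globals]` defines a share called "globals", and the `passdb backend` line is never applied server-wide. Since the line is being rewritten anyway, change it to `[global]`, and do the same for the two `passdb backend = smbpasswd, tdbsam, guest` examples in the @@ -1517,12 +1467,12 @@ and @@ -1531,12 +1481,12 @@ hunks.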
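Review bot: In the passdb.xml hunk at @@ -1171,18 +1136,18 @@, the re-marked-up list of attributes stored only when non-default names `logonPath`, but the attribute list added in the @@ -1105,64 +1069,65 @@ hunk of the same file defines `profilePath` and has no `logonPath`. While the list is being converted, rename the entry to `profilePath` so that the two lists agree and readers do not search their directory for an attribute that the objectclass description never mentions.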
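Review bot: In the passdb.xml hunk at @@ -1322,7 +1287,7 @@, the touched command `$ mysql -uusername -hhostname -ppassword databasename > /path/to/samba/examples/pdb/mysql/mysql.dump` redirects in the wrong direction. The preceding sentence says the dump file "contains the correct queries to create the required tables", so it has to be fed to the client with `<` (written `&lt;` in the XML). As written, `>` truncates the shipped mysql.dump and creates no tables. The line is already being edited to add the prompt, so fix the operator in the same change.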
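Review bot: The passdb.xml hunk at @@ -1475,22 +1440,7 @@ removes documentation rather than fixing markup: the import command loses its `-e current-pdb` destination, and both the sentence explaining `filename` and `current-pdb` and the worked smbpasswd-to-tdbsam migration (`pdbedit -i smbpasswd -e tdbsam`) are deleted. The commit subject describes markup fixes and layout updates only, so this reads as an accidental deletion. Either restore the three removed paragraphs with the new markup, or move the removal into its own commit with a message saying why the migration example no longer applies.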
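Review bot: In the printer_driver2.xml hunk at @@ -307,21 +303,17 @@, the added `setdriver` line ends in `\"HP LaserJet 4000 Series PS\"` and has lost the closing `"` of the `-c` argument that the removed line had (`\"HP LaserJet 4000 Series PS\""`). Pasted into a shell, the command now waits for more input instead of running, so restore the final double quote. Separately, all three example commands pass the password on the command line as `-U root%secret`, which other local users can read from the process list. A short remark in the text, or an example that lets rpcclient prompt for the password, would keep readers from copying that habit with a real root password.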
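Review bot: In the printer_driver2.xml hunk at @@ -330,9 +322,9 @@, the added line `Add Printer Wizard icon. The APW will be show only if` should read "will be shown". The same commit corrects "say the list" to "say the least" and "Diabling" to "Disabling", so this typo on a rewritten line is worth fixing here too.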