From 556d1ca2d20c42c7ee5934631331f0a019203f06 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 22 Nov 2002 00:32:24 +0000 Subject: Sync docbook directory with HEAD. Sorry but there are way too many changes to track down all the commit messages and list them here. Most of the changes look like updates and cleanups from Jelmer though. (This used to be commit 75615648d0ace3bde6a2ef2dad562094f1b25d00) --- docs/docbook/Makefile.in | 10 +- docs/docbook/devdoc/dev-doc.sgml | 2 + docs/docbook/devdoc/unix-smb.sgml | 5 + docs/docbook/faq/errors.sgml | 6 + docs/docbook/manpages/nmbd.8.sgml | 3 +- docs/docbook/manpages/pdbedit.8.sgml | 20 +- docs/docbook/manpages/rpcclient.1.sgml | 23 +- docs/docbook/manpages/smb.conf.5.sgml | 34 +- docs/docbook/manpages/smbclient.1.sgml | 2 +- docs/docbook/manpages/smbd.8.sgml | 33 +- docs/docbook/manpages/smbpasswd.8.sgml | 23 +- docs/docbook/manpages/smbsh.1.sgml | 2 +- docs/docbook/manpages/testparm.1.sgml | 12 +- docs/docbook/manpages/vfstest.1.sgml | 23 +- docs/docbook/manpages/wbinfo.1.sgml | 14 +- docs/docbook/projdoc/ADS-HOWTO.sgml | 18 +- docs/docbook/projdoc/Browsing.sgml | 4 +- docs/docbook/projdoc/Bugs.sgml | 5 +- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 6 +- docs/docbook/projdoc/Diagnosis.sgml | 30 +- docs/docbook/projdoc/ENCRYPTION.sgml | 243 ++-------- docs/docbook/projdoc/Integrating-with-Windows.sgml | 2 +- docs/docbook/projdoc/Printing.sgml | 398 ---------------- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 2 +- docs/docbook/projdoc/Speed.sgml | 238 +--------- docs/docbook/projdoc/UNIX_INSTALL.sgml | 39 +- docs/docbook/projdoc/msdfs_setup.sgml | 3 +- docs/docbook/projdoc/printer_driver2.sgml | 501 +++++++++++++++++---- docs/docbook/projdoc/samba-doc.sgml | 69 ++- docs/docbook/projdoc/security_level.sgml | 46 +- docs/docbook/projdoc/winbind.sgml | 2 +- 31 files changed, 657 insertions(+), 1161 deletions(-) delete mode 100644 docs/docbook/projdoc/Printing.sgml (limited to 'docs') diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index 1ac71e452b..ae24606caf 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -13,16 +13,14 @@ MANPAGES_NAMES=findsmb.1 smbclient.1 \ smbspool.8 lmhosts.5 \ - smbcontrol.1 smbstatus.1 \ - make_smbcodepage.1 smbd.8 \ - smbtar.1 nmbd.8 smbmnt.8 \ - smbumount.8 nmblookup.1 \ - smbmount.8 swat.8 rpcclient.1 \ + smbcontrol.1 smbstatus.1 \ + smbd.8 net.8 smbtar.1 nmbd.8 \ + smbmnt.8 smbumount.8 nmblookup.1 \ + smbmount.8 swat.8 rpcclient.1 \ smbpasswd.5 testparm.1 samba.7 \ smbpasswd.8 testprns.1 \ smb.conf.5 wbinfo.1 pdbedit.8 \ smbcacls.1 smbsh.1 winbindd.8 \ - make_unicodemap.1 net.8 \ smbgroupedit.8 vfstest.1 ## This part contains only rules. You shouldn't need to change it diff --git a/docs/docbook/devdoc/dev-doc.sgml b/docs/docbook/devdoc/dev-doc.sgml index adc25e83bd..e256dbe3a2 100644 --- a/docs/docbook/devdoc/dev-doc.sgml +++ b/docs/docbook/devdoc/dev-doc.sgml @@ -11,6 +11,7 @@ + ]> @@ -64,5 +65,6 @@ url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt diff --git a/docs/docbook/devdoc/unix-smb.sgml b/docs/docbook/devdoc/unix-smb.sgml index be79698857..aae96edfb7 100644 --- a/docs/docbook/devdoc/unix-smb.sgml +++ b/docs/docbook/devdoc/unix-smb.sgml @@ -143,6 +143,11 @@ details. Locking + +Since samba 2.2, samba supports other types of locking as well. This +section is outdated. + + The locking calls available under a DOS/Windows environment are much richer than those available in unix. This means a unix server (like diff --git a/docs/docbook/faq/errors.sgml b/docs/docbook/faq/errors.sgml index 2f378a3688..819462899e 100644 --- a/docs/docbook/faq/errors.sgml +++ b/docs/docbook/faq/errors.sgml @@ -167,4 +167,10 @@ A domain controller has to announce on the network who it is. This usually takes + +I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs +Your loopback device isn't working correctly. Make sure it's running. + + + diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml index bd8bf964f1..b8986110a6 100644 --- a/docs/docbook/manpages/nmbd.8.sgml +++ b/docs/docbook/manpages/nmbd.8.sgml @@ -1,4 +1,3 @@ -2Q @@ -318,7 +317,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. diff --git a/docs/docbook/manpages/pdbedit.8.sgml b/docs/docbook/manpages/pdbedit.8.sgml index fd8ce375e5..ed49b9f540 100644 --- a/docs/docbook/manpages/pdbedit.8.sgml +++ b/docs/docbook/manpages/pdbedit.8.sgml @@ -1,4 +1,6 @@ - + %globalentities; +]> @@ -21,8 +23,8 @@ -u username -f fullname -h homedir - -d drive - -s script + -D drive + -S script -p profile -a -m @@ -30,7 +32,8 @@ -i passdb-backend -e passdb-backend -b passdb-backend - -D debuglevel + -d debuglevel + -s configfile -P account-policy -V value @@ -160,9 +163,8 @@ - - -d drive + -D drive This option can be used while adding or modifing a user account. It will specify the windows drive letter to be used to map the home directory. @@ -174,7 +176,7 @@ - -s script + -S script This option can be used while adding or modifing a user account. It will specify the user's logon script path. @@ -299,6 +301,10 @@ + + &stdarg.debuglevel; + &stdarg.help; + &stdarg.configfile; diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml index 7a7a19c837..10e0ff438d 100644 --- a/docs/docbook/manpages/rpcclient.1.sgml +++ b/docs/docbook/manpages/rpcclient.1.sgml @@ -1,4 +1,6 @@ - + %globalentities; +]> @@ -87,23 +89,8 @@ - - -d|--debug=debuglevel - set the debuglevel. Debug level 0 is the lowest - and 100 being the highest. This should be set to 100 if you are - planning on submitting a bug report to the Samba team (see BUGS.txt). - - - - - - - - -h|--help - Print a summary of command line options. - - - + &stdarg.debuglevel; + &stdarg.help; -I IP-address diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index d5feb65acc..8452e97329 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -1269,10 +1269,10 @@ announce version (G) This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default - is 4.2. Do not change this parameter unless you have a specific + is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server. - Default: announce version = 4.5 + Default: announce version = 4.9 Example: announce version = 2.0 @@ -2300,7 +2300,7 @@ domain logons (G) If set to yes, the Samba server will serve Windows 95/98 Domain logons for the - workgroup it is in. Samba 2.2 also + workgroup it is in. Samba 2.2 has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see the Samba-PDC-HOWTO included in the htmldocs/ @@ -2862,7 +2862,7 @@ system print command such as lpr(1) or lp(1). - This paramater does not accept % macros, because + This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation. @@ -3475,7 +3475,7 @@ ldap server. Only available when the backwards-compatiblity --with-ldapsam option is specified - to configure. See passdb backend + to configure. See passdb backend Default : ldap ssl = start_tls @@ -3791,7 +3791,7 @@ The value of the parameter (a astring) allows the debug level (logging level) to be specified in the smb.conf file. This parameter has been - extended since 2.2.x series, now it allow to specify the debug + extended since the 2.2.x series, now it allow to specify the debug level for multiple debug classes. This is to give greater flexibility in the configuration of the system. @@ -5338,7 +5338,7 @@ passdb backend (G) This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. - Multiple backends can be specified, seperated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. + Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. Experimental backends must still be selected (eg --with-tdbsam) at configure time. @@ -5387,8 +5387,8 @@ LDAP connections should be secured where possible. This may be done using either Start-TLS (see - ldap ssl) or by - specifying ldaps:// in + ldap ssl) or by + specifying ldaps:// in the URL argument. @@ -7499,7 +7499,8 @@ unicode (G) Specifies whether Samba should try - to use unicode on the wire by default. + to use unicode on the wire by default. Note: This does NOT + mean that samba will assume that the unix machine uses unicode! Default: unicode = yes @@ -7515,6 +7516,7 @@ Default: unix charset = ASCII + Example: unix charset = UTF8 @@ -8053,11 +8055,10 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ vfs object (S) - This parameter specifies a shared object file that - is used for Samba VFS I/O operations. By default, normal + This parameter specifies a shared object files that + are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded - with a VFS object. The Samba VFS layer is new to Samba 2.2 and - must be enabled at compile time with --with-vfs. + with one or more VFS objects. Default : no value @@ -8069,9 +8070,8 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ vfs options (S) This parameter allows parameters to be passed - to the vfs layer at initialization time. The Samba VFS layer - is new to Samba 2.2 and must be enabled at compile time - with --with-vfs. See also + to the vfs layer at initialization time. + See also vfs object. Default : no value diff --git a/docs/docbook/manpages/smbclient.1.sgml b/docs/docbook/manpages/smbclient.1.sgml index 31031dafc4..43994a4529 100644 --- a/docs/docbook/manpages/smbclient.1.sgml +++ b/docs/docbook/manpages/smbclient.1.sgml @@ -30,7 +30,7 @@ -l logfile -L <netbios name> -I destinationIP - -E <terminal code> + -E -c <command string> -i scope -O <socket options> diff --git a/docs/docbook/manpages/smbd.8.sgml b/docs/docbook/manpages/smbd.8.sgml index 509007c4bc..4ae8b3148b 100644 --- a/docs/docbook/manpages/smbd.8.sgml +++ b/docs/docbook/manpages/smbd.8.sgml @@ -16,13 +16,10 @@ smbd -D - -a -i - -o - -P -h -V - -b + -b -d <debug level> -l <log directory> -p <port number> @@ -89,13 +86,6 @@ - - -a - If this parameter is specified, each new - connection will append log messages to the log file. - This is the default. - - -i If this parameter is specified it causes the @@ -106,21 +96,6 @@ - - -o - If this parameter is specified, the - log files will be overwritten when opened. By default, - smbd will append entries to the log - files. - - - - -P - Passive option. Causes smbd not to - send any network traffic out. Used for debugging by - the developers only. - - -h Prints the help information (usage) @@ -128,7 +103,7 @@ - -v + -V Prints the version number for smbd. @@ -322,7 +297,7 @@ - Account Validation: All acccesses to a + Account Validation: All accesses to a samba server are checked against PAM to see if the account is vaild, not disabled and is permitted to login at this time. This also applies to encrypted logins. @@ -340,7 +315,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml index c0b7ac3359..8e6d925ae0 100644 --- a/docs/docbook/manpages/smbpasswd.8.sgml +++ b/docs/docbook/manpages/smbpasswd.8.sgml @@ -28,6 +28,8 @@ -h -s -w pass + -i + -L username @@ -317,7 +319,22 @@ - + + + -i + This option tells smbpasswd that the account + being changed is an interdomain trust account. Currently this is used + when Samba is being used as an NT Primary Domain Controller. + The account contains the info about another trusted domain. + + This option is only available when running smbpasswd as root. + + + + + -L + Run in local mode. + username @@ -382,7 +399,3 @@ - - - - diff --git a/docs/docbook/manpages/smbsh.1.sgml b/docs/docbook/manpages/smbsh.1.sgml index 82efb334ba..c40609be4f 100644 --- a/docs/docbook/manpages/smbsh.1.sgml +++ b/docs/docbook/manpages/smbsh.1.sgml @@ -188,7 +188,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. diff --git a/docs/docbook/manpages/testparm.1.sgml b/docs/docbook/manpages/testparm.1.sgml index 350683eb57..254ede7265 100644 --- a/docs/docbook/manpages/testparm.1.sgml +++ b/docs/docbook/manpages/testparm.1.sgml @@ -20,8 +20,9 @@ -h -v -L <servername> + -t <encoding> config filename - hostname hostIP + hostname hostIP @@ -86,6 +87,12 @@ their defaults. + + -t encoding + + Output data in specified encoding. + + configfilename This is the name of the configuration file @@ -144,7 +151,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. @@ -173,4 +180,3 @@ - diff --git a/docs/docbook/manpages/vfstest.1.sgml b/docs/docbook/manpages/vfstest.1.sgml index 9a7eff1939..d6c7e5f142 100644 --- a/docs/docbook/manpages/vfstest.1.sgml +++ b/docs/docbook/manpages/vfstest.1.sgml @@ -1,4 +1,7 @@ - + %globalentities; +]> + @@ -43,25 +46,13 @@ -c|--command=command - Execute the specified (colon-seperated) commands. + Execute the specified (colon-separated) commands. See below for the commands that are available. - - -d|--debug=debuglevel - set the debuglevel. Debug level 0 is the lowest - and 100 being the highest. This should be set to 100 if you are - planning on submitting a bug report to the Samba team (see - BUGS.txt). - - - - - -h|--help - Print a summary of command line options. - - + &stdarg.debuglevel; + &stdarg.help; -l|--logfile=logbasename diff --git a/docs/docbook/manpages/wbinfo.1.sgml b/docs/docbook/manpages/wbinfo.1.sgml index f1461b07b9..a6ca244243 100644 --- a/docs/docbook/manpages/wbinfo.1.sgml +++ b/docs/docbook/manpages/wbinfo.1.sgml @@ -17,8 +17,8 @@ wbinfo -u -g - -h name -i ip + -N netbios-name -n name -s sid -U uid @@ -30,6 +30,7 @@ -r user -a user%password -A user%password + -p @@ -72,10 +73,9 @@ winbindd(8). - - -h name - The -h option + -N name + The -N option queries winbindd(8) to query the WINS server for the IP address associated with the NetBIOS name specified by the name parameter. @@ -84,8 +84,8 @@ - -i ip - The -i option + -I ip + The -I option queries winbindd(8) to send a node status request to get the NetBIOS name associated with the IP address specified by the ip parameter. @@ -210,7 +210,7 @@ VERSION - This man page is correct for version 2.2 of + This man page is correct for version 3.0 of the Samba suite. diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 0d2fda5f78..3e34d53c0a 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -7,13 +7,11 @@ 2002 -Using samba 3.0 with ActiveDirectory support +Samba as a ADS domain member -This is a VERY ROUGH guide to setting up the current (November 2001) -pre-alpha version of Samba 3.0 with kerberos authentication against a -Windows2000 KDC. The procedures listed here are likely to change as -the code develops. +This is a rough guide to setting up Samba 3.0 with kerberos authentication against a +Windows2000 KDC. Pieces you need before you begin: @@ -76,13 +74,17 @@ to get them off CD2. realm = YOUR.KERBEROS.REALM - ads server = your.kerberos.server security = ADS encrypt passwords = yes -Strictly speaking, you can omit the realm name and you can use an IP - address for the ads server. In that case Samba will auto-detect these. + +In case samba can't figure out your ads server using your realm name, use the +ads server option in smb.conf: + + ads server = your.kerberos.server + + You do *not* need a smbpasswd file, although it won't do any harm and if you have one then Samba will be able to fall back to normal diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml index a463ea786b..13d6fce917 100644 --- a/docs/docbook/projdoc/Browsing.sgml +++ b/docs/docbook/projdoc/Browsing.sgml @@ -461,7 +461,7 @@ all smb.conf files : - wins server = >name or IP address< +wins server = >name or IP address< @@ -512,7 +512,7 @@ set the following option in the [global] section of the smb.conf file : - domain master = yes +domain master = yes diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index 5a24458e08..a9493b07d4 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml @@ -15,7 +15,8 @@ Introduction -The email address for bug reports is samba@samba.org +The email address for bug reports for stable releases is samba@samba.org. +Bug reports for alpha releases should go to samba-technical@samba.org. @@ -44,7 +45,7 @@ that list that may be able to help you. You may also like to look though the recent mailing list archives, which are conveniently accessible on the Samba web pages -at http://samba.org/samba/ +at http://samba.org/samba/. diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 6d0b36eafc..8a30a5527d 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -25,7 +25,7 @@ -security = domain in Samba 2.x +Samba as a NT4 domain member @@ -139,10 +139,11 @@ Samba and Windows 2000 Domains + Many people have asked regarding the state of Samba's ability to participate in -a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows +a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows 2000 domain operating in mixed or native mode. @@ -164,7 +165,6 @@ Computers" MMC (Microsoft Management Console) plugin. - Why is this better than security = server? diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 3cc0bab5d5..8c407375ed 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -7,7 +7,14 @@
tridge@samba.org
- 1 November 1999 + + JelmerVernooij + + Samba Team +
jelmer@samba.org
+ + + $Id: Diagnosis.sgml,v 1.1.2.3 2002/11/22 00:32:23 tpot Exp $ Diagnosing your samba server @@ -23,15 +30,15 @@ then it is probably working fine. -You should do ALL the tests, in the order shown. I have tried to +You should do ALL the tests, in the order shown. We have tried to carefully choose them so later tests only use capabilities verified in the earlier tests. -If you send me an email saying "it doesn't work" and you have not -followed this test procedure then you should not be surprised if I -ignore your email. +If you send one of the samba mailing lists an email saying "it doesn't work" +and you have not followed this test procedure then you should not be surprised +your email is ignored. @@ -40,11 +47,8 @@ ignore your email. Assumptions -In all of the tests I assume you have a Samba server called BIGSERVER -and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the -PC is running windows for workgroups with a recent copy of the -microsoft tcp/ip stack. Alternatively, your PC may be running Windows -95 or Windows NT (Workstation or Server). +In all of the tests it is assumed you have a Samba server called +BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP. @@ -52,7 +56,7 @@ The procedure is similar for other types of clients. -I also assume you know the name of an available share in your +It is also assumed you know the name of an available share in your smb.conf. I will assume this share is called "tmp". You can add a "tmp" share like by adding the following to smb.conf: @@ -68,7 +72,7 @@ smb.conf. I will assume this share is called "tmp". You can add a -THESE TESTS ASSUME VERSION 2.0.6 OR LATER OF THE SAMBA SUITE. SOME +THESE TESTS ASSUME VERSION 3.0.0 OR LATER OF THE SAMBA SUITE. SOME COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS @@ -99,7 +103,7 @@ configuration file is faulty. -Note: Your smb.conf file may be located in: /etc +Note: Your smb.conf file may be located in: /etc/samba Or in: /usr/local/samba/lib diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml index 6a26dbeffa..f903d7d334 100644 --- a/docs/docbook/projdoc/ENCRYPTION.sgml +++ b/docs/docbook/projdoc/ENCRYPTION.sgml @@ -7,88 +7,42 @@ Samba Team
- samba@samba.org + jra@samba.org
- - 19 Apr 1999 + + JelmerVernooij + + Samba Team +
+ jelmer@samba.org +
+ + + + 4 November 2002 -LanMan and NT Password Encryption in Samba 2.x +LanMan and NT Password Encryption in Samba Introduction - With the development of LanManager and Windows NT - compatible password encryption for Samba, it is now able - to validate user connections in exactly the same way as - a LanManager or Windows NT server. - - This document describes how the SMB password encryption - algorithm works and what issues there are in choosing whether - you want to use it. You should read it carefully, especially - the part about security and the "PROS and CONS" section. - - - - - How does it work? - - LanManager encryption is somewhat similar to UNIX - password encryption. The server uses a file containing a - hashed value of a user's password. This is created by taking - the user's plaintext password, capitalising it, and either - truncating to 14 bytes or padding to 14 bytes with null bytes. - This 14 byte value is used as two 56 bit DES keys to encrypt - a 'magic' eight byte value, forming a 16 byte value which is - stored by the server and client. Let this value be known as - the "hashed password". - - Windows NT encryption is a higher quality mechanism, - consisting of doing an MD4 hash on a Unicode version of the user's - password. This also produces a 16 byte hash value that is - non-reversible. - - When a client (LanManager, Windows for WorkGroups, Windows - 95 or Windows NT) wishes to mount a Samba drive (or use a Samba - resource), it first requests a connection and negotiates the - protocol that the client and server will use. In the reply to this - request the Samba server generates and appends an 8 byte, random - value - this is stored in the Samba server after the reply is sent - and is known as the "challenge". The challenge is different for - every client connection. - - The client then uses the hashed password (16 byte values - described above), appended with 5 null bytes, as three 56 bit - DES keys, each of which is used to encrypt the challenge 8 byte - value, forming a 24 byte value known as the "response". - - In the SMB call SMBsessionsetupX (when user level security - is selected) or the call SMBtconX (when share level security is - selected), the 24 byte response is returned by the client to the - Samba server. For Windows NT protocol levels the above calculation - is done on both hashes of the user's password and both responses are - returned in the SMB call, giving two 24 byte values. + Newer windows clients send encrypted passwords over + the wire, instead of plain text passwords. The newest clients + will only send encrypted passwords and refuse to send plain text + passwords, unless their registry is tweaked. - The Samba server then reproduces the above calculation, using - its own stored value of the 16 byte hashed password (read from the - smbpasswd file - described later) and the challenge - value that it kept from the negotiate protocol reply. It then checks - to see if the 24 byte value it calculates matches the 24 byte value - returned to it from the client. - - If these values match exactly, then the client knew the - correct password (or the 16 byte hashed value - see security note - below) and is thus allowed access. If not, then the client did not - know the correct password and is denied access. + These passwords can't be converted to unix style encrypted + passwords. Because of that you can't use the standard unix + user database, and you have to store the Lanman and NT hashes + somewhere else. For more information, see the documentation + about the passdb backend = parameter. + - Note that the Samba server never knows or stores the cleartext - of the user's password - just the 16 byte hashed values derived from - it. Also note that the cleartext password or 16 byte hashed values - are never transmitted over the network - thus increasing security. @@ -183,111 +137,6 @@ - - <anchor id="SMBPASSWDFILEFORMAT">The smbpasswd file - - In order for Samba to participate in the above protocol - it must be able to look up the 16 byte hashed values given a user name. - Unfortunately, as the UNIX password value is also a one way hash - function (ie. it is impossible to retrieve the cleartext of the user's - password given the UNIX hash of it), a separate password file - containing this 16 byte value must be kept. To minimise problems with - these two password files, getting out of sync, the UNIX - /etc/passwd and the smbpasswd file, - a utility, mksmbpasswd.sh, is provided to generate - a smbpasswd file from a UNIX /etc/passwd file. - To generate the smbpasswd file from your /etc/passwd - file use the following command : - - $ cat /etc/passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd - - If you are running on a system that uses NIS, use - - $ ypcat passwd | mksmbpasswd.sh - > /usr/local/samba/private/smbpasswd - - The mksmbpasswd.sh program is found in - the Samba source directory. By default, the smbpasswd file is - stored in : - - /usr/local/samba/private/smbpasswd - - The owner of the /usr/local/samba/private/ - directory should be set to root, and the permissions on it should - be set to 0500 (chmod 500 /usr/local/samba/private). - - - Likewise, the smbpasswd file inside the private directory should - be owned by root and the permissions on is should be set to 0600 - (chmod 600 smbpasswd). - - - The format of the smbpasswd file is (The line has been - wrapped here. It should appear as one entry per line in - your smbpasswd file.) - - -username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: - [Account type]:LCT-<last-change-time>:Long name - - - Although only the username, - uid, - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, - [Account type] and - last-change-time sections are significant - and are looked at in the Samba code. - - It is VITALLY important that there by 32 - 'X' characters between the two ':' characters in the XXX sections - - the smbpasswd and Samba code will fail to validate any entries that - do not have 32 characters between ':' characters. The first XXX - section is for the Lanman password hash, the second is for the - Windows NT version. - - When the password file is created all users have password entries - consisting of 32 'X' characters. By default this disallows any access - as this user. When a user has a password set, the 'X' characters change - to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii - representation of the 16 byte hashed value of a user's password. - - To set a user to have no password (not recommended), edit the file - using vi, and replace the first 11 characters with the ascii text - "NO PASSWORD" (minus the quotes). - - For example, to clear the password for user bob, his smbpasswd file - entry would look like : - - - bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell - - - If you are allowing users to use the smbpasswd command to set - their own passwords, you may want to give users NO PASSWORD initially - so they do not have to enter a previous password when changing to their - new password (not recommended). In order for you to allow this the - smbpasswd program must be able to connect to the - smbd daemon as that user with no password. Enable this - by adding the line : - - null passwords = yes - - to the [global] section of the smb.conf file (this is why - the above scenario is not recommended). Preferably, allocate your - users a default password to begin with, so you do not have - to enable this on your server. - - Note : This file should be protected very - carefully. Anyone with access to this file can (with enough knowledge of - the protocols) gain access to your SMB server. The file is thus more - sensitive than a normal unix /etc/passwd file. - - - The smbpasswd Command @@ -297,25 +146,14 @@ username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: install it in /usr/local/samba/bin/ (or your main Samba binary directory). - Note that as of Samba 1.9.18p4 this program MUST NOT - BE INSTALLED setuid root (the new smbpasswd - code enforces this restriction so it cannot be run this way by - accident). - smbpasswd now works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits - as follows. - - smbpasswd no longer has to be setuid root - - an enormous range of potential security problems is - eliminated. - - smbpasswd now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password). - + smbpasswd now has the capability + to change passwords on Windows NT servers (this only works when + the request is sent to the NT Primary Domain Controller if you + are changing an NT Domain user's password). To run smbpasswd as a normal user just type : @@ -348,31 +186,4 @@ username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: to the man page which will always be the definitive reference. - - - Setting up Samba to support LanManager Encryption - - This is a very brief description on how to setup samba to - support password encryption. - - - compile and install samba as usual - - - enable encrypted passwords in - smb.conf by adding the line encrypt - passwords = yes in the [global] section - - - create the initial smbpasswd - password file in the place you specified in the Makefile - (--prefix=<dir>). See the notes under the The smbpasswd File - section earlier in the document for details. - - - - Note that you can test things using smbclient. - - diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index 701e48678c..3b0faf81af 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -253,7 +253,7 @@ principal of speaking only when necessary. -Samba version 2.2.0 will add Linux support for extensions to +Starting with version 2.2.0 samba has Linux support for extensions to the name service switch infrastructure so that linux clients will be able to obtain resolution of MS Windows NetBIOS names to IP Addresses. To gain this functionality Samba needs to be compiled diff --git a/docs/docbook/projdoc/Printing.sgml b/docs/docbook/projdoc/Printing.sgml deleted file mode 100644 index ce9f40e88b..0000000000 --- a/docs/docbook/projdoc/Printing.sgml +++ /dev/null @@ -1,398 +0,0 @@ - - - - PatrickPowell - -
papowell@lprng.org
- - - 11 August 2000 - - -Debugging Printing Problems - - -Introduction - - -This is a short description of how to debug printing problems with -Samba. This describes how to debug problems with printing from a SMB -client to a Samba server, not the other way around. For the reverse -see the examples/printing directory. - - - -Ok, so you want to print to a Samba server from your PC. The first -thing you need to understand is that Samba does not actually do any -printing itself, it just acts as a middleman between your PC client -and your Unix printing subsystem. Samba receives the file from the PC -then passes the file to a external "print command". What print command -you use is up to you. - - - -The whole things is controlled using options in smb.conf. The most -relevant options (which you should look up in the smb.conf man page) -are: - - - - [global] - print command - send a file to a spooler - lpq command - get spool queue status - lprm command - remove a job - [printers] - path = /var/spool/lpd/samba - - - -The following are nice to know about: - - - - queuepause command - stop a printer or print queue - queueresume command - start a printer or print queue - - - -Example: - - - - print command = /usr/bin/lpr -r -P%p %s - lpq command = /usr/bin/lpq -P%p %s - lprm command = /usr/bin/lprm -P%p %j - queuepause command = /usr/sbin/lpc -P%p stop - queuepause command = /usr/sbin/lpc -P%p start - - - -Samba should set reasonable defaults for these depending on your -system type, but it isn't clairvoyant. It is not uncommon that you -have to tweak these for local conditions. The commands should -always have fully specified pathnames, as the smdb may not have -the correct PATH values. - - - -When you send a job to Samba to be printed, it will make a temporary -copy of it in the directory specified in the [printers] section. -and it should be periodically cleaned out. The lpr -r option -requests that the temporary copy be removed after printing; If -printing fails then you might find leftover files in this directory, -and it should be periodically cleaned out. Samba used the lpq -command to determine the "job number" assigned to your print job -by the spooler. - - - -The %>letter< are "macros" that get dynamically replaced with appropriate -values when they are used. The %s gets replaced with the name of the spool -file that Samba creates and the %p gets replaced with the name of the -printer. The %j gets replaced with the "job number" which comes from -the lpq output. - - - - - -Debugging printer problems - - -One way to debug printing problems is to start by replacing these -command with shell scripts that record the arguments and the contents -of the print file. A simple example of this kind of things might -be: - - - - print command = /tmp/saveprint %p %s - - #!/bin/saveprint - # we make sure that we are the right user - /usr/bin/id -p >/tmp/tmp.print - # we run the command and save the error messages - # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print - - - -Then you print a file and try removing it. You may find that the -print queue needs to be stopped in order to see the queue status -and remove the job: - - - - -h4: {42} % echo hi >/tmp/hi -h4: {43} % smbclient //localhost/lw4 -added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0 -Password: -Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7] -smb: \> print /tmp/hi -putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s) -smb: \> queue -1049 3 hi-17534 -smb: \> cancel 1049 -Error cancelling job 1049 : code 0 -smb: \> cancel 1049 -Job 1049 cancelled -smb: \> queue -smb: \> exit - - - -The 'code 0' indicates that the job was removed. The comment -by the smbclient is a bit misleading on this. -You can observe the command output and then and look at the -/tmp/tmp.print file to see what the results are. You can quickly -find out if the problem is with your printing system. Often people -have problems with their /etc/printcap file or permissions on -various print queues. - - - - -What printers do I have? - - -You can use the 'testprns' program to check to see if the printer -name you are using is recognized by Samba. For example, you can -use: - - - - testprns printer /etc/printcap - - - -Samba can get its printcap information from a file or from a program. -You can try the following to see the format of the extracted -information: - - - - testprns -a printer /etc/printcap - - testprns -a printer '|/bin/cat printcap' - - - - - -Setting up printcap and print servers - - -You may need to set up some printcaps for your Samba system to use. -It is strongly recommended that you use the facilities provided by -the print spooler to set up queues and printcap information. - - - -Samba requires either a printcap or program to deliver printcap -information. This printcap information has the format: - - - - name|alias1|alias2...:option=value:... - - - -For almost all printing systems, the printer 'name' must be composed -only of alphanumeric or underscore '_' characters. Some systems also -allow hyphens ('-') as well. An alias is an alternative name for the -printer, and an alias with a space in it is used as a 'comment' -about the printer. The printcap format optionally uses a \ at the end of lines -to extend the printcap to multiple lines. - - - -Here are some examples of printcap files: - - - - - -pr just printer name - - -pr|alias printer name and alias - - -pr|My Printer printer name, alias used as comment - - -pr:sh:\ Same as pr:sh:cm= testing - :cm= \ - testing - - -pr:sh Same as pr:sh:cm= testing - :cm= testing - - - - - -Samba reads the printcap information when first started. If you make -changes in the printcap information, then you must do the following: - - - - - -make sure that the print spooler is aware of these changes. -The LPRng system uses the 'lpc reread' command to do this. - - - -make sure that the spool queues, etc., exist and have the -correct permissions. The LPRng system uses the 'checkpc -f' -command to do this. - - - -You now should send a SIGHUP signal to the smbd server to have -it reread the printcap information. - - - - - - -Job sent, no output - - -This is the most frustrating part of printing. You may have sent the -job, verified that the job was forwarded, set up a wrapper around -the command to send the file, but there was no output from the printer. - - - -First, check to make sure that the job REALLY is getting to the -right print queue. If you are using a BSD or LPRng print spooler, -you can temporarily stop the printing of jobs. Jobs can still be -submitted, but they will not be printed. Use: - - - - lpc -Pprinter stop - - - -Now submit a print job and then use 'lpq -Pprinter' to see if the -job is in the print queue. If it is not in the print queue then -you will have to find out why it is not being accepted for printing. - - - -Next, you may want to check to see what the format of the job really -was. With the assistance of the system administrator you can view -the submitted jobs files. You may be surprised to find that these -are not in what you would expect to call a printable format. -You can use the UNIX 'file' utitily to determine what the job -format actually is: - - - - cd /var/spool/lpd/printer # spool directory of print jobs - ls # find job files - file dfA001myhost - - - -You should make sure that your printer supports this format OR that -your system administrator has installed a 'print filter' that will -convert the file to a format appropriate for your printer. - - - - - -Job sent, strange output - - -Once you have the job printing, you can then start worrying about -making it print nicely. - - - -The most common problem is extra pages of output: banner pages -OR blank pages at the end. - - - -If you are getting banner pages, check and make sure that the -printcap option or printer option is configured for no banners. -If you have a printcap, this is the :sh (suppress header or banner -page) option. You should have the following in your printer. - - - - printer: ... :sh - - - -If you have this option and are still getting banner pages, there -is a strong chance that your printer is generating them for you -automatically. You should make sure that banner printing is disabled -for the printer. This usually requires using the printer setup software -or procedures supplied by the printer manufacturer. - - - -If you get an extra page of output, this could be due to problems -with your job format, or if you are generating PostScript jobs, -incorrect setting on your printer driver on the MicroSoft client. -For example, under Win95 there is a option: - - - - Printers|Printer Name|(Right Click)Properties|Postscript|Advanced| - - - -that allows you to choose if a Ctrl-D is appended to all jobs. -This is a very bad thing to do, as most spooling systems will -automatically add a ^D to the end of the job if it is detected as -PostScript. The multiple ^D may cause an additional page of output. - - - - - -Raw PostScript printed - - -This is a problem that is usually caused by either the print spooling -system putting information at the start of the print job that makes -the printer think the job is a text file, or your printer simply -does not support PostScript. You may need to enable 'Automatic -Format Detection' on your printer. - - - - - -Advanced Printing - - -Note that you can do some pretty magic things by using your -imagination with the "print command" option and some shell scripts. -Doing print accounting is easy by passing the %U option to a print -command shell script. You could even make the print command detect -the type of output and its size and send it to an appropriate -printer. - - - - - -Real debugging - - -If the above debug tips don't help, then maybe you need to bring in -the bug guns, system tracing. See Tracing.txt in this directory. - - - diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 25a9783277..7cf3e5735c 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -19,7 +19,7 @@ -How to Configure Samba 2.2 as a Primary Domain Controller +How to Configure Samba as a NT4 Primary Domain Controller diff --git a/docs/docbook/projdoc/Speed.sgml b/docs/docbook/projdoc/Speed.sgml index 17adf10429..55d8b9492b 100644 --- a/docs/docbook/projdoc/Speed.sgml +++ b/docs/docbook/projdoc/Speed.sgml @@ -53,92 +53,6 @@ systems. - -Oplocks - - -Overview - - -Oplocks are the way that SMB clients get permission from a server to -locally cache file operations. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will agressively cache file -data. With some oplock types the client may even cache file open/close -operations. This can give enormous performance benefits. - - - -With the release of Samba 1.9.18 we now correctly support opportunistic -locks. This is turned on by default, and can be turned off on a share- -by-share basis by setting the parameter : - - - -oplocks = False - - - -We recommend that you leave oplocks on however, as current benchmark -tests with NetBench seem to give approximately a 30% improvement in -speed with them on. This is on average however, and the actual -improvement seen can be orders of magnitude greater, depending on -what the client redirector is doing. - - - -Previous to Samba 1.9.18 there was a 'fake oplocks' option. This -option has been left in the code for backwards compatibility reasons -but it's use is now deprecated. A short summary of what the old -code did follows. - - - - - -Level2 Oplocks - - -With Samba 2.0.5 a new capability - level2 (read only) oplocks is -supported (although the option is off by default - see the smb.conf -man page for details). Turning on level2 oplocks (on a share-by-share basis) -by setting the parameter : - - - -level2 oplocks = true - - - -should speed concurrent access to files that are not commonly written -to, such as application serving shares (ie. shares that contain common -.EXE files - such as a Microsoft Office share) as it allows clients to -read-ahread cache copies of these files. - - - - - -Old 'fake oplocks' option - deprecated - - -Samba can also fake oplocks, by granting a oplock whenever a client -asks for one. This is controlled using the smb.conf option "fake -oplocks". If you set "fake oplocks = yes" then you are telling the -client that it may agressively cache the file data for all opens. - - - -Enabling 'fake oplocks' on all read-only shares or shares that you know -will only be accessed from one client at a time you will see a big -performance improvement on many operations. If you enable this option -on shares where multiple clients may be accessing the files read-write -at the same time you can get data corruption. - - - - - Socket options @@ -226,55 +140,6 @@ In most cases the default is the best option. - -Locking - - -By default Samba does not implement strict locking on each read/write -call (although it did in previous versions). If you enable strict -locking (using "strict locking = yes") then you may find that you -suffer a severe performance hit on some systems. - - - -The performance hit will probably be greater on NFS mounted -filesystems, but could be quite high even on local disks. - - - - - -Share modes - - -Some people find that opening files is very slow. This is often -because of the "share modes" code needed to fully implement the dos -share modes stuff. You can disable this code using "share modes = -no". This will gain you a lot in opening and closing files but will -mean that (in some cases) the system won't force a second user of a -file to open the file read-only if the first has it open -read-write. For many applications that do their own locking this -doesn't matter, but for some it may. Most Windows applications -depend heavily on "share modes" working correctly and it is -recommended that the Samba share mode support be left at the -default of "on". - - - -The share mode code in Samba has been re-written in the 1.9.17 -release following tests with the Ziff-Davis NetBench PC Benchmarking -tool. It is now believed that Samba 1.9.17 implements share modes -similarly to Windows NT. - - - -NOTE: In the most recent versions of Samba there is an option to use -shared memory via mmap() to implement the share modes. This makes -things much faster. See the Makefile for how to enable this. - - - - Log level @@ -286,18 +151,6 @@ expensive. - -Wide lines - - -The "wide links" option is now enabled by default, but if you disable -it (for better security) then you may suffer a performance hit in -resolving filenames. The performance loss is lessened if you have -"getwd cache = yes", which is now the default. - - - - Read raw @@ -339,61 +192,6 @@ case you may wish to change this option. - -Read prediction - - -Samba can do read prediction on some of the SMB commands. Read -prediction means that Samba reads some extra data on the last file it -read while waiting for the next SMB command to arrive. It can then -respond more quickly when the next read request arrives. - - - -This is disabled by default. You can enable it by using "read -prediction = yes". - - - -Note that read prediction is only used on files that were opened read -only. - - - -Read prediction should particularly help for those silly clients (such -as "Write" under NT) which do lots of very small reads on a file. - - - -Samba will not read ahead more data than the amount specified in the -"read size" option. It always reads ahead on 1k block boundaries. - - - - - -Memory mapping - - -Samba supports reading files via memory mapping them. One some -machines this can give a large boost to performance, on others it -makes not difference at all, and on some it may reduce performance. - - - -To enable you you have to recompile Samba with the -DUSE_MMAP option -on the FLAGS line of the Makefile. - - - -Note that memory mapping is only used on files opened read only, and -is not used by the "read raw" operation. Thus you may find memory -mapping is more effective if you disable "read raw" using "read raw = -no". - - - - Slow Clients @@ -510,11 +308,12 @@ drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT. -FIXME + The figures are: Put Get P166 client 3Com card: 420-440kB/s 500-520kB/s P100 client 3Com card: 390-410kB/s 490-510kB/s DX4-75 client NE2000: 370-380kB/s 330-350kB/s + @@ -541,38 +340,5 @@ if it could get up to the rate of FTP the perfomance would be quite staggering. - - - -My Results - - -Some people want to see real numbers in a document like this, so here -they are. I have a 486sx33 client running WfWg 3.11 with the 3.11b -tcp/ip stack. It has a slow IDE drive and 20Mb of ram. It has a SMC -Elite-16 ISA bus ethernet card. The only WfWg tuning I've done is to -set DefaultRcvWindow in the [MSTCP] section of system.ini to 16384. My -server is a 486dx3-66 running Linux. It also has 20Mb of ram and a SMC -Elite-16 card. You can see my server config in the examples/tridge/ -subdirectory of the distribution. - - - -I get 490k/s on reading a 8Mb file with copy. -I get 441k/s writing the same file to the samba server. - - - -Of course, there's a lot more to benchmarks than 2 raw throughput -figures, but it gives you a ballpark figure. - - - -I've also tested Win95 and WinNT, and found WinNT gave me the best -speed as a samba client. The fastest client of all (for me) is -smbclient running on another linux box. Maybe I'll add those results -here someday ... - - diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index c307636d5f..1ff735a656 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -3,15 +3,17 @@ How to Install and Test SAMBA - Step 0: Read the man pages + Read the man pages The man pages distributed with SAMBA contain lots of useful info that will help to get you started. If you don't know how to read man pages then try something like: - $ nroff -man smbd.8 | more - + $ man smbd.8 + or + $ nroff -man smbd.8 | more + on older unixes. Other sources of information are pointed to by the Samba web site, @@ -19,7 +21,7 @@ - Step 1: Building the Binaries + Building the Binaries To do this, first run the program ./configure in the source directory. This should automatically @@ -62,7 +64,7 @@ - Step 2: The all important step + The all important step At this stage you must fetch yourself a coffee or other drink you find stimulating. Getting the rest @@ -74,7 +76,7 @@ - Step 3: Create the smb configuration file. + Create the smb configuration file. There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them @@ -91,7 +93,7 @@ [homes] guest ok = no read only = no - + which would allow connections by anyone with an account on the server, using either their login name or @@ -111,7 +113,7 @@ - Step 4: Test your config file with + <title>Test your config file with <command>testparm</command> It's important that you test the validity of your @@ -122,10 +124,13 @@ Make sure it runs OK and that the services look reasonable before proceeding. + Always run testparm again when you change + smb.conf! + - Step 5: Starting the smbd and nmbd + Starting the smbd and nmbd You must choose to start smbd and nmbd either as daemons or from inetd. Don't try @@ -144,7 +149,7 @@ request. - Step 5a: Starting from inetd.conf + Starting from inetd.conf NOTE; The following will be different if you use NIS or NIS+ to distributed services maps. @@ -196,7 +201,7 @@ - Step 5b. Alternative: starting it as a daemon + Alternative: starting it as a daemon To start the server as a daemon you should create a script something like this one, perhaps calling @@ -225,7 +230,7 @@ - Step 6: Try listing the shares available on your + <title>Try listing the shares available on your server $ smbclient -L @@ -245,7 +250,7 @@ - Step 7: Try connecting with the unix client + Try connecting with the unix client $ smbclient //yourhostname/aservice @@ -265,7 +270,7 @@ - Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, + <title>Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client Try mounting disks. eg: @@ -305,8 +310,8 @@ Diagnosing Problems - If you have installation problems then go to - DIAGNOSIS.txt to try to find the + If you have installation problems then go to the + Diagnosis chapter to try to find the problem. @@ -424,6 +429,8 @@ its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility modes called DENY_FCB and DENY_DOS. + + diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml index 35c9d40840..6e1609460f 100644 --- a/docs/docbook/projdoc/msdfs_setup.sgml +++ b/docs/docbook/projdoc/msdfs_setup.sgml @@ -11,8 +11,7 @@ - - 12 Jul 200 + 12 Jul 2000 diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml index 85ae0713b3..7bca8dc6f5 100644 --- a/docs/docbook/projdoc/printer_driver2.sgml +++ b/docs/docbook/projdoc/printer_driver2.sgml @@ -11,12 +11,16 @@ - - + + PatrickPowell + +
papowell@lprng.org
+ + (3 May 2001) -Printing Support in Samba 2.2.x +Printing Support Introduction @@ -59,12 +63,7 @@ SPOOLSS support includes: There has been some initial confusion about what all this means and whether or not it is a requirement for printer drivers to be installed on a Samba host in order to support printing from Windows -clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients -require that the Samba server possess a valid driver for the printer. -This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients -can use the local APW for installing drivers to be used with a Samba -served printer. This is the same behavior exhibited by Windows 9x clients. -As a side note, Samba does not use these drivers in any way to process +clients. As a side note, Samba does not use these drivers in any way to process spooled files. They are utilized entirely by the clients. @@ -104,16 +103,9 @@ parameter named printer driver provided a means of defining the printer driver name to be sent to the client. - - -These parameters, including printer driver -file parameter, are being deprecated and should not -be used in new installations. For more information on this change, -you should refer to the Migration section -of this document. - - + + Creating [print$] @@ -243,10 +235,8 @@ that matches the printer shares defined on your Samba host. The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned -to them. By default, in Samba 2.2.0 this driver name was set to -NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER. -Later versions changed this to a NULL string to allow the use -tof the local Add Printer Wizard on NT/2000 clients. +to them. This defaults to a NULL string to allow the use +of the local Add Printer Wizard on NT/2000 clients. Attempting to view the printer properties for a printer which has this default driver assigned will result in the error message: @@ -603,84 +593,6 @@ foreach (supported architecture for a given driver) - - -<anchor id="MIGRATION">Migration to from Samba 2.0.x to 2.2.x - - -Given that printer driver management has changed (we hope improved) in -2.2 over prior releases, migration from an existing setup to 2.2 can -follow several paths. Here are the possible scenarios for -migration: - - - - If you do not desire the new Windows NT - print driver support, nothing needs to be done. - All existing parameters work the same. - - If you want to take advantage of NT printer - driver support but do not want to migrate the - 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts - to locate a - 9x driver for the printer in the TDB and fails it - will drop down to using the printers.def (and all - associated parameters). The make_printerdef - tool will also remain for backwards compatibility but will - be removed in the next major release. - - If you install a Windows 9x driver for a printer - on your Samba host (in the printing TDB), this information will - take precedence and the three old printing parameters - will be ignored (including print driver location). - - If you want to migrate an existing printers.def - file into the new setup, the current only solution is to use the Windows - NT APW to install the NT drivers and the 9x drivers. This can be scripted - using smbclient and rpcclient. See the - Imprints installation client at http://imprints.sourceforge.net/ - for an example. - - - - - -Achtung! - - -The following smb.conf parameters are considered to -be deprecated and will be removed soon. Do not use them in new -installations - - - - printer driver file (G) - - - printer driver (S) - - - printer driver location (S) - - - - - - -The have been two new parameters add in Samba 2.2.2 to for -better support of Samba 2.0.x backwards capability (disable -spoolss) and for using local printers drivers on Windows -NT/2000 clients (use client driver). Both of -these options are described in the smb.coinf(5) man page and are -disabled by default. - - - - - - + +Diagnosis + + +Introduction + + +This is a short description of how to debug printing problems with +Samba. This describes how to debug problems with printing from a SMB +client to a Samba server, not the other way around. For the reverse +see the examples/printing directory. + + + +Ok, so you want to print to a Samba server from your PC. The first +thing you need to understand is that Samba does not actually do any +printing itself, it just acts as a middleman between your PC client +and your Unix printing subsystem. Samba receives the file from the PC +then passes the file to a external "print command". What print command +you use is up to you. + + + +The whole things is controlled using options in smb.conf. The most +relevant options (which you should look up in the smb.conf man page) +are: + + + + [global] + print command - send a file to a spooler + lpq command - get spool queue status + lprm command - remove a job + [printers] + path = /var/spool/lpd/samba + + + +The following are nice to know about: + + + + queuepause command - stop a printer or print queue + queueresume command - start a printer or print queue + + + +Example: + + + + print command = /usr/bin/lpr -r -P%p %s + lpq command = /usr/bin/lpq -P%p %s + lprm command = /usr/bin/lprm -P%p %j + queuepause command = /usr/sbin/lpc -P%p stop + queuepause command = /usr/sbin/lpc -P%p start + + + +Samba should set reasonable defaults for these depending on your +system type, but it isn't clairvoyant. It is not uncommon that you +have to tweak these for local conditions. The commands should +always have fully specified pathnames, as the smdb may not have +the correct PATH values. + + + +When you send a job to Samba to be printed, it will make a temporary +copy of it in the directory specified in the [printers] section. +and it should be periodically cleaned out. The lpr -r option +requests that the temporary copy be removed after printing; If +printing fails then you might find leftover files in this directory, +and it should be periodically cleaned out. Samba used the lpq +command to determine the "job number" assigned to your print job +by the spooler. + + + +The %>letter< are "macros" that get dynamically replaced with appropriate +values when they are used. The %s gets replaced with the name of the spool +file that Samba creates and the %p gets replaced with the name of the +printer. The %j gets replaced with the "job number" which comes from +the lpq output. + + + + + +Debugging printer problems + + +One way to debug printing problems is to start by replacing these +command with shell scripts that record the arguments and the contents +of the print file. A simple example of this kind of things might +be: + + + + print command = /tmp/saveprint %p %s + + #!/bin/saveprint + # we make sure that we are the right user + /usr/bin/id -p >/tmp/tmp.print + # we run the command and save the error messages + # replace the command with the one appropriate for your system + /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print + + + +Then you print a file and try removing it. You may find that the +print queue needs to be stopped in order to see the queue status +and remove the job: + + + + +h4: {42} % echo hi >/tmp/hi +h4: {43} % smbclient //localhost/lw4 +added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0 +Password: +Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7] +smb: \> print /tmp/hi +putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s) +smb: \> queue +1049 3 hi-17534 +smb: \> cancel 1049 +Error cancelling job 1049 : code 0 +smb: \> cancel 1049 +Job 1049 cancelled +smb: \> queue +smb: \> exit + + + +The 'code 0' indicates that the job was removed. The comment +by the smbclient is a bit misleading on this. +You can observe the command output and then and look at the +/tmp/tmp.print file to see what the results are. You can quickly +find out if the problem is with your printing system. Often people +have problems with their /etc/printcap file or permissions on +various print queues. + + + + +What printers do I have? + + +You can use the 'testprns' program to check to see if the printer +name you are using is recognized by Samba. For example, you can +use: + + + + testprns printer /etc/printcap + + + +Samba can get its printcap information from a file or from a program. +You can try the following to see the format of the extracted +information: + + + + testprns -a printer /etc/printcap + + testprns -a printer '|/bin/cat printcap' + + + + + +Setting up printcap and print servers + + +You may need to set up some printcaps for your Samba system to use. +It is strongly recommended that you use the facilities provided by +the print spooler to set up queues and printcap information. + + + +Samba requires either a printcap or program to deliver printcap +information. This printcap information has the format: + + + + name|alias1|alias2...:option=value:... + + + +For almost all printing systems, the printer 'name' must be composed +only of alphanumeric or underscore '_' characters. Some systems also +allow hyphens ('-') as well. An alias is an alternative name for the +printer, and an alias with a space in it is used as a 'comment' +about the printer. The printcap format optionally uses a \ at the end of lines +to extend the printcap to multiple lines. + + + +Here are some examples of printcap files: + + + + + +pr just printer name + + +pr|alias printer name and alias + + +pr|My Printer printer name, alias used as comment + + +pr:sh:\ Same as pr:sh:cm= testing + :cm= \ + testing + + +pr:sh Same as pr:sh:cm= testing + :cm= testing + + + + + +Samba reads the printcap information when first started. If you make +changes in the printcap information, then you must do the following: + + + + + +make sure that the print spooler is aware of these changes. +The LPRng system uses the 'lpc reread' command to do this. + + + +make sure that the spool queues, etc., exist and have the +correct permissions. The LPRng system uses the 'checkpc -f' +command to do this. + + + +You now should send a SIGHUP signal to the smbd server to have +it reread the printcap information. + + + + + + +Job sent, no output + + +This is the most frustrating part of printing. You may have sent the +job, verified that the job was forwarded, set up a wrapper around +the command to send the file, but there was no output from the printer. + + + +First, check to make sure that the job REALLY is getting to the +right print queue. If you are using a BSD or LPRng print spooler, +you can temporarily stop the printing of jobs. Jobs can still be +submitted, but they will not be printed. Use: + + + + lpc -Pprinter stop + + + +Now submit a print job and then use 'lpq -Pprinter' to see if the +job is in the print queue. If it is not in the print queue then +you will have to find out why it is not being accepted for printing. + + + +Next, you may want to check to see what the format of the job really +was. With the assistance of the system administrator you can view +the submitted jobs files. You may be surprised to find that these +are not in what you would expect to call a printable format. +You can use the UNIX 'file' utitily to determine what the job +format actually is: + + + + cd /var/spool/lpd/printer # spool directory of print jobs + ls # find job files + file dfA001myhost + + + +You should make sure that your printer supports this format OR that +your system administrator has installed a 'print filter' that will +convert the file to a format appropriate for your printer. + + + + + +Job sent, strange output + + +Once you have the job printing, you can then start worrying about +making it print nicely. + + + +The most common problem is extra pages of output: banner pages +OR blank pages at the end. + + + +If you are getting banner pages, check and make sure that the +printcap option or printer option is configured for no banners. +If you have a printcap, this is the :sh (suppress header or banner +page) option. You should have the following in your printer. + + + + printer: ... :sh + + + +If you have this option and are still getting banner pages, there +is a strong chance that your printer is generating them for you +automatically. You should make sure that banner printing is disabled +for the printer. This usually requires using the printer setup software +or procedures supplied by the printer manufacturer. + + + +If you get an extra page of output, this could be due to problems +with your job format, or if you are generating PostScript jobs, +incorrect setting on your printer driver on the MicroSoft client. +For example, under Win95 there is a option: + + + + Printers|Printer Name|(Right Click)Properties|Postscript|Advanced| + + + +that allows you to choose if a Ctrl-D is appended to all jobs. +This is a very bad thing to do, as most spooling systems will +automatically add a ^D to the end of the job if it is detected as +PostScript. The multiple ^D may cause an additional page of output. + + + + + +Raw PostScript printed + + +This is a problem that is usually caused by either the print spooling +system putting information at the start of the print job that makes +the printer think the job is a text file, or your printer simply +does not support PostScript. You may need to enable 'Automatic +Format Detection' on your printer. + + + + + +Advanced Printing + + +Note that you can do some pretty magic things by using your +imagination with the "print command" option and some shell scripts. +Doing print accounting is easy by passing the %U option to a print +command shell script. You could even make the print command detect +the type of output and its size and send it to an appropriate +printer. + + + + + +Real debugging + + +If the above debug tips don't help, then maybe you need to bring in +the bug guns, system tracing. See Tracing.txt in this directory. + + + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index f20849edbf..286749289c 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -13,7 +13,6 @@ - @@ -23,6 +22,10 @@ + + + + ]> @@ -40,7 +43,7 @@ Abstract -Last Update : Thu Aug 15 12:48:45 CDT 2002 +Last Update : $Date: 2002/11/22 00:32:23 $ @@ -49,7 +52,8 @@ I try to ensure that all are current, but sometimes the is a larger job than one person can maintain. The most recent version of this document can be found at http://www.samba.org/ on the "Documentation" page. Please send updates to jerry@samba.org. +url="mailto:jerry@samba.org">jerry@samba.org or +jelmer@samba.org. @@ -66,30 +70,65 @@ Cheers, jerry + +General installation + +Introduction +This part contains general info on how to install samba +and how to configure the parts of samba you will most likely need. +PLEASE read this. + &UNIX-INSTALL; +&BROWSING; +&oplocks; +&BROWSING-Quick; +&ENCRYPTION; + + + +Type of installation + +Introduction + +Samba can operate in various SMB networks. This part contains information on configuring samba +for various environments. + + +&SECURITY-LEVEL; +&Samba-PDC-HOWTO; +&Samba-BDC-HOWTO; +&ADS-HOWTO; +&DOMAIN-MEMBER; + + + +Optional configuration + +Introduction +Samba has several features that you might want or might not want to use. The chapters in this +part each cover one specific feature. + &IntegratingWithWindows; +&NT-Security; &Samba-PAM; &MS-Dfs-Setup; -&NT-Security; &PRINTER-DRIVER2; -&PRINTING; -&SECURITY-LEVEL; -&DOMAIN-MEMBER; &WINBIND; -&Samba-PDC-HOWTO; -&Samba-BDC-HOWTO; +&pdb-mysql; +&pdb-xml; +&VFS; &Samba-LDAP; -&ADS-HOWTO; -&BROWSING; -&BROWSING-Quick; -&SPEED; &CVS-Access; -&BUGS; &GROUP-MAPPING-HOWTO; +&SPEED; + - + +Appendixes &Portability; &Other-Clients; +&BUGS; &Diagnosis; + diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index efe2b6eaf3..e2d9cfbbaa 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -9,40 +9,7 @@ -Security levels - - -Introduction - - -Samba supports the following options to the global smb.conf parameter - - - -[global] -security = [share|user(default)|domain|ads] - - - -Please refer to the smb.conf man page for usage information and to the document -DOMAIN_MEMBER.html for further background details -on domain mode security. The Windows 2000 Kerberos domain security model -(security = ads) is described in the ADS-HOWTO.html. - - - -Of the above, "security = server" means that Samba reports to clients that -it is running in "user mode" but actually passes off all authentication -requests to another "user mode" server. This requires an additional -parameter "password server =" that points to the real authentication server. -That real authentication server can be another Samba server or can be a -Windows NT server, the later natively capable of encrypted password support. - - - - - -More complete description of security levels +User and Share security level (for servers not in a domain) A SMB server tells the client at startup what "security level" it is @@ -136,5 +103,14 @@ cryptographically impossible to translate from unix style encryption to SMB style encryption, although there are some fairly simple management schemes by which the two could be kept in sync. - + + +"security = server" means that Samba reports to clients that +it is running in "user mode" but actually passes off all authentication +requests to another "user mode" server. This requires an additional +parameter "password server =" that points to the real authentication server. +That real authentication server can be another Samba server or can be a +Windows NT server, the later natively capable of encrypted password support. + + diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index b045a26db6..d2bfb8ab67 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -412,7 +412,7 @@ you get frustrated with the way things are going. ;-) -The latest version of SAMBA (version 2.2.2 as of this writing), now +The latest version of SAMBA (version 3.0 as of this writing), now includes a functioning winbindd daemon. Please refer to the main SAMBA web page or, better yet, your closest SAMBA mirror site for instructions on -- cgit