From 837191626111e84c0fb27b5052d21ab29b6e41a6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 23 Feb 2001 02:33:34 +0000 Subject: add a few, fix a few, add a few, fix a few... (This used to be commit 5ffb96527ef3bf9f271633a219dcaa02471e4e80) --- docs/docbook/manpages/nmblookup.1.sgml | 4 +- docs/docbook/manpages/smbspool.8.sgml | 5 +- docs/docbook/manpages/smbtar.1.sgml | 226 +++++++++++++++ docs/docbook/manpages/swat.8.sgml | 147 +++++----- docs/docbook/manpages/winbindd.8.sgml | 502 +++++++++++++++++++++++++++++++++ 5 files changed, 809 insertions(+), 75 deletions(-) create mode 100644 docs/docbook/manpages/smbtar.1.sgml create mode 100644 docs/docbook/manpages/winbindd.8.sgml (limited to 'docs') diff --git a/docs/docbook/manpages/nmblookup.1.sgml b/docs/docbook/manpages/nmblookup.1.sgml index 40b9a1a8be..ee81d2b4e8 100644 --- a/docs/docbook/manpages/nmblookup.1.sgml +++ b/docs/docbook/manpages/nmblookup.1.sgml @@ -1,5 +1,5 @@ - + nmblookup @@ -15,7 +15,7 @@ - findsmb + nmblookup -M -R -S diff --git a/docs/docbook/manpages/smbspool.8.sgml b/docs/docbook/manpages/smbspool.8.sgml index b16f925597..b847aadd05 100644 --- a/docs/docbook/manpages/smbspool.8.sgml +++ b/docs/docbook/manpages/smbspool.8.sgml @@ -103,9 +103,8 @@ SEE ALSO - nmbd(8), - samba(7), and smb.conf(5) + smbd(8), + and samba(7). diff --git a/docs/docbook/manpages/smbtar.1.sgml b/docs/docbook/manpages/smbtar.1.sgml new file mode 100644 index 0000000000..4e2ee5fff0 --- /dev/null +++ b/docs/docbook/manpages/smbtar.1.sgml 
@@ -0,0 +1,226 @@ + + + + + smbtar + 1 + + + + + smbtar + shell script for backing up SMB/CIFS shares + directly to UNIX tape drives + + + + + smbtar + -s server + -p password + -x services + -X + -d directory + -u user + -t tape + -t tape + -b blocksize + -N filename + -i + -r + -l loglevel + -v + filenames + + + + + DESCRIPTION + + This tool is part of the + Samba suite. + + smbtar is a very small shell script on top + of smbclient(1) + which dumps SMB shares directly to tape. + + + + OPTIONS + + + + -s server + The SMB/CIFS server that the share resides + upon. + + + + + -x service + The share name on the server to connect to. + The default is "backup". + + + + + -X + Exclude mode. Exclude filenames... from tar + create or restore. + + + + + + -d directory + Change to initial directory + before restoring / backing up files. + + + + + + -v + Verbose mode. + + + + + + -p password + The password to use to access a share. + Default: none + + + + + -u user + The user id to connect as. Default: + UNIX login name. + + + + + + -t tape + Tape device. May be regular file or tape + device. Default: $TAPE environmental + variable; if not set, a file called tar.out + . + + + + + -b blocksize + Blocking factor. Defaults to 20. See + tar(1) for a fuller explanation. + + + + + -N filename + Backup only files newer than filename. Could + be used (for example) on a log file to implement incremental + backups. + + + + + -i + Incremental mode; tar files are only backed + up if they have the archive bit set. The archive bit is reset + after each file is read. + + + + + -r + Restore. Files are restored to the share + from the tar file. + + + + + + -l log level + Log (debug) level. Corresponds to the + -d flag of smbclient(1) + . + + + + + + + ENVIRONMENT VARIABLES + + The $TAPE variable specifies the + default tape device to write to. May be overridden + with the -t option. + + + + + BUGS + + The smbtar script has different + options from ordinary tar and tar called from smbclient. 
+ + + + + CAVEATS + + Sites that are more careful about security may not like + the way the script handles PC passwords. Backup and restore work + on entire shares, should work on file lists. smbtar works best + with GNU tar and may not work well with other versions. + + + + + DIAGNOSTICS + + See the DIAGNOSTICS section for the + smbclient(1) + command. + + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. + + + + SEE ALSO + smbd(8), + smbclient(1), + smb.conf(5), + + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + Ricky Poulten + wrote the tar extension and this man page. The smbtar + script was heavily rewritten and improved by Martin Kraemer. Many + thanks to everyone who suggested extensions, improvements, bug + fixes, etc. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. + + + diff --git a/docs/docbook/manpages/swat.8.sgml b/docs/docbook/manpages/swat.8.sgml index 7d9540418e..aeff886de8 100644 --- a/docs/docbook/manpages/swat.8.sgml +++ b/docs/docbook/manpages/swat.8.sgml @@ -67,103 +67,110 @@ + -Installation - -After -you compile SWAT you need to run "make install" -to install the swat binary -and the various help files and images. A default install would put these -in: - - - -
-
-/usr/local/samba/bin/swat
-/usr/local/samba/swat/images/*
-/usr/local/samba/swat/help/*
-
- - -
- -Inetd Installation - -You need to edit your CW/etc/inetd.conf and CW/etc/services -to enable SWAT to be launched via inetd. - -In CW/etc/services you need to -add a line like this: - -CWswat 901/tcp - -Note for NIS/YP users - -you may need to rebuild the NIS service maps rather than alter your local -CW/etc/services file. - -the choice of port number isn't really important except -that it should be less than 1024 and not currently used (using a number -above 1024 presents an obscure security hole depending on the implementation -details of your inetd daemon). + -In CW/etc/inetd.conf you should add a line -like this: + INSTALLATION -CWswat stream tcp nowait.400 root /usr/local/samba/bin/swat -swat + After you compile SWAT you need to run make install + to install the swat binary + and the various help files and images. A default install would put + these in: + + + /usr/local/samba/bin/swat + /usr/local/samba/swat/images/* + /usr/local/samba/swat/help/* + -One you have edited CW/etc/services and CW/etc/inetd.conf you need -to send a HUP signal to inetd. To do this use CW"kill -1 PID" where PID is -the process ID of the inetd daemon. + + Inetd Installation - + You need to edit your /etc/inetd.conf + and /etc/services + to enable SWAT to be launched via inetd. -Launching + In /etc/services you need to + add a line like this: -To launch swat just run your -favorite web browser and point it at CWhttp://localhost:901/. + swat 901/tcp -Note that -you can attach to swat from any IP connected machine but connecting from -a remote machine leaves your connection open to password sniffing as passwords -will be sent in the clear over the wire. + Note for NIS/YP users - you may need to rebuild the + NIS service maps rather than alter your local + /etc/services file. 
- + the choice of port number isn't really important + except that it should be less than 1024 and not currently + used (using a number above 1024 presents an obscure security + hole depending on the implementation details of your + inetd daemon). -Files + In /etc/inetd.conf you should + add a line like this: -/etc/inetd.conf + swat stream tcp nowait.400 root + /usr/local/samba/bin/swat swat + + One you have edited /etc/services + and /etc/inetd.conf you need to send a + HUP signal to inetd. To do this use kill -1 PID + where PID is the process ID of the inetd daemon. -This file must -contain suitable startup information for the meta-daemon. + -/etc/services + + Launching -This file must contain a mapping of service name (e.g., swat) to service -port (e.g., 901) and protocol type (e.g., tcp). + To launch swat just run your favorite web browser and + point it at "http://localhost:901/". -/usr/local/samba/lib/smb.conf + Note that you can attach to swat from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire. + + + + FILES + + + + /etc/inetd.conf + This file must contain suitable startup + information for the meta-daemon. + -This is the default location of the smb.conf server configuration file that -swat edits. Other common places that systems install this file are /usr/samba/lib/smb.conf -and /etc/smb.conf. + + /etc/services + This file must contain a mapping of service name + (e.g., swat) to service port (e.g., 901) and protocol type + (e.g., tcp). + -This file describes all the services the server is to -make available to clients. See smb.conf (5) for more information. + + /usr/local/samba/lib/smb.conf + This is the default location of the smb.conf(5) + server configuration file that swat edits. Other + common places that systems install this file are + /usr/samba/lib/smb.conf and /etc/smb.conf + . 
This file describes all the services the server + is to make available to clients. + + + - - WANRNIGS + WARNINGS swat will rewrite your smb.conf file. It will rearrange the entries and delete all comments, include= and copy=" options. If you have a carefully crafted - smb.conf then back it up or don't use swat! + smb.conf then back it up or don't use swat! diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml new file mode 100644 index 0000000000..5b53e504cd --- /dev/null +++ b/docs/docbook/manpages/winbindd.8.sgml 
@@ -0,0 +1,502 @@ + + + + + winbindd + 8 + + + + + winbindd + Name Service Switch daemon for resolving names + from NT servers + + + + + nmblookup + -d debuglevel + -i + -S + -r + -A + -h + -B <broadcast address> + -U <unicast address> + -d <debug level> + -s <smb config file> + -i <NetBIOS scope> + -T + name + + + + + DESCRIPTION + + This tool is part of the + Samba suite version 3.0 and describes functionality not + yet implemented in the main version of Samba. + + winbindd is a daemon that provides + a service for the Name Service Switch capability that is present + in most modern C libraries. The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the /etc/nsswitch.conf file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system. + + The service provided by winbindd is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module. + + The following nsswitch databases are implemented by + the winbindd service: + + + + passwd + User information traditionally stored in + the passwd(5) file and used by + getpwent(3) functions. + + + + group + Group information traditionally stored in + the group(5) file and used by + getgrent(3) functions. + + + + For example, the following simple configuration in the + /etc/nsswitch.conf file can be used to initially + resolve user and group information from /etc/passwd + and /etc/group and then from the + Windows NT server. + + +passwd: files winbind +group: files winbind + + + + + + OPTIONS + + + + -d debuglevel + Sets the debuglevel to an integer between + 0 and 100. 0 is for no debugging and 100 is for reams and + reams. 
To submit a bug report to the Samba Team, use debug + level 100 (see BUGS.txt). + + + + -i + Tells winbindd to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of winbindd is required. + + + + + + + NAME AND ID RESOLUTION + + Users and groups on a Windows NT server are assigned + a relative id (rid) which is unique for the domain when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between rids and unix user + and group ids is required. This is one of the jobs that + winbindd performs. + + As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database file under the Samba lock directory and will be + remembered. + + WARNING: The rid to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + file is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids. + + + + + CONFIGURATION + + Configuration of the winbindd daemon + is done through configuration parameters in the smb.conf(5) + file. All parameters should be specified in the + [global] section of smb.conf. + + + + winbind separator + The winbind separator option allows you + to specify how NT domain names and user names are combined + into unix user names when presented to users. By default, + winbindd will use the traditional '\' + separator so that the unix user names look like + DOMAIN\username. In some cases this separator character may + cause problems as the '\' character has special meaning in + unix shells. 
In that case you can use the winbind separator + option to specify an alternative sepataror character. Good + alternatives may be '/' (although that conflicts + with the unix directory separator) or a '+ 'character. + The '+' character appears to be the best choice for 100% + compatibility with existing unix utilities, but may be an + aesthetically bad choice depending on your taste. + + Default: winbind separator = \ + + Example: winbind separator = + + + + + + winbind uid + The winbind uid parameter specifies the + range of user ids that are allocated by the winbindd daemon. + This range of ids should have no existing local or nis users + within it as strange conflicts can occur otherwise. + + Default: winbind uid = <empty string> + + Example: winbind uid = 10000-20000 + + + + + + winbind gid + The winbind gid parameter specifies the + range of group ids that are allocated by the winbindd daemon. + This range of group ids should have no existing local or nis + groups within it as strange conflicts can occur otherwise. + + Default: winbind gid = <empty string> + + Example: winbind gid = 10000-20000 + + + + + + winbind cache time + This parameter specifies the number of + seconds the winbindd daemon will cache user and group information + before querying a Windows NT server again. When a item in the + cache is older than this time winbindd will ask the domain + controller for the sequence number of the servers account database. + If the sequence number has not changed then the cached item is + marked as valid for a further winbind cache time + seconds. Otherwise the item is fetched from the + server. This means that as long as the account database is not + actively changing winbindd will only have to send one sequence + number query packet every winbind cache time + seconds. 
+ + Default: winbind cache time = 15 + + + + + winbind enum users + On large installations it may be necessary + to suppress the enumeration of users through the + setpwent(), getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is false, + calls to the getpwent system call will not + return any data. + + Warning: Turning off user enumeration + may cause some programs to behave oddly. For example, the finger + program relies on having access to the full user list when + searching for matching usernames. + + Default: winbind enum users = yes + + + + + winbind enum groups + On large installations it may be necessary + to suppress the enumeration of groups through the + setgrent(), getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + false, calls to the getgrent() system + call will not return any data. + + Warning: Turning off group + enumeration may cause some programs to behave oddly. + + + Default: winbind enum groups = no + + + + + + + template homedir + When filling out the user information + for a Windows NT user, the winbindd daemon + uses this parameter to fill in the home directory for that user. + If the string %D is present it is + substituted with the user's Windows NT domain name. If the + string %U is present it is substituted + with the user's Windows NT user name. + + Default: template homedir = /home/%D/%U + + + + + + template shell + When filling out the user information for + a Windows NT user, the winbindd daemon + uses this parameter to fill in the shell for that user. + + + Default: template shell = /bin/false + + + + + + + + EXAMPLE SETUP + + To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on a RedHat 6.2 Linux box. 
+ + In /etc/nsswitch.conf put the + following: + + +passwd: files winbind +group: files winbind + + + In /etc/pam.d/* replace the + auth lines with something like this: + + + +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_nologin.so +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok + + + + Note in particular the use of the sufficient + keyword and the use_first_pass keyword. + + Now replace the account lines with this: + + account required /lib/security/pam_winbind.so + + + The next step is to join the domain. To do that use the + samedit program like this: + + samedit -S '*' -W DOMAIN -UAdministrator + + The username after the -U can be any Domain + user that has administrator priviliges on the machine. Next from + within samedit, run the command: + + createuser MACHINE$ -j DOMAIN -L + + This assumes your domain is called "DOMAIN" and your Samba + workstation is called "MACHINE". + + Next copy libnss_winbind.so.2 to + /lib and pam_winbind.so + to /lib/security. + + Finally, setup a smb.conf containing directives like the + following: + + +[global] + winbind separator = + + winbind cache time = 10 + template shell = /bin/bash + template homedir = /home/%D/%U + winbind uid = 10000-20000 + winbind gid = 10000-20000 + workgroup = DOMAIN + security = domain + password server = * + + + + Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd. + + + + + Notes + + The following notes are useful when configuring and + running winbindd: + + nmbd must be running on the local machine + for winbindd to work. 
winbindd + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running + winbindd to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal. + + Client processes resolving names through the winbindd + nsswitch module read an environment variable named + $WINBINDD_DOMAIN. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains. + + PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system. + + If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine. + + If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost. + + + + + Signals + + The following signals can be used to manipulate the + winbindd daemon. + + + + SIGHUP + Reload the smb.conf(5) + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded. + + + + SIGUSR1 + The SIGUSR1 signal will cause + winbindd to write status information to the winbind + log file including information about the number of user and + group ids allocated by winbindd. + + Log files are stored in the filename specified by the + log file parameter. + + + + + + Files + + + + /etc/nsswitch.conf(5) + Name service switch configuration file. + + + + + /tmp/.winbindd/pipe + The UNIX pipe over which clients communicate with + the winbindd program. 
For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root. + + + + /lib/libnss_winbind.so.X + Implementation of name service switch library. + + + + + $LOCKDIR/winbindd_idmap.tdb + Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks + . + + + + $LOCKDIR/winbindd_cache.tdb + Storage for cached user and group information. + + + + + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet. + + + + SEE ALSO + + nsswitch.conf(5), + samba(7), + wbinfo(1), + smb.conf(5) + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + wbinfo and winbindd + were written by Tim Potter. + + The conversion to DocBook for Samba 2.2 was done + by Gerald Carter + + + -- cgit
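
Review bot: In the SEE ALSO hunk of smbspool.8.sgml, the replacement drops both nmbd(8) and smb.conf(5) and adds smbd(8), and the commit message gives no reason for removing them. If the removal of smb.conf(5) is not intentional, keep it in the list; the other new pages in this patch (smbtar.1.sgml, winbindd.8.sgml) both still reference it.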
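
Review bot: In the CAVEATS section of the new smbtar.1.sgml, "may not like the way the script handles PC passwords" does not tell the reader what the exposure is. The only password handling the page documents is "-p password", that is, the password given as a command-line argument, so CAVEATS should say that plainly and note that command-line arguments are typically visible to other local users through the process list. Smaller points in the same hunk: the synopsis lists "-t tape" twice, it uses "-x services" and "-l loglevel" where OPTIONS has "-x service" and "-l log level", and SEE ALSO ends on a trailing comma after smb.conf(5).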
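
Review bot: In the swat.8.sgml hunk, the cleartext-password warning ("connecting from a remote machine leaves your connection open to password sniffing") stays under Launching, while the WARNINGS section only covers the smb.conf rewrite. Since the inetd.conf line in this hunk starts swat as root and the text says it can be reached "from any IP connected machine", the sniffing warning should be repeated or moved under WARNINGS where an administrator will look for it. The converted text also carries over defects from the old page that are worth fixing while the markup is being redone: "One you have edited" should read "Once you have edited", the sentence beginning "the choice of port number" starts in lower case, and the WARNINGS paragraph has a stray quote in 'copy="'.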
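
Review bot: In the new winbindd.8.sgml, the synopsis block is copied from nmblookup: the command name reads "nmblookup" and the option list includes -S, -r, -A, -h, -B, -U, -s, -T and a trailing "name", with -d and -i each appearing twice (the second -i as "-i <NetBIOS scope>", which contradicts the OPTIONS entry where -i keeps winbindd from becoming a daemon). OPTIONS documents only "-d debuglevel" and "-i", so the synopsis should be reduced to winbindd with those two options. Other points in the same hunk: DESCRIPTION says the tool is part of "Samba suite version 3.0" while VERSION says the page is "correct for version 2.2"; "winbind enum groups" has Default "no" while "winbind enum users" has Default "yes", although both entries describe enumeration as something to be suppressed only on large installations, so one of the defaults looks wrong; the EXAMPLE SETUP auth stack places pam_winbind.so as "sufficient" ahead of a pam_pwdb.so line carrying "nullok", and the page notes the use of "sufficient" and "use_first_pass" without explaining the effect, which deserves a sentence given the page's own remark that PAM is easy to misconfigure; and there are typos at "throught", "sepataror", "priviliges" and "If the the".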