From e3fc10eab22443376ac3312447874607810dbc6b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 19 Apr 2001 21:30:20 +0000 Subject: syncing up with 2.2 (This used to be commit dd83f412e9c60c02bf1d5e11a13a6122c71375ca) --- docs/textdocs/DOMAIN_CONTROL.txt | 121 ----- docs/textdocs/DOMAIN_MEMBER.txt | 151 ------ docs/textdocs/ENCRYPTION.txt | 331 -------------- docs/textdocs/NT_Security.txt | 304 ------------ docs/textdocs/PRINTER_DRIVER2.txt | 332 -------------- docs/textdocs/UNIX_INSTALL.txt | 332 -------------- docs/textdocs/samba-pdc-faq.txt | 939 -------------------------------------- docs/textdocs/samba-pdc-howto.txt | 712 ----------------------------- 8 files changed, 3222 deletions(-) delete mode 100644 docs/textdocs/DOMAIN_CONTROL.txt delete mode 100644 docs/textdocs/DOMAIN_MEMBER.txt delete mode 100644 docs/textdocs/ENCRYPTION.txt delete mode 100644 docs/textdocs/NT_Security.txt delete mode 100644 docs/textdocs/PRINTER_DRIVER2.txt delete mode 100644 docs/textdocs/UNIX_INSTALL.txt delete mode 100644 docs/textdocs/samba-pdc-faq.txt delete mode 100644 docs/textdocs/samba-pdc-howto.txt (limited to 'docs') diff --git a/docs/textdocs/DOMAIN_CONTROL.txt b/docs/textdocs/DOMAIN_CONTROL.txt deleted file mode 100644 index dd4afa3475..0000000000 --- a/docs/textdocs/DOMAIN_CONTROL.txt +++ /dev/null @@ -1,121 +0,0 @@ -!== -!== DOMAIN_CONTROL.txt for Samba release 2.0.4 18 May 1999 -!== -Initial Release: August 22, 1996 -Contributor: John H Terpstra - Copyright (C) 1996-1997 - John H Terpstra -Updated: July 5, 1998 -Status: Current - -Subject: Windows NT Domain Control & Samba -============================================================================ - -****NOTE:**** -============= -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM. - -Microsoft Windows NT Domain Control is an extremely complex protocol. -We have received countless requests to implement Domain Control in Samba. -The 1.9.18 release of Samba contains experimental code to implement -this. Please read the file docs/NTDOMAIN.txt for more information on this. -============================================================================ - -Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller). - -The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT. -However only those servers which have licenced Windows NT code in them can be -a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.) - -To many people these terms can be confusing, so let's try to clear the air. - -Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialisation information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system. - -The registry files can be located on any Windows NT machine by opening a -command prompt and typing: - dir %SystemRoot%\System32\config - -The environment variable %SystemRoot% value can be obtained by typing: - echo %SystemRoot% - -The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security. - -In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each. - -The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do. - -The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on. - -Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers. - -The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (ie: to ensure that the service action a user has -requested is permitted within the limits of that user's privileges). - -The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems. - -Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. At most every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC). - -The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry. - -Samba can NOT at this time function as a Domain Controller for any of these -security services, but like all other domain members can interact with the -Windows NT security system for all access authentication. - -When Samba is configured with the 'security = server' option and the -'password server = Your_Windows_NT_Server_Name' option, then it will -redirect all access authentication to that server. This way you can -use Windows NT to act as your password server with full support for -Microsoft encrypted passwords. - -Note also, that since release of samba-1.9.18 we now support native encrypted -passwords too. To enable encrypted password handling several things need to be -done: - 1) In smb.conf [globals]: - encrypt passwords = yes - smbpasswd file = /path/smbpasswd -the standard path is /usr/local/samba/private/smbpasswd but this may be -platform specific. - - 2) Use "smbpasswd -a" to add all users to the smbpasswd file. - -Above all read all the documentation for encrypted password support - you will -need it! diff --git a/docs/textdocs/DOMAIN_MEMBER.txt b/docs/textdocs/DOMAIN_MEMBER.txt deleted file mode 100644 index d58a8bc099..0000000000 --- a/docs/textdocs/DOMAIN_MEMBER.txt +++ /dev/null @@ -1,151 +0,0 @@ - -TITLE INFORMATION: Joining an NT Domain with Samba 2.0 -AUTHOR INFORMATION: Jeremy Allison, Samba Team -DATE INFORMATION: 7th October 1999 - -Table of Contents - -Joining an NT Domain with Samba 2.0 ------------------------------------ - -In order for a Samba-2 server to join an NT domain, you must first add -the NetBIOS name of the Samba server to the NT domain on the PDC using -Server Manager for Domains. This creates the machine account in the -domain (PDC) SAM. Note that you should add the Samba server as a "Windows -NT Workstation or Server", NOT as a Primary or backup domain controller. - -Assume you have a Samba-2 server with a NetBIOS name of SERV1 and are -joining an NT domain called DOM, which has a PDC with a NetBIOS name -of DOMPDC and two backup domain controllers with NetBIOS names DOMBDC1 -and DOMBDC2. - -In order to join the domain, first stop all Samba daemons and run the -command - -smbpasswd -j DOM -r DOMPDC - -as we are joining the domain DOM and the PDC for that domain (the only -machine that has write access to the domain SAM database) is DOMPDC. If this is -successful you will see the message: - -smbpasswd: Joined domain DOM. - -in your terminal window. See the smbpasswd -man page for more details. - -This command goes through the machine account password change -protocol, then writes the new (random) machine account password for -this Samba server into a file in the same directory in which an -smbpasswd file would be stored - normally : - -/usr/local/samba/private - -The filename looks like this: - -..mac - -The .mac suffix stands for machine account password file. So in -our example above, the file would be called: - -DOM.SERV1.mac - -This file is created and owned by root and is not readable by any -other user. It is the key to the domain-level security for your -system, and should be treated as carefully as a shadow password file. - -Now, before restarting the Samba daemons you must edit your -smb.conf file to tell Samba it should now -use domain security. - -Change (or add) your - -"security =" - -line in the [global] section of your -smb.conf to read: - -security = domain - -Next change the - -"workgroup =" - -line in the [global] section to read: - -workgroup = DOM - -as this is the name of the domain we are joining. - -You must also have the parameter "encrypt passwords" -set to "yes" in order for your users to authenticate to the -NT PDC. - -Finally, add (or modify) a: - -"password server =" - -line in the [global] section to read: - -password server = DOMPDC DOMBDC1 DOMBDC2 - -These are the primary and backup domain controllers Samba will attempt -to contact in order to authenticate users. Samba will try to contact -each of these servers in order, so you may want to rearrange this list -in order to spread out the authentication load among domain -controllers. - -Alternatively, if you want smbd to automatically determine the -list of Domain controllers to use for authentication, you may set this line to be : - -password server = * - -This method, which is new in Samba 2.0.6 and above, allows Samba -to use exactly the same mechanism that NT does. This method either broadcasts or -uses a WINS database in order to find domain controllers to -authenticate against. - -Finally, restart your Samba daemons and get ready for clients to begin -using domain security! - -Why is this better than security = server? ------------------------------------------- - -Currently, domain security in Samba doesn't free you from having to -create local Unix users to represent the users attaching to your -server. This means that if domain user DOM\fred attaches to your -domain security Samba server, there needs to be a local Unix user fred -to represent that user in the Unix filesystem. This is very similar to -the older Samba security mode "security=server", where Samba would pass -through the authentication request to a Windows NT server in the same -way as a Windows 95 or Windows 98 server would. - -The advantage to domain-level security is that the authentication in -domain-level security is passed down the authenticated RPC channel in -exactly the same way that an NT server would do it. This means Samba -servers now participate in domain trust relationships in exactly the -same way NT servers do (i.e., you can add Samba servers into a -resource domain and have the authentication passed on from a resource -domain PDC to an account domain PDC. - -In addition, with "security=server" every Samba daemon on a -server has to keep a connection open to the authenticating server for -as long as that daemon lasts. This can drain the connection resources -on a Microsoft NT server and cause it to run out of available -connections. With "security =domain", however, the Samba -daemons connect to the PDC/BDC only for as long as is necessary to -authenticate the user, and then drop the connection, thus conserving -PDC connection resources. - -And finally, acting in the same manner as an NT server authenticating -to a PDC means that as part of the authentication reply, the Samba -server gets the user identification information such as the user SID, -the list of NT groups the user belongs to, etc. All this information -will allow Samba to be extended in the future into a mode the -developers currently call appliance mode. In this mode, no local Unix -users will be necessary, and Samba will generate Unix uids and gids -from the information passed back from the PDC when a user is -authenticated, making a Samba server truly plug and play in an NT -domain environment. Watch for this code soon. - -NOTE: Much of the text of this document was first published in the -Web magazine "LinuxWorld" as the article "Doing the NIS/NT Samba". diff --git a/docs/textdocs/ENCRYPTION.txt b/docs/textdocs/ENCRYPTION.txt deleted file mode 100644 index 89f30b0d53..0000000000 --- a/docs/textdocs/ENCRYPTION.txt +++ /dev/null @@ -1,331 +0,0 @@ -!== -!== ENCRYPTION.txt for Samba release 2.0.5a 22 Jul 1999 -!== -Contributor: Jeremy Allison -Updated: April 19, 1999 -Note: Please refer to WinNT.txt also - -Subject: LanManager / Samba Password Encryption. -============================================================================ - -With the development of LanManager and Windows NT compatible password -encryption for Samba, it is now able to validate user connections in -exactly the same way as a LanManager or Windows NT server. - -This document describes how the SMB password encryption algorithm -works and what issues there are in choosing whether you want to use -it. You should read it carefully, especially the part about security -and the "PROS and CONS" section. - -How does it work ? ------------------- - -LanManager encryption is somewhat similar to UNIX password -encryption. The server uses a file containing a hashed value of a -user's password. This is created by taking the user's plaintext -password, capitalising it, and either truncating to 14 bytes (or -padding to 14 bytes with null bytes). This 14 byte value is used as -two 56 bit DES keys to encrypt a 'magic' eight byte value, forming a -16 byte value which is stored by the server and client. Let this value -be known as the *hashed password*. - -Windows NT encryption is a higher quality mechanism, consisting -of doing an MD4 hash on a Unicode version of the user's password. This -also produces a 16 byte hash value that is non-reversible. - -When a client (LanManager, Windows for WorkGroups, Windows 95 or -Windows NT) wishes to mount a Samba drive (or use a Samba resource) it -first requests a connection and negotiates the protocol that the client -and server will use. In the reply to this request the Samba server -generates and appends an 8 byte, random value - this is stored in the -Samba server after the reply is sent and is known as the *challenge*. - -The challenge is different for every client connection. - -The client then uses the hashed password (16 byte values described -above), appended with 5 null bytes, as three 56 bit DES keys, each of -which is used to encrypt the challenge 8 byte value, forming a 24 byte -value known as the *response*. - -In the SMB call SMBsessionsetupX (when user level security is -selected) or the call SMBtconX (when share level security is selected) -the 24 byte response is returned by the client to the Samba server. -For Windows NT protocol levels the above calculation is done on -both hashes of the user's password and both responses are returned -in the SMB call, giving two 24 byte values. - -The Samba server then reproduces the above calculation, using its own -stored value of the 16 byte hashed password (read from the smbpasswd -file - described later) and the challenge value that it kept from the -negotiate protocol reply. It then checks to see if the 24 byte value it -calculates matches the 24 byte value returned to it from the client. - -If these values match exactly, then the client knew the correct -password (or the 16 byte hashed value - see security note below) and -is thus allowed access. If not, then the client did not know the -correct password and is denied access. - -Note that the Samba server never knows or stores the cleartext of the -user's password - just the 16 byte hashed values derived from it. Also -note that the cleartext password or 16 byte hashed values are never -transmitted over the network - thus increasing security. - -IMPORTANT NOTE ABOUT SECURITY ------------------------------ - -The unix and SMB password encryption techniques seem similar on the -surface. This similarity is, however, only skin deep. The unix scheme -typically sends clear text passwords over the nextwork when logging -in. This is bad. The SMB encryption scheme never sends the cleartext -password over the network but it does store the 16 byte hashed values -on disk. This is also bad. Why? Because the 16 byte hashed values are a -"password equivalent". You cannot derive the user's password from them, -but they could potentially be used in a modified client to gain access -to a server. This would require considerable technical knowledge on -behalf of the attacker but is perfectly possible. You should thus -treat the smbpasswd file as though it contained the cleartext -passwords of all your users. Its contents must be kept secret, and the -file should be protected accordingly. - -Ideally we would like a password scheme which neither requires plain -text passwords on the net or on disk. Unfortunately this is not -available as Samba is stuck with being compatible with other SMB -systems (WinNT, WfWg, Win95 etc). - - -PROS AND CONS -------------- - -There are advantages and disadvantages to both schemes. - -Advantages of SMB Encryption: ------------------------------ - -- plain text passwords are not passed across the network. Someone using -a network sniffer cannot just record passwords going to the SMB server. - -- WinNT doesn't like talking to a server that isn't using SMB -encrypted passwords. It will refuse to browse the server if the server -is also in user level security mode. It will insist on prompting the -user for the password on each connection, which is very annoying. The -only things you can do to stop this is to use SMB encryption. - -Advantages of non-encrypted passwords: --------------------------------------- - -- plain text passwords are not kept on disk. - -- uses same password file as other unix services such as login and -ftp - -- you are probably already using other services (such as telnet and -ftp) which send plain text passwords over the net, so not sending them -for SMB isn't such a big deal. - -Note that Windows NT 4.0 Service pack 3 changed the default for -permissible authentication so that plaintext passwords are *never* -sent over the wire. The solution to this is either to switch to -encrypted passwords with Samba or edit the Windows NT registry to -re-enable plaintext passwords. See the document WinNT.txt for -details on how to do this. - -The smbpasswd file. -------------------- - -In order for Samba to participate in the above protocol it must -be able to look up the 16 byte hashed values given a user name. -Unfortunately, as the UNIX password value is also a one way hash -function (ie. it is impossible to retrieve the cleartext of the user's -password given the UNIX hash of it) then a separate password file -containing this 16 byte value must be kept. To minimise problems with -these two password files, getting out of sync, the UNIX /etc/passwd and -the smbpasswd file, a utility, mksmbpasswd.sh, is provided to generate -a smbpasswd file from a UNIX /etc/passwd file. - -To generate the smbpasswd file from your /etc/passwd file use the -following command :- - -cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd - -If you are running on a system that uses NIS, use - -ypcat passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd - -The mksmbpasswd.sh program is found in the Samba source directory. By -default, the smbpasswd file is stored in :- - -/usr/local/samba/private/smbpasswd - -The owner of the /usr/local/samba/private directory should be set to -root, and the permissions on it should be set to :- - -r-x------ - -The command - -chmod 500 /usr/local/samba/private - -will do the trick. Likewise, the smbpasswd file inside the private -directory should be owned by root and the permissions on is should be -set to - -rw------- - -by the command :- - -chmod 600 smbpasswd. - -The format of the smbpasswd file is - -username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[Account type]:LCT-:Long name - -Although only the username, uid, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, -[Account type] and last-change-time sections are significant and -are looked at in the Samba code. - -It is *VITALLY* important that there by 32 'X' characters between the -two ':' characters in the XXX sections - the smbpasswd and Samba code -will fail to validate any entries that do not have 32 characters -between ':' characters. The first XXX section is for the Lanman password -hash, the second is for the Windows NT version. - -When the password file is created all users have password entries -consisting of 32 'X' characters. By default this disallows any access -as this user. When a user has a password set, the 'X' characters change -to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii -representation of the 16 byte hashed value of a user's password. - -To set a user to have no password (not recommended), edit the file -using vi, and replace the first 11 characters with the asci text - -NO PASSWORD - -Eg. To clear the password for user bob, his smbpasswd file entry would -look like : - -bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell - -If you are allowing users to use the smbpasswd command to set their own -passwords, you may want to give users NO PASSWORD initially so they do -not have to enter a previous password when changing to their new -password (not recommended). In order for you to allow this the -smbpasswd program must be able to connect to the smbd daemon as -that user with no password. Enable this by adding the line : - -null passwords = true - -to the [global] section of the smb.conf file (this is why the -above scenario is not recommended). Preferably, allocate your -users a default password to begin with, so you do not have -to enable this on your server. - -Note : This file should be protected very carefully. Anyone with -access to this file can (with enough knowledge of the protocols) gain -access to your SMB server. The file is thus more sensitive than a -normal unix /etc/passwd file. - -The smbpasswd Command. ----------------------- - -The smbpasswd command maintains the two 32 byte password fields in -the smbpasswd file. If you wish to make it similar to the unix passwd -or yppasswd programs, install it in /usr/local/samba/bin (or your main -Samba binary directory). - -Note that as of Samba 1.9.18p4 this program MUST NOT BE INSTALLED -setuid root (the new smbpasswd code enforces this restriction so -it cannot be run this way by accident). - -smbpasswd now works in a client-server mode where it contacts -the local smbd to change the user's password on its behalf. This -has enormous benefits - as follows. - -1). smbpasswd no longer has to be setuid root - an enormous -range of potential security problems is eliminated. - -2). smbpasswd now has the capability to change passwords -on Windows NT servers (this only works when the request is -sent to the NT Primary Domain Controller if you are changing -an NT Domain user's password). - -To run smbpasswd as a normal user just type : - -smbpasswd -Old SMB password: -New SMB Password: < type new value > -Repeat New SMB Password: < re-type new value > - -If the old value does not match the current value stored for that user, -or the two new values do not match each other, then the password will -not be changed. - -If invoked by an ordinary user it will only allow the user to change -his or her own Samba password. - -If run by the root user smbpasswd may take an optional argument, -specifying the user name whose SMB password you wish to change. Note -that when run as root smbpasswd does not prompt for or check the old -password value, thus allowing root to set passwords for users who have -forgotten their passwords. - -smbpasswd is designed to work in the same way and be familiar to UNIX -users who use the passwd or yppasswd commands. - -For more details on using smbpasswd refer to the man page which -will always be the definitive reference. - -Setting up Samba to support LanManager Encryption. --------------------------------------------------- - -This is a very brief description on how to setup samba to support -password encryption. More complete instructions will probably be added -later. - -1) compile and install samba as usual - -2) if your system can't compile the module getsmbpass.c then remove the --DSMBGETPASS define from the Makefile. - -3) enable encrypted passwords in smb.conf by adding the line -"encrypt passwords = yes" in the [global] section - -4) create the initial smbpasswd password file in the place you -specified in the Makefile. A simple way to do this based on your -existing Makefile (assuming it is in a reasonably standard format) is -like this: - -cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd - -Change ownership of private and smbpasswd to root. - -chown -R root /usr/local/samba/private - -Set the correct permissions on /usr/local/samba/private - -chmod 500 /usr/local/samba/private - -Set the correct permissions on /usr/local/samba/private/smbpasswd - -chmod 600 /usr/local/samba/private/smbpasswd - -note that the mksmbpasswd.sh script is in the samba source directory. - -If this fails then you will find that you will need entries that look -like this: - -# SMB password file. -tridge:148:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Andrew Tridgell:/home/tridge:/bin/tcsh - -note that the uid and username fields must be right. Also, you must get -the number of X's right (there should be 32). - -5) set the passwords for users using the smbpasswd command. For -example, as root you could do "smbpasswd tridge" - -6) try it out! - -Note that you can test things using smbclient, as it also now supports -encryption. - -============================================================================== -Footnote: Please refer to WinNT.txt also diff --git a/docs/textdocs/NT_Security.txt b/docs/textdocs/NT_Security.txt deleted file mode 100644 index 4620dd8408..0000000000 --- a/docs/textdocs/NT_Security.txt +++ /dev/null @@ -1,304 +0,0 @@ - -TITLE INFORMATION: Viewing and changing UNIX permissions using the NT security dialogs in Samba 2.0.4 -AUTHOR INFORMATION: Jeremy Allison, Samba Team -DATE INFORMATION: 12th April 1999 - -Table of Contents - -Viewing and changing UNIX permissions using the NT security dialogs - -------------------------------------------------------------------- - -New in the Samba 2.0.4 release is the -ability for Windows NT clients to use their native security -settings dialog box to view and modify the underlying UNIX -permissions. - -Note that this ability is careful not to compromise the security -of the UNIX host Samba is running on, and still obeys all the -file permission rules that a Samba administrator can set. - -In Samba 2.0.4 and above the default value of the parameter -"nt acl support" has been -changed from "false" to "true", so manipulation of permissions is -turned on by default. - -How to view file security on a Samba share - ------------------------------------------- - -From an NT 4.0 client, single-click with the right mouse button on -any file or directory in a Samba mounted drive letter or UNC path. -When the menu pops-up, click on the Properties entry at the -bottom of the menu. This brings up the normal file properties dialog -box, but with Samba 2.0.4 this will have a new tab along the top -marked Security. Click on this tab and you will see three buttons, -Permissions, Auditing, and Ownership. The Auditing -button will cause either an error message "A requested privilege is -not held by the client" to appear if the user is not the NT Administrator, -or a dialog which is intended to allow an Administrator to add -auditing requirements to a file if the user is logged on as the -NT Administrator. This dialog is non-functional with a Samba -share at this time, as the only useful button, the Add button -will not currently allow a list of users to be seen. - -Viewing file ownership - ----------------------- - -Clicking on the "Ownership" button brings up a dialog box telling -you who owns the given file. The owner name will be of the form : - -"SERVER\user (Long name)" - -Where SERVER is the NetBIOS name of the Samba server, user -is the user name of the UNIX user who owns the file, and (Long name) -is the discriptive string identifying the user (normally found in the -GECOS field of the UNIX password database). Click on the Close -button to remove this dialog. - -If the parameter "nt acl support" -is set to "false" then the file owner will be shown as the NT user -"Everyone". - -The Take Ownership button will not allow you to change the -ownership of this file to yourself (clicking on it will display a -dialog box complaining that the user you are currently logged onto -the NT client cannot be found). The reason for this is that changing -the ownership of a file is a privilaged operation in UNIX, available -only to the root user. As clicking on this button causes NT to -attempt to change the ownership of a file to the current user logged -into the NT client this will not work with Samba at this time. - -There is an NT chown command that will work with Samba and allow -a user with Administrator privillage connected to a Samba 2.0.4 -server as root to change the ownership of files on both a local NTFS -filesystem or remote mounted NTFS or Samba drive. This is available -as part of the Seclib NT security library written by Jeremy -Allison of the Samba Team, available from the main Samba ftp site. - -Viewing file or directory permissions - -------------------------------------- - -The third button is the "Permissions" button. Clicking on this -brings up a dialog box that shows both the permissions and the UNIX -owner of the file or directory. The owner is displayed in the form : - -"SERVER\user (Long name)" - -Where SERVER is the NetBIOS name of the Samba server, user -is the user name of the UNIX user who owns the file, and (Long name) -is the discriptive string identifying the user (normally found in the -GECOS field of the UNIX password database). - -If the parameter "nt acl support" -is set to "false" then the file owner will be shown as the NT user -"Everyone" and the permissions will be shown as NT "Full Control". - -The permissions field is displayed differently for files and directories, -so I'll describe the way file permissions are displayed first. - -File Permissions - ----------------- - -The standard UNIX user/group/world triple and the correspinding -"read", "write", "execute" permissions triples are mapped by Samba -into a three element NT ACL with the 'r', 'w', and 'x' bits mapped -into the corresponding NT permissions. The UNIX world permissions are mapped -into the global NT group Everyone, followed by the list of permissions -allowed for UNIX world. The UNIX owner and group permissions -are displayed as an NT user icon and an NT local group icon -respectively followed by the list of permissions allowed for the -UNIX user and group. - -As many UNIX permission sets don't map into common NT names such as -"read", "change" or "full control" then usually the permissions -will be prefixed by the words "Special Access" in the NT display -list. - -But what happens if the file has no permissions allowed for a -particular UNIX user group or world component ? In order to -allow "no permissions" to be seen and modified then Samba overloads -the NT "Take Ownership" ACL attribute (which has no meaning in -UNIX) and reports a component with no permissions as having the NT -"O" bit set. This was chosen of course to make it look like a -zero, meaning zero permissions. More details on the decision behind -this will be given below. - -Directory Permissions - ---------------------- - -Directories on an NT NTFS file system have two different sets of -permissions. The first set of permissions is the ACL set on the -directory itself, this is usually displayed in the first set of -parentheses in the normal "RW" NT style. This first set of -permissions is created by Samba in exactly the same way as normal -file permissions are, described above, and is displayed in the -same way. - -The second set of directory permissions has no real meaning in the -UNIX permissions world and represents the "inherited" permissions -that any file created within this directory would inherit. - -Samba synthesises these inherited permissions for NT by returning as -an NT ACL the UNIX permission mode that a new file created by Samba -on this share would receive. - -Modifying file or directory permissions - ---------------------------------------- - -Modifying file and directory permissions is as simple as changing -the displayed permissions in the dialog box, and clicking the OK -button. However, there are limitations that a user needs to be aware -of, and also interactions with the standard Samba permission masks -and mapping of DOS attributes that need to also be taken into account. - -If the parameter "nt acl support" -is set to "false" then any attempt to set security permissions will -fail with an "Access Denied" message. - -The first thing to note is that the "Add" button will not return -a list of users in Samba 2.0.4 (it will give an error message of -"The remote proceedure call failed and did not execute"). This -means that you can only manipulate the current user/group/world -permissions listed in the dialog box. This actually works quite well -as these are the only permissions that UNIX actually has. - -If a permission triple (either user, group, or world) is removed from -the list of permissions in the NT dialog box, then when the "OK" -button is pressed it will be applied as "no permissions" on the UNIX -side. If you then view the permissions again the "no permissions" entry -will appear as the NT "O" flag, as described above. This allows you -to add permissions back to a file or directory once you have removed -them from a triple component. - -As UNIX supports only the "r", "w" and "x" bits of an NT ACL -then if other NT security attributes such as "Delete access" -are selected then they will be ignored when applied on the -Samba server. - -When setting permissions on a directory the second set of permissions -(in the second set of parentheses) is by default applied to all -files within that directory. If this is not what you want you -must uncheck the "Replace permissions on existing files" checkbox -in the NT dialog before clicking "OK". - -If you wish to remove all permissions from a user/group/world -component then you may either highlight the component and click -the "Remove" button, or set the component to only have the special -"Take Ownership" permission (dsplayed as "O") highlighted. - -Interaction with the standard Samba create mask parameters - ----------------------------------------------------------- - -Note that with Samba 2.0.5 there are four new parameters to -control this interaction. - -These are : - -security mask -force security mode -directory security mask -force directory security mode - -Once a user clicks "OK" to apply the permissions Samba maps -the given permissions into a user/group/world r/w/x triple set, -and then will check the changed permissions for a file against -the bits set in the "security mask" -parameter. Any bits that were changed that are not set to '1' -in this parameter are left alone in the file permissions. - -Essentially, zero bits in the "security mask" -mask may be treated as a set of bits the user is not allowed to change, -and one bits are those the user is allowed to change. - -If not set explicitly this parameter is set to the same value as the -"create mask" parameter to provide compatibility -with Samba 2.0.4 where this permission change facility was introduced. -To allow a user to modify all the user/group/world permissions on a file, -set this parameter to 0777. - -Next Samba checks the changed permissions for a file against the -bits set in the "force security mode" -parameter. Any bits that were changed that correspond to bits set -to '1' in this parameter are forced to be set. - -Essentially, bits set in the "force security mode" -parameter may be treated as a set of bits that, when modifying security on a file, the -user has always set to be 'on'. - -If not set explicitly this parameter is set to the same value as the -"force create mode" parameter to provide compatibility -with Samba 2.0.4 where the permission change facility was introduced. -To allow a user to modify all the user/group/world permissions on a file, -with no restrictions set this parameter to 000. - -The "security mask" and -"force security mode" parameters -are applied to the change request in that order. - -For a directory Samba will perform the same operations as described above -for a file except using the parameter "directory security mask" -instead of "security mask", and -"force directory security mode" parameter instead -of "force security mode". - -The "directory security mask" -parameter by default is set to the same value as the "directory mask" -parameter and the "force directory security mode" -parameter by default is set to the same value as the -iurl("force directory mode")(smb.conf.5.html#forcedirectorymode) parameter -to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. - -In this way Samba enforces the permission restrictions that an administrator -can set on a Samba share, whilst still allowing users to modify the -permission bits within that restriction. - -If you want to set up a share that allows users full control -in modifying the permission bits on their files and directories and -doesn't force any particular bits to be set 'on', then set the following -parameters in the smb.conf.5 file in -that share specific section : - -security mask = 0777 -force security mode = 0 -directory security mask = 0777 -force directory security mode = 0 - -As described, in Samba 2.0.4 the parameters : - -create mask -force create mode -directory mask -force directory mode - -were used instead of the parameters discussed here. - -Interaction with the standard Samba file attribute mapping - ----------------------------------------------------------- - -Samba maps some of the DOS attribute bits (such as "read only") -into the UNIX permissions of a file. This means there can be a -conflict between the permission bits set via the security dialog -and the permission bits set by the file attribute mapping. - -One way this can show up is if a file has no UNIX read access -for the owner it will show up as "read only" in the standard -file attributes tabbed dialog. Unfortunately this dialog is -the same one that contains the security info in another tab. - -What this can mean is that if the owner changes the permissions -to allow themselves read access using the security dialog, clicks -"OK" to get back to the standard attributes tab dialog, and -then clicks "OK" on that dialog, then NT will set the file -permissions back to read-only (as that is what the attributes -still say in the dialog). This means that after setting permissions -and clicking "OK" to get back to the attributes dialog you -should always hit "Cancel" rather than "OK" to ensure -that your changes are not overridden. diff --git a/docs/textdocs/PRINTER_DRIVER2.txt b/docs/textdocs/PRINTER_DRIVER2.txt deleted file mode 100644 index 2bca8e69c9..0000000000 --- a/docs/textdocs/PRINTER_DRIVER2.txt +++ /dev/null @@ -1,332 +0,0 @@ -!== -!== PRINTER_DRIVER2.txt for Samba release 2.2.0-alpha1 23 Nov 2000 -!== - -========================================================================== - Gerald Carter 14 Sep 2000 -=========================================================================== - -Introduction -============ -Beginning with the 2.2.0 release, Samba now supports the native Windows -NT printing mechanisms implemented via MS-RPC (i.e. the SPOOLSS named -pipe). Previous versions of Samba only supported the LanMan printing -calls. - -The additional functionality provided by the new SPOOLSS support -includes: - - o Support for downloading printer driver files to - Windows 95/98/NT/2000 clients upon demand. - o Uploading of printer drivers via the Windows NT - Add Printer Wizard (APW) or the Imprints tool set - o Support for the native MS-RPC printing calls such - as StartDocPrinter, EnumJobs(), etc... (See the MSDN - documentation for more information on the Win32 - printing API) - o Support for NT Access Control Lists (ACL) on - printer objects - o Improved support for printer queue manipulation through - the use of an internal database for spooled job information. - - -Configuration -============= - -In order to support the uploading of printer driver files, you -must first configure a file share named [print$]. The name of -this share is hard coded in Samba's internals so the name is -very important (print$ is the service used by Windows NT -print servers to provide support for printer driver download. - - - -You should modify the server's smb.conf file to create the -following file share (of course, some of the parameter values, -such as 'path' are arbitrary and should be replaced with -appropriate values for your site): - - [print$] - path = /usr/local/samba/printers - guest ok = yes - browseable = yes - read only = yes - write list = ntadmin - -The 'write list' is used to allow administrative level user accounts -to have write access in order to update files on the share. -See the smb.conf(5) man page for more information on configuring -file shares. - -The requirement for 'guest ok = yes' depends upon how your -site is configured. If users will be guaranteed to have -an account on the Samba host, then this is a non-issue. - - [author's note: The non-issue is that if all your Windows - NT users are guarenteed to be authenticated by the Samba server - (such as a domain member server and the NT user has already - been validated by the Domain Controller in order to logon - to the Windows NT console), then guest access is not necessary. - Of course, in a workgroup environment where you just want - to be able to print without worrying about silly accounts - and security, then configure the share for gues access. - You'll probably want to add 'map to guest = Bad User' - in the [global] section as well. Make sure you understand - what this parameter does before using it though. --jerry] - -In order for a Windows NT print server to support the -downloading of driver files by multiple client architectures, -it must create subdirectories within the [print$] service -which correspond to each of the supported client architectures. -Samba follows this model as well. - -Next create the directory tree below the [print$] share for -each architecture you wish to support. - - [print$]----- - |-W32X86 ; "Windows NT x86" - |-WIN40 ; "Windows 95/98" - |-W32ALPHA ; "Windows NT Alpha_AXP" - |-W32MIPS ; "Windows NT R4000" - |-W32PPC ; "Windows NT PowerPC" - - -+++++++++++++ ATTENTION! REQUIRED PERMISSIONS +++++++++++++++++ - -Currently, the connected user must have uid 0 in order to -successfully install a new printer driver. There are two -points of authorization in this process. - - o Access permissions to add files to the [print$] - share. This access control is managed using - the same semantics as normal file shares. - (i.e. filesystem permissions, write list, - writeable, etc...) - - o Authorization to add entries to - - $SAMBA/var/locks/ntdrivers.tdb - - Updates to this TDB are curently restricted - to the root account. - -Therefore, you must be connected to the samba host as the -root user in order to add a new printer driver. - - -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -!== The Windows NT APW - -Once you have created the required [print$] service and associated -subdirectories, simply log onto the Samba server using a root account -from a Windows NT 4.0 client. Navigate to the "Printers" folder -on the Samba server. You should see an initial listing of printers -that matches the printer shares defined on your Samba host. - - - -The initial listing of printers in the Samba host's Printers -folder will have no printer driver assigned to them. The way -assign a driver to a printer is to view the Properties of the -printer and either - - o Use the "New Driver..." button to install a new printer - driver, or - o Select a driver from the popup list of installed drivers. - Initially this list will be empty. - -If you wish to install printer drivers for client operating -systems other than "Windows NT x86", you will need to use the -"Sharing" tab of the printer properties dialog. - -Assuming you have connected with a root account, you will -also be able modify other printer properties such as -ACLs and device settings using this dialog box. - - -!== Imprints - -The Imprints tool set provides a UNIX equivalent of the Windows -NT Add Printer Wizard. For complete information, please refer -to the Imprints web site at http://imprints.sourceforge.net/ -as well as the documentation included with the imprints source -distribution. This section will only provide a brief introduction -to the features of Imprints. - -What is Imprints? - - Imprints is a collection of tools for supporting the goals of - - o Providing a central repository information regarding - Windows NT and 95/98 printer driver packages - o Providing the tools necessary for creating the Imprints - printer driver packages. - o Providing an installation client which will obtain - and install printer drivers on remote Samba and Windows - NT 4 print servers. - - -Creating Printer Driver Packages - - The process of creating printer driver packages is beyond - the scope of this document (refer to Imprints.txt also included - with the Samba distribution for more information). In short, - an Imprints driver package is a gzipped tarball containing the - driver files, related INF files, and a control file needed by the - installation client. - -The Imprints server - - The Imprints server is really a database server that may - be queried via standard HTTP mechanisms. Each printer entry - in the database has an associated URL for the actual - downloading of the package. Each package is digitally signed - via GnuPG which can be used to verify that package downloaded - is actually the one referred in the Imprints database. It is - **not** recommended that this security check be disabled. - -The Installation Client - - - The Imprints installation client comes in two forms. - - o a set of command line Perl scripts - o a GTK+ based graphical interface to the command - line perl scripts - - The installation client (in both forms) provides a means - of querying the Imprints database server for a matching - list of known printer model names as well as a means to - download and install the drivers on remote Samba and Windows - NT print servers. - - The basic installation process is in four steps and perl code - is wrapped around smbclient and rpcclient. - - foreach (supported architecture for a given driver) - { - 1. rpcclient: Get the appropriate upload directory - on the remote server - 2. smbclient: Upload the driver files - 3. rpcclient: Issues an AddPrinterDriver() MS-RPC - } - - 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually - create the printer - -!== The printer driver name space problem - - One of the problems encountered when implementing the Imprints - tool set was the name space issues between various supported - client architectures. For example, Windows NT includes a driver - named "Apple LaserWriter II NTX v51.8" and Windows 95 calls - its version of this driver "Apple LaserWriter II NTX" - - The problem is how to know what client drivers have been - uploaded for a printer. As astute reader will remember that - the Windows NT Printer Properties dialog only includes space - for one printer driver name. A quick look in the Windows NT - 4 system registry at - - HKLM\System\CurrentControlSet\Control\Print\Environment - - will reveal that Windows NT always uses the NT driver name. - The is ok as Windows NT always requires that at least the Windows - NT version of the printer driver is present. However, Samba - does not have the requirement internally. Therefore, how can - you use the NT driver name if is has not already been installed? - - The way of sidestepping this limitation is to require that all - Imprints printer driver packages include both the Intel Windows - NT and 95/98 printer drivers and that NT driver is installed - first. - - -Migration to 2.2.x -============================= - -Given that printer driver management has changed -(we hope improved :) ) in 2.2.0 over prior releases, -migration from an existing setup to 2.2.0 can follow -several paths. - - - The following smb.conf parameters are considered to be - depreciated and will be removed soon. Do not use them - in new installations - - 'printer driver file' (G) - 'printer driver' (S) - 'printer driver location' (S) - - - -Here are the possible scenarios for supporting migration: - - o If you does not desire the new Windows NT - print driver support, nothing needs to be done. - All existing parameters work the same. - - o If you want to take advantage of NT printer - driver support but does not want to migrate the - 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts to locate a - 9x driver for the printer in the TDB and fails it - will drop down to using the printers.def (and all - associated parameters). The make_printerdef tool - will also remain for backwards compatibility but will - be moved to the "this tool is the old way of doing it" - pile. - - o If you instal a Windows 9x driver for a printer on - your Samba host (in the printing TDB), this information will - take precedence and the three old printing parameters - will be ignored (including print driver location). - - o If you want to migrate an existing printers.def file into - the new setup, the current only solution is to use the - Windows NT APW to install the NT drivers and the 9x - drivers. (comment: this could possibly be scripted using - smbclient and rpcclient, but I haven't had time --jerry) - -!== end of PRINTER_DRIVER2.txt ======================================= -!===================================================================== - diff --git a/docs/textdocs/UNIX_INSTALL.txt b/docs/textdocs/UNIX_INSTALL.txt deleted file mode 100644 index 1de821e152..0000000000 --- a/docs/textdocs/UNIX_INSTALL.txt +++ /dev/null @@ -1,332 +0,0 @@ -HOW TO INSTALL AND TEST SAMBA -============================= - -STEP 0. Read the man pages. They contain lots of useful info that will -help to get you started. If you don't know how to read man pages then -try something like: - - nroff -man smbd.8 | more - -Other sources of information are pointed to by the Samba web -site, http://samba.org/samba. - -STEP 1. Building the binaries - -To do this, first run the program ./configure in the source -directory. This should automatically configure Samba for your -operating system. If you have unusual needs then you may wish to run -"./configure --help" first to see what special options you can enable. - -Then type "make". This will create the binaries. - -Once it's successfully compiled you can use "make install" to install -the binaries and manual pages. You can separately install the binaries -and/or man pages using "make installbin" and "make installman". - -Note that if you are upgrading for a previous version of Samba you -might like to know that the old versions of the binaries will be -renamed with a ".old" extension. You can go back to the previous -version with "make revert" if you find this version a disaster! - -STEP 2. The all important step - -At this stage you must fetch yourself a coffee or other drink you find -stimulating. Getting the rest of the install right can sometimes be -tricky, so you will probably need it. - -If you have installed samba before then you can skip this step. - -STEP 3. Create the smb configuration file. - -There are sample configuration files in the examples subdirectory in -the distribution. I suggest you read them carefully so you can see how -the options go together in practice. See the man page for all the -options. - -The simplest useful configuration file would be something like this: - - workgroup = MYGROUP - - [homes] - guest ok = no - read only = no - -which would allow connections by anyone with an account on the server, -using either their login name or "homes" as the service name. (Note -that I also set the workgroup that Samba is part of. See BROWSING.txt -for defails) - -Note that "make install" will not install a smb.conf file. You need to -create it yourself. You will also need to create the path you specify -in the Makefile for the logs etc, such as /usr/local/samba. - -Make sure you put the smb.conf file in the same place you specified in -the Makefile. - -For more information about security settings for the [homes] share please -refer to the document UNIX_SECURITY.txt - -STEP 4. Test your config file with testparm - -It's important that you test the validity of your smb.conf file using -the testparm program. If testparm runs OK then it will list the loaded -services. If not it will give an error message. - -Make sure it runs OK and that the services look resonable before -proceeding. - -STEP 5. Starting the smbd and nmbd. - -You must choose to start smbd and nmbd either as daemons or from -inetd. Don't try to do both! Either you can put them in inetd.conf -and have them started on demand by inetd, or you can start them as -daemons either from the command line or in /etc/rc.local. See the man -pages for details on the command line options. Take particular care -to read the bit about what user you need to be in order to start Samba. -In many cases you must be root. - -The main advantage of starting smbd and nmbd as a daemon is that they -will respond slightly more quickly to an initial connection -request. This is, however, unlilkely to be a problem. - -Step 5a. Starting from inetd.conf - -NOTE; The following will be different if you use NIS or NIS+ to -distributed services maps. - -Look at your /etc/services. What is defined at port 139/tcp. If -nothing is defined then add a line like this: - -netbios-ssn 139/tcp - -similarly for 137/udp you should have an entry like: - -netbios-ns 137/udp - -Next edit your /etc/inetd.conf and add two lines something like this: - -netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd -netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - -The exact syntax of /etc/inetd.conf varies between unixes. Look at the -other entries in inetd.conf for a guide. - -NOTE: Some unixes already have entries like netbios_ns (note the -underscore) in /etc/services. You must either edit /etc/services or -/etc/inetd.conf to make them consistant. - -NOTE: On many systems you may need to use the "interfaces" option in -smb.conf to specify the IP address and netmask of your interfaces. Run -ifconfig as root if you don't know what the broadcast is for your -net. nmbd tries to determine it at run time, but fails on some -unixes. See the section on "testing nmbd" for a method of finding if -you need to do this. - -!!!WARNING!!! Many unixes only accept around 5 parameters on the -command line in inetd. This means you shouldn't use spaces between the -options and arguments, or you should use a script, and start the -script from inetd. - -Restart inetd, perhaps just send it a HUP. If you have installed an -earlier version of nmbd then you may need to kill nmbd as well. - -Step 5b. Alternative: starting it as a daemon - -To start the server as a daemon you should create a script something -like this one, perhaps calling it "startsmb" - -#!/bin/sh -/usr/local/samba/bin/smbd -D -/usr/local/samba/bin/nmbd -D - -then make it executable with "chmod +x startsmb" - -You can then run startsmb by hand or execute it from /etc/rc.local - -To kill it send a kill signal to the processes nmbd and smbd. - -NOTE: If you use the SVR4 style init system then you may like to look -at the examples/svr4-startup script to make Samba fit into that system. - - -STEP 6. Try listing the shares available on your server - -smbclient -L yourhostname - -Your should get back a list of shares available on your server. If you -don't then something is incorrectly setup. Note that this method can -also be used to see what shares are available on other LanManager -clients (such as WfWg). - -If you choose user level security then you may find that Samba requests -a password before it will list the shares. See the smbclient docs for -details. (you can force it to list the shares without a password by -adding the option -U% to the command line. This will not work with -non-Samba servers) - -STEP 7. try connecting with the unix client. eg: - -smbclient //yourhostname/aservice - -Typically the "yourhostname" would be the name of the host where you -installed smbd. The "aservice" is any service you have defined in the -smb.conf file. Try your user name if you just have a [homes] section -in smb.conf. - -For example if your unix host is bambi and your login name is fred you -would type: - -smbclient //bambi/fred - -STEP 8. Try connecting from a dos/WfWg/Win95/NT/os-2 client. Try -mounting disks. eg: - -net use d: \\servername\service - -Try printing. eg: - -net use lpt1: \\servername\spoolservice -print filename - -Celebrate, or send me a bug report! - -WHAT IF IT DOESN'T WORK? -======================== - -If nothing works and you start to think "who wrote this pile of trash" -then I suggest you do step 2 again (and again) till you calm down. - -Then you might read the file DIAGNOSIS.txt and the FAQ. If you are -still stuck then try the mailing list or newsgroup (look in the README -for details). Samba has been successfully installed at thousands of -sites worldwide, so maybe someone else has hit your problem and has -overcome it. You could also use the WWW site to scan back issues of -the samba-digest. - -When you fix the problem PLEASE send me some updates to the -documentation (or source code) so that the next person will find it -easier. - -DIAGNOSING PROBLEMS -=================== - -If you have instalation problems then go to DIAGNOSIS.txt to try to -find the problem. - -SCOPE IDs -========= - -By default Samba uses a blank scope ID. This means all your windows -boxes must also have a blank scope ID. If you really want to use a -non-blank scope ID then you will need to use the -i option to -nmbd, smbd, and smbclient. All your PCs will need to have the same -setting for this to work. I do not recommend scope IDs. - - -CHOOSING THE PROTOCOL LEVEL -=========================== - -The SMB protocol has many dialects. Currently Samba supports 5, called -CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. - -You can choose what maximum protocol to support in the smb.conf -file. The default is NT1 and that is the best for the vast majority of -sites. - -In older versions of Samba you may have found it necessary to use -COREPLUS. The limitations that led to this have mostly been fixed. It -is now less likely that you will want to use less than LANMAN1. The -only remaining advantage of COREPLUS is that for some obscure reason -WfWg preserves the case of passwords in this protocol, whereas under -LANMAN1, LANMAN2 or NT1 it uppercases all passwords before sending them, -forcing you to use the "password level=" option in some cases. - -The main advantage of LANMAN2 and NT1 is support for long filenames with some -clients (eg: smbclient, Windows NT or Win95). - -See the smb.conf manual page for more details. - -Note: To support print queue reporting you may find that you have to -use TCP/IP as the default protocol under WfWg. For some reason if you -leave Netbeui as the default it may break the print queue reporting on -some systems. It is presumably a WfWg bug. - - -PRINTING FROM UNIX TO A CLIENT PC -================================= - -To use a printer that is available via a smb-based server from a unix -host you will need to compile the smbclient program. You then need to -install the script "smbprint". Read the instruction in smbprint for -more details. - -There is also a SYSV style script that does much the same thing called -smbprint.sysv. It contains instructions. - - -LOCKING -======= - -One area which sometimes causes trouble is locking. - -There are two types of locking which need to be performed by a SMB -server. The first is "record locking" which allows a client to lock a -range of bytes in a open file. The second is the "deny modes" that are -specified when a file is open. - -Samba supports "record locking" using the fcntl() unix system -call. This is often implemented using rpc calls to a rpc.lockd process -running on the system that owns the filesystem. Unfortunately many -rpc.lockd implementations are very buggy, particularly when made to -talk to versions from other vendors. It is not uncommon for the -rpc.lockd to crash. - -There is also a problem translating the 32 bit lock requests generated -by PC clients to 31 bit requests supported by most -unixes. Unfortunately many PC applications (typically OLE2 -applications) use byte ranges with the top bit set as semaphore -sets. Samba attempts translation to support these types of -applications, and the translation has proved to be quite successful. - -Strictly a SMB server should check for locks before every read and -write call on a file. Unfortunately with the way fcntl() works this -can be slow and may overstress the rpc.lockd. It is also almost always -unnecessary as clients are supposed to independently make locking -calls before reads and writes anyway if locking is important to -them. By default Samba only makes locking calls when explicitly asked -to by a client, but if you set "strict locking = yes" then it will -make lock checking calls on every read and write. - -You can also disable by range locking completely using "locking = -no". This is useful for those shares that don't support locking or -don't need it (such as cdroms). In this case Samba fakes the return -codes of locking calls to tell clients that everything is OK. - -The second class of locking is the "deny modes". These are set by an -application when it opens a file to determine what types of access -should be allowed simultaneously with its open. A client may ask for -DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special -compatability modes called DENY_FCB and DENY_DOS. - -You can disable share modes using "share modes = no". This may be -useful on a heavily loaded server as the share modes code is very -slow. See also the FAST_SHARE_MODES option in the Makefile for a way -to do full share modes very fast using shared memory (if your OS -supports it). - - -MAPPING USERNAMES -================= - -If you have different usernames on the PCs and the unix server then -take a look at the "username map" option. See the smb.conf man page -for details. - - -OTHER CHARACTER SETS -==================== - -If you have problems using filenames with accented characters in them -(like the German, French or Scandinavian character sets) then I -recommmend you look at the "valid chars" option in smb.conf and also -take a look at the validchars package in the examples directory. diff --git a/docs/textdocs/samba-pdc-faq.txt b/docs/textdocs/samba-pdc-faq.txt deleted file mode 100644 index e6222ad422..0000000000 --- a/docs/textdocs/samba-pdc-faq.txt +++ /dev/null @@ -1,939 +0,0 @@ - -The Samba 2.2 PDC FAQ - -David Bannon - - La Trobe University - _________________________________________________________________ - _________________________________________________________________ - - Comments, corrections and additions to - - This is the FAQ for Samba 2.2 as an NTDomain controller. This document - is derived from the origional FAQ that was built and maintained by - Gerald Carter from the early days of Samba NTDomain development up - until recently. It is now being updated as significent changes are - made to 2.2.0. - - Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba - 2.0.7, TNG nor HEAD branch. - - I'll repeat, it does not apply to the current snapshot [ftp - mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the to the - current cvs. - - Also available is a Samba 2.2 PDC HowTo that takes you, step by step, - over the process of setting up a very basic Samba 2.2 Primary Domain - Controller - - Note: Please read the Introduction for the current state of play. - - Table of Contents - 1. Introduction - - State of Play - Introduction - - 2. General Information - - What can we do ? - - What can Samba Primary Domain Controller (PDC) do ? - Can I have a Windows 2000 client logon to a Samba - controlled domain? - - What's the status of print spool (spoolss) support in the - NTDOM code? - - CVS - - What are the different Samba branches available in CVS ? - What are the CVS commands ? - - 3. Establishing Connections - - How do I get my NT4 or W2000 Workstation to login to the - Samba controlled Domain? - - What is a 'machine account' ? - "The machine account for this computer either does not - exist or is not accessable." - - How do I create machine accounts manually ? - I cannot include a '$' in a machine name. - I get told "You already have a connection to the - Domain...." when creating a machine account. - - I get told "Cannot join domain, the credentials supplied - conflict with an existing set.." - - "The system can not log you on (C000019B)...." - - 4. User Account Management - - Domain Admins - - How do I configure an account as a domain administrator? - - Profiles - - Why is it bad to set "logon path = \\%N\%U\profile" in - smb.conf? ? - - Why are all the users listed in the "domain admin users" - using the same profile? - - The roaming profiles do not seem to be updating on the - server. - - Policies - - What are 'Policies' ?. - I can't get system policies to work. - What about Windows NT Policy Editor ? - Can Win95 do Policies ? - - Passwords - - What is password sync and should I use it ? - How do I get remote password (unix and SMB) changing - working ? - - 5. Miscellaneous - - What editor can I use in DOS/Windows that won't mess with - my unix EOF - - How do I get 'User Manager' and 'Server Manager' - The time setting from a Samba server does not work. - "trust account xxx should be in DOMAIN_GROUP_RID_USERS" - How do I get my samba server to become a member ( not PDC ) - of an NT domain? - - 6. Troubleshooting and Bug Reporting - - Diagnostic tools - - What are some diagnostics tools I can use to debug the - domain logon process and where can I find them? - - How do I install 'Network Monitor' on an NT Workstation or - a Windows 9x box? - - What other help can I get ? - - URLs and similar - How do I get help from the mailing lists ? - How do I get off the mailing lists ? - _________________________________________________________________ - -Chapter 1. Introduction - -State of Play - - It should be noted that 2.2.0 in its pre-release form still has a few - problems, I'll try and keep this section current while things are - still dynamic. At the time of this update (December 15, 2000) the - current state of play is : - - Comments here about W2K joining the domain apply only to Samba 2.2 - from the CVS after November 27th. The 'snapshot' release - Samba2.2alpha1 does not work !!! See below on how to get a CVS tree. - - Known Bug !W2K machines will not successfully join a domain with a - name that is made up from an even number of characters. Yep, thats - right ! BIOTEST is OK as is MYDOMAI but MYDOMAIN will not work until - this bug is fixed. Hmm.., we believe that this bug is fixed, but see - below. - - Known Bug !After some bugs were fixed just before Christmas, W2K SP1 - machines cannot join the domain. Expected to be fixed early in the new - year. Whats that ? yeah, samba developers have a Christmas break too ! - - Know Bug !NTs (and possibly W2K ?) are not told the logged on user is - a domain admin if the parameter "domain admin users = user" is used. - The alternative, "domain admin group" does work. See the HowTo. - - Client Side creation of Machine accounts does work but is not - complete. Firstly, the add user script runs as the user who's name was - entered, not as root. Secondly, the machine name passed to the script - (%U) has an underscore at the end, not a '$'. One alternative is to - use %m and add the $. This method is documented in the HowTo. And - thirdly, it does not work with NT4ws. - - A W2K machine can join the domain. See the HowTo which explains the - process. The methods described are 'work arounds' and should be - regarded as temporary. Although I (drb) have tested these procedures a - number of people have had difficulty so there may be other issues at - work. JFM is aware of these problems and will attend to them when he - can. - - A Domain Admin account is required and at present it appears that only - root is a suitable candidate. - - Much of the related code does work. For example, if an NT is removed - from the domain and then rejoins, the Create a Computer Account in the - Domain dialog will let you reset the smbpasswd. That is you don't need - to do it from the unix box. However, at the present, you do need to - have root as an administrator and use the root user name and password. - - Actually I'm not sure that last paragraph is correct .... - - Policies do work on a W2K machine. MS says that recent builds of W2K - dont observe an NT policy but it appears it does in 'legacy' mode. - _________________________________________________________________ - -Introduction - - This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing - with the 'old head' version of Samba and its NTDomain facilities. It - is being rewritten by David Bannon (drb) so that it addresses more - accurately the Samba 2.2 planned for release late 2000. - - This document probably still contains some material that does not - apply to Samba 2.2 but most (all?) of the really misleading stuff has - been removed. Some issues are not dealt with or are dealt with badly. - Please send corrections and additions to David Bannon at - D.Bannon@latrobe.edu.au - - Hopefully, as we all become familiar with the Samba 2.2 as a PDC this - document will become much more usefull. - _________________________________________________________________ - -Chapter 2. General Information - -What can we do ? - -What can Samba Primary Domain Controller (PDC) do ? - - If you wish to have Samba act as a PDC for Windows NT 3.51.and 4.0 or - W2000 client, then you will need to obtain the 2.2.0 version, - currently in pre-release. Release of a stable, full featured Samba PDC - is currently slated for version 3.0. - - The following is a list of included features currently in Samba 2.2: - - * The ability to act as a limited PDC for Windows NT and W2000 - clients. This includes adding NT and W2K machines to the domain - and authenticating users logging into the domain. - * Domain account can be viewed using the User Manager for Domains - ???? - * Viewing resources on the Samba PDC via the Server Manager for - Domains from the NT client. ?? - * Windows 95 clients will allow user level security to be set but - will not currently allow browsing of accounts. - * Machine account password updates. - * Changing of user passwords from an NT client. - * Partial support for Windows NT group and username mapping. - * Support for a LDAP password database backend. - * Printing. - - These things are note expected to work in the forseeable future - * Trust relationships - * PDC and BDC integration - * Windows NT ACLs (on the Samba shares) - * Offer a list of domain users to User Manager for Domains (or the - Security Tab etc). - _________________________________________________________________ - -Can I have a Windows 2000 client logon to a Samba controlled domain? - - The 2.2 release branch of Samba supports Windows 2000 domain clients - in legacy mode, ie as if the PDC is a NTServer, not a W2K server. - _________________________________________________________________ - -What's the status of print spool (spoolss) support in the NTDOM code? - - The implementation of support for SPOOLSS pipe is complete and it will - be available in the 2.2.0 release. This means that Samba will support - the automatic downloading of printer drivers for Windows NT clients - just as it currently does for Windows 9x clients. - _________________________________________________________________ - -CVS - - CVS is a programme (publically available) that the Samba developers - use to maintain the central source code. Non developers can get access - to the source in a read only capacity. Many flavours of unix now - arrive with cvs installed. - _________________________________________________________________ - -What are the different Samba branches available in CVS ? - - You can find out more about obtaining Samba's via anonymous CVS from - http://pserver.samba.org/samba/cvs.html". - - There are basically four branches to watch at the moment : - - HEAD - Samba 3.0 ? This code boasts all the main development work in - Samba. Two things that most people are not aware of which live - in the HEAD branch code are winbind NSS module and Tim Potter's - VFS implementation. Due to its developmental nature, its not - really suitable for production work. - - SAMBA_2_0 - This branch contains the current stable release release. At the - moment it contains 2.0.7, a version that will do some limited - PDC stuff. If you are really going to do PDC things then I - (drb) suggest that you consider 2.2 instead. - - SAMBA_2_2 - The next stable release, currently in a 'alpha' form. It - provides the Samba developers, testers and interested people - with an approximation of what is to come. This document - addresses only SAMBA_2_2. - - SAMBA_TNG - This branch is no longer maintained from the Samba sites. - Please see http://www.samba-tng.org/. It has been requested - that questions about TNG are not posted to the regular Samba - mailing lists including samba-ntdom and samba-technical. - _________________________________________________________________ - -What are the CVS commands ? - - See http://pserver.samba.org/samba/cvs.html - - To get the Samba 2.2 version, tag SAMBA_2_2 you would do : - * For example : cd /usr/local/src/ - * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login - * When prompted enter a password of cvs - * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot co -r SAMBA_2_2 - samba - - Then to update that directory at some later time, - * cd /usr/local/src/samba - * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login - * When prompted enter a password of 'cvs'. - * cvs update -d -P - _________________________________________________________________ - -Chapter 3. Establishing Connections - -How do I get my NT4 or W2000 Workstation to login to the Samba controlled -Domain? - - There is a comprehensive Samba PDC HowTo accessable from the samba web - site under 'Documentation'. Its currently located at - http://bioserve.latrobe.edu.au/samba. Read it. - _________________________________________________________________ - -What is a 'machine account' ? - - Every NT, W2K or Samba machine that joins a Samba controlled domain - must be known to the Samba PDC. There are two entries required, one in - (typically) /etc/passwd and the other in (typically) - /usr/local/samba/private/smbpasswd. Under some circumstances these - entries are made manually, the HowTo discusses ways of creating them - automatically. - _________________________________________________________________ - -"The machine account for this computer either does not exist or is not -accessable." - - When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessable". Whats - wrong ? - - This problem is caused by the PDC not having a suitable machine - account. If you are using the add user script = method to create - accounts then this would indicate that it has not worked. Ensure the - domain admin user system is working. - - Alternatively if you are creating account entries manually then they - have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. If - you added the account using an editor rather than using the smbpasswd - utility, make sure that the account name is the machine netbios name - with a '$' appended to it ( ie. computer_name$ ). There must be an - entry in both /etc/passwd and the smbpasswd file. Some people have - reported that inconsistent subnet masks between the Samba server and - the NT client have caused this problem. Make sure that these are - consistent for both client and server. - _________________________________________________________________ - -How do I create machine accounts manually ? - - This was the only option until recently, now in version 2.2 better - means are available. You might still need to do it manually for a - couple of reasons. A machine account consists of two entries (assuming - a standard install and /etc/passwd use), one in /etc/passwd and the - other in /usr/local/samba/private/smbpasswd. The /etc/passwd entry - will list the machine name with a $ appended, won't have a passwd, - will have a null shell and no home directory. For example a machine - called 'doppy' would have an /etc/passwd entry like this : - - doppy$:x:505:501:NTMachine:/dev/null:/bin/false - - On a linux system for example, you would typically add it like this : - - adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n doppy$ - - Then you need to add that entry to smbpasswd, assuming you have a - suitable path to the smbpasswd programme, do this : - - smbpasswd -a -m doppy$ - - The entry will be created with a well known password, so any machine - that says its doppy could join the domain as long as it gets in first. - So don't create the accounts any earlier than you need them. - _________________________________________________________________ - -I cannot include a '$' in a machine name. - - A 'machine name' in (typically) /etc/passwd consists of the machine - name with a '$' appended. FreeBSD (and other BSD systems ?) won't - create a user with a '$' in their name. - - The problem is only in the program used to make the entry, once made, - it works perfectly. So create a user without the '$' and use vipw to - edit the entry, adding the '$'. Or create the whole entry with vipw if - you like, make sure you use a unique uid ! - _________________________________________________________________ - -I get told "You already have a connection to the Domain...." when creating a -machine account. - - This happens if you try to create a machine account from the machine - itself and use a user name that does not work (for whatever reason) - and then try another (possibly valid) user name. Exit out of the - network applet to close the initial connection and try again. - - Further, if the machine is a already a 'member of a workgroup' that is - the same name as the domain you are joining (bad idea) you will get - this message. Change the workgroup name to something else, it does not - matter what, reboot, and try again. - _________________________________________________________________ - -I get told "Cannot join domain, the credentials supplied conflict with an -existing set.." - - This is the same basic problem as mentioned above, "You already have a - connection..." - _________________________________________________________________ - -"The system can not log you on (C000019B)...." - - I joined the domain successfully but after upgrading to a newer - version of the Samba code I get the message, "The system can not log - you on (C000019B), Please try a gain or consult your system - administrator" when attempting to logon. - - This occurs when the domain SID stored in private/WORKGROUP.SID is - changed. For example, you remove the file and smbd automatically - creates a new one. Or you are swapping back and forth between versions - 2.0.7, TNG and the HEAD branch code (not recommended). The only way to - correct the problem is to restore the original domain SID or remove - the domain client from the domain and rejoin. - _________________________________________________________________ - -Chapter 4. User Account Management - -Domain Admins - -How do I configure an account as a domain administrator? - - See the NTDom HowTo. - _________________________________________________________________ - -Profiles - -Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ? - - Sometimes Windows clients will maintain a connection to the \\homes\ ( - or [%U] ) share even after the user has logged out. Consider the - following scenario. - - * user1 logs into the Windows NT machine. Therefore the [homes] - share is set to \\server\user1. - * user1 works for a while and then logs out. - * user2 logs into the same Windows NT machine. - - However, since the NT box has maintained a connection to [homes] which - was previously set to \\server\user1, when the operating system - attempts to get the profile and if it can read users1's profile, will - get it otherwise it will return an error. You get the picture. - - A better solution is to use a separate [profiles] share and set the - "logon path = \\%N\profiles\%U" - - Note: Is this still a problem ???? - _________________________________________________________________ - -Why are all the users listed in the "domain admin users" using the same -profile? - - You are using a very very old development version of Samba. Upgrade. - _________________________________________________________________ - -The roaming profiles do not seem to be updating on the server. - - There can be several reasons for this. - - Make sure that the time on the client and the PDC are synchronized. - You can accomplish this by executing a net time \\server /set /yes - replacing server with the name of your PDC (or another synchronized - SMB server). See about Setting Time - - Make sure that the logon path is writeable by the user and make sure - that the connection to the logon path location is by the current user. - Sometimes Windows client do not drop the connection immediately upon - logoff. - - Some people have reported that the logon path location should also be - browseable. I (GC) have yet to emperically verify this, but you can - try. - _________________________________________________________________ - -Policies - -What are 'Policies' ?. - - When a user logs onto the domain via a client machine, the PDC sends - the client machine a list of things contained in the 'policy' (if it - exists). This list may do things like suppress a splach screen, format - the dates the way you like them or perhaps remove locally stored - profiles. - - On a samba PDC this list is obtained from a file called ntconfig.pol - and located in the [netlogon]share. The file is created with a policy - editor and must be readable by anyone and writeable by only root. See - below for how to get a suitable editor. - _________________________________________________________________ - -I can't get system policies to work. - - There are two possible reasons for system policies not functioning - correctly. Make sure that you have the following parameters set in - smb.conf - [netlogon] - .... - locking = no - public = no - browseable = yes - .... - - - A policy file must be in the [netlogon] share and must be readable by - everyone and writeable by only root. The file must be created by an - NTServer Policy Editor. - - Last time I (drb) looked in the source, it was looking for - ntconfig.pol first then several other combinations of upper and lower - case. People have reported success using NTconfig.pol, NTconfig.POL - and ntconfig.pol. These are the case settings that I (GC) use with the - filename ntconfig.pol - case sensitive = no - case preserve = yes - default case = yes - - _________________________________________________________________ - -What about Windows NT Policy Editor ? - - To create or edit ntconfig.pol you must use the NT Server Policy - Editor, poledit.exe which is included with NT Server but not NT - Workstation. There is a Policy Editor on a NTws but it is not suitable - for creating Domain Policies. Further, although the Windows 95 Policy - Editor can be installed on an NT Workstation/Server, it will not work - with NT policies because the registry key that are set by the policy - templates. However, the files from the NT Server will run happily - enough on an NTws. You need poledit.exe, common.adm and winnt.adm. It - is convenient to put the two *.adm files in c:\winnt\inf which is - where the binary will look for them unless told otherwise. Note also - that that directory is 'hidden'. - - The Windows NT policy editor is also included with the Service Pack 3 - (and later) for Windows NT 4.0. Extract the files using - servicepackname /x, ie thats Nt4sp6ai.exe /x for service pack 6a. The - policy editor, poledt.exe and the associated template files (*.adm) - should be extracted as well. It is also possible to downloaded the - policy template files for Office97 and get a copy of the policy - editor. Another possible location is with the Zero Administration Kit - available for download from Microsoft. - _________________________________________________________________ - -Can Win95 do Policies ? - - Install the group policy handler for Win9x to pick up group policies. - Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group - policies on a Win9x client by double-clicking grouppol.inf. Log off - and on again a couple of times and see if Win98 picks up group - policies. Unfortunately this needs to be done on every Win9x machine - that uses group policies.... - - If group policies don't work one reports suggests getting the updated - (read: working) grouppol.dll for Windows 9x. The group list is grabbed - from /etc/group. - _________________________________________________________________ - -Passwords - -What is password sync and should I use it ? - - NTws users can change their domain password by pressing Ctrl-Alt-Del - and choosing 'Change Password'. By default however, this does not - change the unix password (typically in /etc/passwd or /etc/shadow). In - lots of situations thats OK, for example : - - * The server is only accessible to the user via samba. - * Pam_smb or similar is installed so other applications still refer - to the samba password. - - But sometimes you really do need to maintain two seperate password - databases and there are good reasons to keep then in sync. Trying to - explain to users that they need to change their passwords in two - seperate places or use two seperate passwords is not fun. - - However do understand that setting up password sync is not without - problems either. The chief difficulty is the interface between Samba - and the passwd command, it can be a fiddle to set up and if the - password the user has entered fails, the resulting errors are - ambiguously reported and the user is confused. Further, you need to - take steps to ensure that users only ever change their passwords via - samba (or use smbpasswd), otherwise they will only be changing the - unix password. - _________________________________________________________________ - -How do I get remote password (unix and SMB) changing working ? - - Have a practice changing a user's password (as root) to see what - discussion takes place and change the text in the 'passwd chat' line - below as necessary. The line as shown works for recent RH Linux but - most other systems seem to like to do something different. The '*' is - a wild card and will match anything (or nothing). - - Add these lines to smb.conf under [Global] - - - unix password sync = true - passwd program = /usr/bin/passwd %u - passwd chat = *password* %n\n *password* %n\n *successful* - - As mentioned above, the change to the unix password happens as root, - not as the user, as is indicated in ~/smbd/chgpasswd.c If you are - using NIS, the Samba server must be running on the NIS master machine. - _________________________________________________________________ - -Chapter 5. Miscellaneous - -What editor can I use in DOS/Windows that won't mess with my unix EOF - - There are a number of Windows or DOS based editors that will - understand, and leave intact, the unix eof (as opposed to a DOS - CL/LF). List members suggested : - - * UltraEdit at www.ultraedit.com - * VI for windows at home.snafu.de/ramo/WinViEn.htm - * The author prefers PFE at www.lancs.ac.uk/people/cpaap/pfe/ but - its no longer being developed... - _________________________________________________________________ - -How do I get 'User Manager' and 'Server Manager' - - Since I don't need to buy an NT Server CD now, how do I get the 'User - Manager for Domains', the 'Server Manager' ? - - Microsoft distributes a version of these tools called nexus for - installation on Windows 95 systems. The tools set includes - * Server Manager - * User Manager for Domains - * Event Viewer - - Click here to download the archived file - ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE - - The Windows NT 4.0 version of the 'User Manager for Domains' and - 'Server Manager' are available from Microsoft via ftp from - ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE - _________________________________________________________________ - -The time setting from a Samba server does not work. - - If it works OK when you log on as Domain Admin then the problem is - that ordinary users don't have permission to change the time. (The - system is running with their permission at logon time.) This is not a - Samba problem, you will have the same problem where ever you connect. - You can give 'everyone' permission to change the time from the User - Manager. - - Anyone know what the registry settings are so this could be done with - a Policy ? - _________________________________________________________________ - -"trust account xxx should be in DOMAIN_GROUP_RID_USERS" - - I keep getting the message "trust account xxx should be in - DOMAIN_GROUP_RID_USERS." in the logs. What do I need to do? - - You are using one of the old development versions. Upgrade. (The - message is unimportant, was a reminder to a developer) - _________________________________________________________________ - -How do I get my samba server to become a member ( not PDC ) of an NT domain? - - In a domain that has a number of servers you only need one password - database. The machines that don't have their own ask the PDC to check - for them. This will work fine for a domain controlled by either a - Samba or NT machine. The following lines in smb.conf are typical, - 'password server' points to the samba machine (or an NT) that has the - password list : - - - [global] - ... - security = domain - workgroup = { Put your domain name here } - password server = { Put the ip of the PDC here } - encrypt passwords = yes - ... - - The samba server in question will have to 'join the domain', that - requires the domain controller to have a machine account for it. This - is no different to the machine account requirements to allow a NTws to - join the domain. For example, if we want a unix box called sleepy to - ask the PDC called grumpy to do its authentication then grumpy will - need an entry in its smbpasswd (assuming it's also samba) that starts - with sleepy$. It would have to be created manually. - - If the domain is controlled by an NTServer then the "Server Manager - for Domains" tool must be used to add 'sleepy' to the domain list. - - In either case we then join the domain. If the domain is called forest - then on sleepy we would join the domain by typing : - - smbpasswd -j forest - - Note that the directory where the smbpasswd file would be located - should exist as this is where smbd will generate the MACHINE.SID file. - This might be /usr/local/samba/private/FOREST.SLEEPY.SID and it - contains the trust account password for the domain member. The - permissions are (and should remain) "rw------- - - Note the Samba Servers without the password list will most likely - still need an account for each user, this means a line in its - /etc/passwd. Because authentication is being handled at the domain - level the /etc/passwd line does not need a password. If the shares - being offered are not user specific, ie a common (read only ?) area or - perhaps just printing then the user's /etc/passwd does not need a home - directory. A typical line in /etc/passwd for a server that allows - domain users to connect to the samba shares but does not offer a home - share ('cos that's on the PDC) and does not allow logon to the unix - prompt would be like this : -jblow:x:542:100:Joe Blow:/dev/null:/bin/false - - * When removing those 'dummy' users, watch the 'remove user' - scripts, some OS think they should remove a users directory even - when its not owned by the user ! - * The username map = parameter might help you to avoid having all - those accounts created. - * You should investigate the smb.conf parameter 'add user script', - it will be used to create accounts on secondary servers when that - account already exists on the PDC. Very nice. Something like : - [Global] - .... - add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bi -n/false %U - .... - _________________________________________________________________ - -Chapter 6. Troubleshooting and Bug Reporting - -Diagnostic tools - -What are some diagnostics tools I can use to debug the domain logon process -and where can I find them? - - One of the best diagnostic tools for debugging problems is Samba - itself. You can use the -d option for both smbd and nmbd to specifiy - what 'debug level' at which to run. See the man pages on smbd, nmbd - and smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to around 100 but a debug level - of about 20 will normally help you find any errors that samba is - encountering. Another helpful method of debugging is to compile samba - using the gcc -g flag. This will include debug information in the - binaries and allow you to attch gdb to the running smbd / nmbd - process. In order to attach gdb to an smbd process for an NT - workstation, first get the workstation to make the connection. - Pressing ctrl-alt-delete and going down to the domain box is - sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. - - Some usefull samba commands worth investigating: - * testparam | more - * smbclient -L //{netbios name of server} - - An SMB enabled version of tcpdump is available from - ftp://samba.org/pub/samba/tcpdump-smb/ - - Capconvert is a small C program for translating output from - tcpdump-smb to CAP format that can be read by netmon. You will need to - use the raw output from tcp dump ( ie. tcpdump -w output.dump ). Good - news! Now you can convert Solaris' snoop output as well. The C source - code for snoop2cap is available for download. - - For tracing things on the Microsoft Windows NT, Network Monitor (aka. - netmon) is available on the Microsoft Developer Network CD's, the - Windows NT Server install CD and the SMS CD's. The version of netmon - that ships with SMS allows for dumping packets between any two - computers (ie. placing the network interface in promiscuous mode). The - version on the NT Server install CD will only allow monitoring of - network traffic directed to the local NT box and broadcasts on the - local subnet. - _________________________________________________________________ - -How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box? - - Installing netmon on an NT workstation requires a couple of steps. The - following are for installing Netmon V4.00.349, which comes with - Microsoft Windows NT Server 4.0, on Microsoft Windows NT Workstation - 4.0. The process should be similar for other version of Windows NT / - Netmon. You will need both the Microsoft Windows NT Server 4.0 Install - CD and the Workstation 4.0 Install CD. - - Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. To do this - - * Goto Start - Settings - Control Panel - Network - Services - Add - * Select the 'Network Monitor Tools and Agent' and click on 'OK'. - * Click 'OK' on the Network Control Panel. - * Insert the Windows NT Server 4.0 install CD when prompted. - - At this point the Netmon files should exist in - %SYSTEMROOT%\System32\netmon\*.*. Two subdirectories exist as well, - parsers\ which contains the necessary DLL's for parsing the netmon - packet dump, and captures\. - - In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - - * Goto Start - Settings - Control Panel - Network - Services - Add - * Select the 'Network Monitor Agent' and click on 'OK'. - * Click 'OK' on the Network Control Panel. - * Insert the Windows NT Workstation 4.0 install CD when prompted. - - Now copy the files from the NT Server in - %SYSTEMROOT%\System32\netmon\*.* to %SYSTEMROOT%\System32\netmon\*.* - on the Workstation and set permissions as you deem appropriate for - your site. You will need administrative rights on the NT box to run - netmon. - - To install Netmon on a Windows 9x box install the network monitor - agent from the Windows 9x CD (\admin\nettools\netmon). There is a - readme file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working Netmon - installation. - _________________________________________________________________ - -What other help can I get ? - - There are many sources of information available in the form of mailing - lists, RFC's and documentation. The docs that come with the samba - distribution contain very good explanations of general SMB topics such - as browsing. - _________________________________________________________________ - -URLs and similar - - * Home of Samba site http://samba.org. We have a mirror near you ! - * The Development document on the Samba mirrors might mention your - problem. If so, it might mean that the developers are working on - it. - * Ignacio Coupeau has a very comprehesive look at LDAP with Samba at - http://www.unav.es/cti/ldap-smb-howto.html Be a little carefull - however, I suspect that it does not specificly address samba - 2.2.x. The HEAD pre-2.1 may possibly be the best stream to look - at. - * Lars Kneschke's site covers Samba-TNG at - http://www.kneschke.de/projekte/samba_tng, but again, a lot of it - does not apply to the main stream Samba. - * See how Scott Merrill simulates a BDC behaviour at - http://www.skippy.net/linux/smb-howto.html. - * Although 2.0.7 has almost had its day as a PDC, I (drb) will keep - the 2.0.7 PDC pages at http://bioserve.latrobe.edu.au/samba going - for a while yet. - * Misc links to CIFS information http://samba.org/cifs/ - * NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/ - * FTP site for older SMB specs: - ftp://ftp.microsoft.com/developr/drg/CIFS/ - - There are a number of documents that no longer appear to live at their - origional home. Any one know where the following may be found ? - * CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt - * CIFS Remote Administration Protocol - draft-leach-cifs-rap-spec-00.txt - * CIFS Logon and Pass Through Authentication - draft-leach-cifs-logon-spec-00.txt - * A Common Internet File System (CIFS/1.0) Protocol - draft-leach-cifs-v1-spec-01.txt - * CIFS Printing Specification draft-leach-cifs-print-spec-00.txt - * RFC1001 (March '87) Protocol standard for a NetBIOS service on a - TCP/UDP transport: Concepts and methods. - http://ds.internic.net/rfc/rfc1001.txt - * RFC1002 (March '87) Protocol standard for a NetBIOS service on a - TCP/UDP transport: Detailed specifications. - http://ds.internic.net/rfc/rfc1002.txt - * Microsoft's main CIFS page: - http://www.microsoft.com/workshop/networking/cifs/ - _________________________________________________________________ - -How do I get help from the mailing lists ? - - There are a number of Samba related mailing lists. Go to - http://samba.org, click on your nearest mirror and then click on - Support and then click on Samba related mailing lists. - - For questions relating to Samba TNG go to http://www.samba-tng.org/ It - has been requested that you don't post questions about Samba-TNG to - the main stream Samba lists. - - If you post a message to one of the lists please observe the following - guide lines : - * Always remember that the developers are volunteers, they are not - paid and they never guarantee to produce a particular feature at a - particular time. Any time lines are 'best guess' and nothing more. - * Always mention what version of samba you are using and what - operating system its running under. You should probably list the - relevant sections of your smb.conf file, at least the options in - [global] that affect PDC support. - * In addition to the version, if you obtained Samba via CVS mention - the date when you last checked it out. - * Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html). - * If you run one of those niffy 'I'm on holidays' things when you - are away, make sure its configured to not answer mailing lists. - * Don't cross post. Work out which is the best list to post to and - see what happens, ie don't post to both samba-ntdom and - samba-technical. Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more - times. Often someone will see a message and thinking it would be - better dealt with on another, will forward it on for you. - * You might include partial log files written at a debug level set - to as much as 20. Please don't send the entire log but enough to - give the context of the error messages. - * (Possibly) If you have a complete netmon trace ( from the opening - of the pipe to the error ) you can send the *.CAP file as well. - * Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. - The samba mailing lists go to a huge number of people, do they all - need a copy of your smb.conf in their attach directory ? - _________________________________________________________________ - -How do I get off the mailing lists ? - - To have your name removed from a samba mailing list, go to the same - place you went to to get on it. Go to http://samba.org, click on your - nearest mirror and then click on Support and then click on Samba - related mailing lists. Or perhaps see here - - Please don't post messages to the list asking to be removed, you will - just be refered to the above address (unless that process failed in - some way...) diff --git a/docs/textdocs/samba-pdc-howto.txt b/docs/textdocs/samba-pdc-howto.txt deleted file mode 100644 index 5ed15cdf4a..0000000000 --- a/docs/textdocs/samba-pdc-howto.txt +++ /dev/null @@ -1,712 +0,0 @@ - -The Samba 2.2 PDC HowTo - -David Bannon - - La Trobe University - _________________________________________________________________ - _________________________________________________________________ - - Comments, corrections and additions to - - This document explains how to setup Samba as a Primary Domain - Controller and applies to version 2.2.0. Before using these functions - make sure you understand what the controller can and cannot do. Please - read the sections below in the Introduction. As 2.2.0 is incrementally - updated this document will change or become out of date very quickly, - make sure you are reading the most current version. - - Please note this document does not apply to Samba2.2alpha0, - Samba2.2alpha1, Samba 2.0.7, TNG nor HEAD branch. - - It does apply to the current (post November 27th) cvs. - - Also available is an updated version of Jerry Carter's NTDom FAQ that - will answer lots of the special 'tuning' questions that are not - covered here. Over the next couple of weeks some of the items here - will be moved to the FAQ. - - Table of Contents - 1. Introduction - - What can we do ? - What can't we do ? - - 2. Installing - - Start Up Script - Config File - - A sample conf file - PDC Config Parameters - - Special directories - - 3. User and Machine Accounts - - Logon Accounts - Machine Accounts - Joining the Domain - User Accounts - Domain Admin Accounts - - 4. Profiles, Policies and Logon Scripts - - Profiles - Policies - Logon Scripts - - 5. Passwords and Authentication - - Syncing Passwords - Using PAM - Authenticating other Samba Servers - - 6. Background - - History - The Future - Getting further help - _________________________________________________________________ - -Chapter 1. Introduction - - This document will show you one way of making Version 2.2.0 of Samba - perform some of the tasks of a NT Primary Domain Controller. The - facilities described are built into Samba as a result of development - work done over a number of years by a large number of people. These - facilities are only just beginning to be officially supported and - although they do appear to work reliably, if you use them then you - take the risks upon your self. This document does not cover the - developmental versions of Samba, particularly Samba-TNG - - Note that Samba 2.0.7 supports significently less of the NT Domain - facilities compared with 2.2.0 - - This document does not replace the text files DOMAIN_CONTROL.txt, - DOMAIN.txt (by John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth - Casson Leighton). Those documents provide more detail and an insight - to the development cycle and should be considered 'further reading'. - _________________________________________________________________ - -What can we do ? - - * Permit 'domain logons' for Win95/98, NT4 and W2K workstations from - one central password database. WRT W2K, please see the section - about adding machine accounts and the Intro in the FAQ. - * Grant Administrator privileges to particular domain users on an NT - or W2K workstation. - * Apply policies from a domain policy file to NT and W2K (?) - workstation. - * Run the appropriate logon script when a user logs on to the domain - . - * Maintain a user's local profile on the server. - * Validate a user using another system via smb (such as smb_pam) and - soon winbind (?). - _________________________________________________________________ - -What can't we do ? - - * Become or work with a Backup Domain Controller (a BDC). - * Participate in any sort of trust relationship (with either Samba - or NT Servers). - * Offer a list of domain users to User Manager for Domains on the - Security Tab etc). - * Be a W2K type of Domain Controller. Samba PDC will behave like an - NT PDC, W2K workstations connect in legacy mode. - _________________________________________________________________ - -Chapter 2. Installing - - Installing consists of the usual download, configure, make and make - install process. These steps are well documented elsewhere. The FAQ - discusses getting pre-release versions via CVS. Then you need to - configure the server. - _________________________________________________________________ - -Start Up Script - - Skip this section if you have a working Samba already. Everyone has - their own favourite startup script. Here is mine, offered with no - warrantee at all ! - - - #!/bin/sh - # Script to control Samba server, David Bannon, 14-6-96 - # - # - PATH=/bin:/usr/sbin:/usr/bin - export PATH - case "$1" in - 'start') - if [ -f /usr/local/samba/bin/smbd ] - then - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - echo "Starting Samba Server" - fi - ;; - 'conf') - if [ -f /usr/local/samba/lib/smb.conf ] - then - vi /usr/local/samba/lib/smb.conf - fi - ;; - 'pw') - if [ -f /usr/local/samba/private/smbpasswd ] - then - vi /usr/local/samba/private/smbpasswd - fi - ;; - 'who') - /usr/local/samba/bin/smbstatus -b - ;; - 'restart') - psline=`/bin/ps x | grep smbd | grep -v grep` - - if [ "$psline" != "" ] - then - while [ "$psline" != "" ] - do - psline=`/bin/ps x | fgrep smbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -HUP $pid - echo "Stopped $pid line = $psline" - sleep 2 - fi - done - fi - echo "Stopped Samba servers" - ;; - 'stop') - psline=`/bin/ps x | grep smbd | grep -v grep` - - if [ "$psline" != "" ] - then - while [ "$psline" != "" ] - do - psline=`/bin/ps x | fgrep smbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -9 $pid - echo "Stopped $pid line = $psline" - sleep 2 - fi - done - fi - echo "Stopped Samba servers" - psline=`/bin/ps x | grep nmbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -9 $pid - echo "Stopped Name Server " - fi - echo "Stopped Name Servers" - ;; - *) - echo "usage: samba {start | restart |stop | conf | pw | who}" - ;; - esac - - - Use this script, or some other one, you will need to ensure its used - while the machine is booting. (This typically involves /etc/rc.d, - we'll be assuming that there is a script called samba in - /etc/rc.d/init.d further down in this document.) - _________________________________________________________________ - -Config File - -A sample conf file - - Here is a fairly minimal config file to do PDC. It will also make the - server become the browse master for the specified domain (not - necessary but usually desirable). You will need to change only two - parameters to make this file work, wins server and workgroup, plus you - will need to put your own name (not mine!) in the domain admin users - fields. Some of the parameters are discussed further down this - document. - - Assuming you have used the default install directories, this file - should appear as /usr/local/samba/lib/smb.conf. It should not be - writable by anyone except root. - - Note: The 'add user script' parameter is a work-around, watch for - changes ! - - - - [global] - security = user - status = yes - workgroup = { Your domain name here } - wins server = { ip of a wins server if you have one } - encrypt passwords = yes - domain logons =yes - logon script = scripts\%U.bat - domain admin group = @adm - add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/n -ull -s /bin/false %m$ - guest account = ftp - share modes=no - os level=65 - [homes] - guest ok = no - read only = no - create mask = 0700 - directory mask = 0700 - oplocks = false - locking = no - [netlogon] - path = /usr/local/samba/netlogon - writeable = no - guest ok = no - - _________________________________________________________________ - -PDC Config Parameters - - There are a huge range of parameters that may appear in a smb.conf - file. Some that may be of interest to a PDC are : - - add user script - This parameter specifies a script (or program) that will be run - to add a user to the system. Here it is being used to add a - machine, not a user. This is probably not very nice and may - change. But it does work ! - - For this example, I have a group called 'machines', entries can - be added to /etc/passwd using a programme called /usr/adduser - and the other parameters are chosen as suitable for a machine - account. Works for RH Linux, your system may require changes. - - domain admin group = @adm - This parameter specifies a unix group whose members will be - granted admin privileges on a NT workstation when logged onto - that workstation. See the section called Domain Admin Accounts. - - domain admin users = user1 users2 - It appears that this parameter does not funtion correctly at - present. Use the 'domain admin group' instread. This parameter - specifies a unix user who will be granted admin privileges on a - NT workstation when logged onto that workstation. See the - section called Domain Admin Accounts. - - encrypt passwords = yes - This parameter must be 'yes' to allow any of the recent service - pack NTs to logon. There are some reg hacks that turn off - encrypted passwords on the NTws itself but if you are going to - use the smbpasswd system (and you should) you must use - encrypted passwords. - - logon script = scripts\%U.bat - This will make samba look for a logon script named after the - user (eg joeblow.bat). See the section further on called Logon - Scripts - - Note: Note that the slash is like this '\', not like this '/'. NT - is happy with both, win95 is not ! - - logon path - Lets you specify where you would like users profiles kept. The - default, that is in the users home directory, does encourage a - bit of fiddling. - _________________________________________________________________ - -Special directories - - You need to create a couple of special files and directories. Its nice - to have some of the binaries handy too, so I create links to them. - Assuming you have used the default samba location and have not changed - the locations mentioned in the sample config file, do the following : - - - mkdir /usr/local/samba/netlogon - mkdir /usr/local/samba/netlogon/scripts - mkdir /usr/local/samba/private - touch /usr/local/samba/private/smbpasswd - chmod go-rwx /usr/local/samba/private/smbpasswd - cd /usr/local/sbin - ln -s /usr/local/samba/bin/smbpasswd - ln -s /usr/local/samba/bin/smbclient - ln -s /etc/rc.d/init.d/samba - - Make sure permissions are appropriate ! - - OK, if you have used the scripts above and have a path to where the - links are do this to start up the Samba Server : - - samba start - - Instead, you might like to reboot the machine to make sure that you - got the init stuff right. Any way, a quick look in the logs - /usr/local/samba/var/log.smbd and /usr/local/samba/var/log/nmbd will - give you an idea of what's happening. Assuming all is well, lets - create some accounts... - _________________________________________________________________ - -Chapter 3. User and Machine Accounts - -Logon Accounts - - This section is very nearly out of date already ! It appears that - while you are reading it, Jean Francois Micou is making it redundant ! - Jean Francois is adding facilities to add users (via User Manager) and - machines (when joining the domain) and it looks like these facilities - will make it into the official release of 2.2. - - Every user and NTws (and other samba servers) that will be on the - domain must have its own passwd entry in both /etc/passwd and - /usr/local/samba/private/smbpasswd . The /etc/passwd entry is really - only to reserve a user ID. The NT encrypted password is stored in - /usr/local/samba/private/smbpasswd. (Note that win95/98 machines don't - need an account as they don't do any security aware things.) - - Samba 2.2 will now create these entries for us. Carefull set up is - required and there may well be some changes to this system before its - released. - _________________________________________________________________ - -Machine Accounts - - Note: There is an entry in the ntdom FAQ explaining how to create - machine entries manually. - - At present to have the machine accounts created when a machine joins - the domain a number of conditions must be met : - - Only root can do it ! - There must be an entry in /usr/local/samba/private/smbpasswd - for root and root must be mentioned in domain admins. This may - be fixed some time in the future so any 'domain admin' can do - it. If you don't like having root as a windows logon account, - make the machine entries manually (both of them). - - Use the add user script - Again, this looks a bit like a 'work around'. Use a suitable - command line to add a machine account see above, and pass it - %m$, that is %m to get machine name plus the '$'. Now, this - means you cannot use the add user script to really add users - .... - - Only for W2K - This automatic creation of machine accounts does not work for - NT4ws at present. Watch this space. - _________________________________________________________________ - -Joining the Domain - - You must have either added the machine account entries manually (NT4 - ws) or set up the automatic system (W2K), see Machine Accounts before - proceeding. - - Windows NT - - + (this step may not be necessary some time in the near - future). On the samba server that is the PDC, add a machine - account manually as per the instructions in the FAQ Then give - the command smbpasswd -a -m {machine} substituting in the - client machine name. - + Logon to the NTws in question as a local admin, go to the - Control Panel, Network IdentificationTag. - + Press the Change button. - + Enter the Domain name (from the 'Workgroup' parameter, - smb.conf) in the Domain Field. - + Press OK and after a few seconds you will get a 'Welcome to - Whatever Domain'. Allow to reboot. - - Windows 2000 - - + Logon to the W2k machine as Administrator, go to the Control - Panel and double click on Network and Dialup Connections. - + Pull down the Advanced menu and choose Network - Identification. Press Properties . - + Choose Domain and enter the domain name. Press 'OK'. - + Now enter a user name and password for a Domain Admin (Who - must be root until a pre-release bug is fixed) and press - 'OK'. - + Wait for the confirmation, reboot when prompted. - - To remove a W2K machine from the domain, follow the first two - steps then choose Workgroup, enter a work group name (or just - WORKGROUP) and follow the prompts. - _________________________________________________________________ - -User Accounts - - Again, doing it manually (cos' the auto way is not working - pre-release). In our simple case every domain user should have an - account on the PDC. The account may have a null shell if they are not - allowed to log on to the unix prompt. Again they need an entry in both - the /etc/passwd and /usr/local/samba/private/smbpasswd. Again a - password is not necessary in /etc/passwd but the location of the home - directory is honoured. To make an entry for a user called Joe Blow you - would typically do the following : - - adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow - - smbpasswd -a joeblow - - And you will prompted to enter a password for Joe. Ideally he will be - hovering over your shoulder and will, when asked, type in a password - of his choice. There are a number of scripts and systems to ease the - migration of users from somewhere to samba. Better start looking ! - _________________________________________________________________ - -Domain Admin Accounts - - Certain operations demand that the logged on user has Administrator - privileges, typically installing software and doing maintenance tasks. - It is very simple to appoint some users as Domain Admins, most likely - yourself. Make sure you trust the appointee ! - - Samba 2.2 recognizes particular users as being domain admins and tells - the NTws when it thinks that it has got one logged on. In the smb.conf - file we declare that the Domain Admin group = @adm. Any user who is a - menber of the unix group 'adm' is treated as a Domain Admin by a NTws - when logged onto the Domain. They will have full Administrator rights - including the rights to change permissions on files and run the system - utilities such as Disk Administrator. Add users to the group by - editing /etc/group/. You do not need to use the 'adm' group, choose - any one you like. - - Further, and this is very new, they will be allowed to create a new - machine account when first connecting a new NT or W2K machine to the - domain. However, at present, ie pre-release, only a Domain Admin who - also happens to be root can do so. - _________________________________________________________________ - -Chapter 4. Profiles, Policies and Logon Scripts - -Profiles - - NT Profiles should work if you have followed the setup so far. A - user's profile contains a whole lot of their personal settings, the - contents of their desktop, personal 'My Documents' and so on. When - they log off, all of the profile is copied to their directory on the - server and is downloaded again when they logon on again, possibly on - another client machine. - - Sounds great but can be a bit of a bug bear sometimes. Users let their - profiles get too big and then complain about how long it takes to log - on each time. This sample setup only supports NT profiles, rumor has - it that it is also possible to do the same on Win95, my users don't - know and I'm not telling them. - - Note: There is more info about Profiles (including for W95/98) in - the FAQ. - _________________________________________________________________ - -Policies - - Policies are an easy way to make or enforce specific characteristics - across your network. You create a ntconfig.pol file and every time - someone logs on with their NTws, the settings you put in ntconfig.pol - are applied to the NTws. Typical setting are things like making the - date appear the way you want it (none of these 2 figure years here) or - maybe suppressing one of the splash screens. Perhaps you want to set - the NTws so it does not keep users profiles on the local machine. - Cool. The only problem is making the ntconfig.pol file itself. You - cannot use the policy editor that comes with NTws. - - Note: See the FAQ for pointers on how to get a suitable Policy - Editor. - - The Policy Editor (and associated files) will create a ntconfig.pol - file using the parameters Microsoft thought of and parameters you - specify by making your own template file. - - In our example configuration here, Samba will expect to find the - ntconfig.pol file in /usr/local/samba/netlogon. Needless to say (I - hope !), it is vitally important that ordinary users don't have write - permission to the Policy files. - _________________________________________________________________ - -Logon Scripts - - In the sample config file above there is a line logon script = - scripts\%U.bat - - Note: Note that the slash is like this '\' not like this '/'. NT is - happy with both, win95 is not ! - - This allows you to run a dos batch file every time someone logs on. - The batch file is located on the server, in the sample install - mentioned here, its in /usr/local/samba/netlogon/scripts and is named - after the user with .bat appended, eg Joe Blow's script is called - /usr/local/samba/netlogon/scripts/joeblow.bat. - - Note: There is a suggestion that user names longer than 8 - characters may cause problems with some systems being unable to run - logon scripts. This is confirmed in earlier versions when - connecting using W95, comments about other combinations ?? - - You could use a line like this logon script = default.bat and samba - will supply /usr/local/samba/netlogon/default.bat for any client and - every user. Maybe you could use %m and get a client machine dependant - logon script. You get the idea... - - Note that the file is a dos batch file not a Unix script. It runs dos - commands on the client computer with the logon user's permissions. It - must be a dos file with each line ending with the dos cr/lf not a nice - clean newline. Generally, its best to create the initial file on a DOS - system and copy it across. - - There is lots of very clever uses of the Samba replaceable variables - such ( %U = user, %G = primary group, %H = client machine, see the - 'man 5 smb.conf') to give you control over which script runs when a - particular person logs on. (Gee, it would be nice to have a - default.bat run when nothing else is available.) - - Again, it is vitally important that ordinary users don't have write - permission to other peoples, or even probably their own, logon script - files. - - A typical logon script is reproduced below. Note that it runs separate - commands for win95 and NT, that's because NT has slightly different - behaviour when using the net use .. command. Its useful for lots of - other situations too. I don't know what syntax to use for win98, I - don't use it here. - - - rem Default logon script, create links to this file. - - net time \\bioserve /set /yes - @echo off - if %OS%.==Windows_NT. goto WinNT - - :Win95 - net use k: \\trillion\bio_prog - net use p: \\bcfile\homes - goto end - :WinNT - net use k: \\trillion\bio_prog /persistent:no - net use p: \\bcfile\homes /persistent:no - - :end - _________________________________________________________________ - -Chapter 5. Passwords and Authentication - - So far our configuration assumes that ordinary users don't have unix - logon access. A change to the adduser line above would allow unix - logon but it would be with passwords that may be different from the NT - logon. Clearly that won't suit everyone. Trying to explain to users - that they need to change their passwords in two seperate places is not - fun. Further, even if they cannot do a unix logon there are other - processes that might require authentication. We have a nice securely - encrypted password in /usr/local/samba/private/smbpasswd, why not use - it ? - _________________________________________________________________ - -Syncing Passwords - - Yes, its possible and seems the easiest way (initially anyway). The - FAQ details how to do so in the sections What is password sync and - should I use it ? and How do I get remote password (unix and SMB) - changing working ? - _________________________________________________________________ - -Using PAM - - Pam enabled systems have a much better solution available. The Samba - PDC server will offer to authenticate domain users to other processes - (either on this server or on the domain). With a suitable pam stack - such as Pam_smb you can get any pam aware application looking to the - samba password and can leave the password field in /etc/shadow or - /etc/passwd invalid. - _________________________________________________________________ - -Authenticating other Samba Servers - - In a domain that has a number of servers you only need one password - database. The machines that don't have their own ask the PDC to check - for them. This will work fine for a domain controlled by either a - Samba or NT machine. - - To do so the Samba machine must be told to refer to the PDC and where - the PDC is. See the section in the NTDom FAQ called How do I get my - samba server to become a member ( not PDC ) of an NT domain? - _________________________________________________________________ - -Chapter 6. Background - -History - - It might help you understand the limitations of the PDC in Samba if - you read something of its history. Well, the history as I understand - it anyway. - - For many years the Samba team have been developing Samba, some time - ago a number of people, possibly lead by Luke Leighton started - contributing NT PDC stuff. This was added to the 'head' stream (that - would eventually become the next version) and later to a seperate - stream (NTDom). They did so much that eventually this development - stream was so mutated that it could not be merged back into the main - stream and was abandoned towards the end of 1999. And that was very - sad because many users, myself include had become heavily dependant on - the NTController facilities it offered. Oh well... - - The NTDom team continued on with their new found knowledge however and - built the TNG stream. Intended to be carefully controlled so that it - can be merged back into the main stream and benefiting from what they - learnt, it is a very different product to the origional NTDom product. - However, for a number of reasons, the merge did not take place and now - TNG is being developed at http://www.samba-tng.org. - - Now, the NTDom things that the main strean 2.0.x version does is based - more on the old (initial version) abandoned code than on the TNG - ideas. It appears that version 2.2.0 will also include an improved - version of the 2.0.7 domain controller charactistics, not the TNG - ways. The developers have indicated that 2.2.0 will be further - developed incrementally and the ideas from TNG incorporated into it. - - One more little wriggle is worth mentioning. At one stage the NTDom - stream was called Samba 2.1.0-prealpha and similar names. This is most - unfortunate because at least one book published advises people who - want to use NTDom Samba to get version 2.1.0 or later. As main stream - Samba will soon be called 2.2.0 and NOT officially supporting NTDom - Controlling functions, the potential for confusion is certainly there. - _________________________________________________________________ - -The Future - - There is a document on the Samba mirrors called 'Development' . It - offers the 'best guess' of what is planned for future releases of - Samba. - - The future of Samba as a Primary Domain Controller appears rosie, - however be aware that its the future, not the present. The developers - are strongly committed to building a full featured PDC into Samba but - it will take time. If this version does not meet your requirements - then you should consider (in no particular order) : - - * Wait. No, we don't know how long. Repeated asking won't help. - * Investigate the development versions, TNG perhaps or HEAD where - new code is being added all the time. Realise that development - code is often unstable, poorly documented and subject to change. - You will need to use cvs to download development versions. - * Join one of the Samba mailing lists so that you can find out what - is happening on the 'bleeding edge'. - _________________________________________________________________ - -Getting further help - - This document cannot possibly answer all your questions. Please - understand that its very likely that someone has been confrounted by - the same problem that you have. The FAQ discusses a number of possible - paths to take to get further help : - - * Documents on the Samba Sites. - * Other web sites. - * Mailing list. - - There is some discussion about guide lines for using the Mailing Lists - on the accompanying FAQ, please read them before posting. -- cgit