There are sample configuration files in the examples subdirectory in the distribution. I suggest you read them carefully so you can see how the options go together in practice. See the man page for all the options.

The simplest useful configuration file would be something like this:

[global]
	workgroup = MYGROUP

[homes]
	guest ok = no
	read only = no
	

which would allow connections by anyone with an account on the server, using either their login name or "homes" as the service name. (Note that I also set the workgroup that Samba is part of. See BROWSING.txt for details)

Make sure you put the smb.conf file in the same place you specified in theMakefile (the default is to look for it in /usr/local/samba/lib/).

For more information about security settings for the [homes] share please refer to the chapter Securing Samba.

SWAT is a web-based interface that helps you configure samba. SWAT might not be available in the samba package on your platform, but in a separate package. Please read the swat manpage on compiling, installing and configuring swat from source.

To launch SWAT just run your favorite web browser and point it at "http://localhost:901/". Replace localhost with the name of the computer you are running samba on if you are running samba on a different computer than your browser.

Note that you can attach to SWAT from any IP connected machine but connecting from a remote machine leaves your connection open to password sniffing as passwords will be sent in the clear over the wire.

The Primary Domain Controller or PDC plays an important role in the MS Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many expect. The PDC seeds the Domain Control database (a part of the Windows registry) and it plays a key part in synchronisation of the domain authentication database.

New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as the NT4 style SAM (Security Account Manager) database (one of the registry files). The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and valid options include smbpasswd tdbsam ldapsam nisplussam plugin unixsam. The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux system accounts, provided a uid range is defined from which SAM accounts can be created.

The Backup Domain Controller or BDC plays a key role in servicing network authentication requests. The BDC is biased to answer logon requests so that on a network segment that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is automatically demoted to a BDC.

At this time Samba is NOT capable of acting as an ADS Domain Controller.

I'll describe user level security first, as its simpler. In user level security the client will send a "session setup" command directly after the protocol negotiation. This contains a username and password. The server can either accept or reject that username/password combination. Note that at this stage the server has no idea what share the client will eventually try to connect to, so it can't base the "accept/reject" on anything other than:

If the server accepts the username/password then the client expects to be able to mount any share (using a "tree connection") without specifying a password. It expects that all access rights will be as the username/password specified in the "session setup".

It is also possible for a client to send multiple "session setup" requests. When the server responds it gives the client a "uid" to use as an authentication tag for that username/password. The client can maintain multiple authentication contexts in this way (WinDD is an example of an application that does this)

Ok, now for share level security. In share level security the client authenticates itself separately for each share. It will send a password along with each "tree connection" (share mount). It does not explicitly send a username with this operation. The client is expecting a password to be associated with each share, independent of the user. This means that samba has to work out what username the client probably wants to use. It is never explicitly sent the username. Some commercial SMB servers such as NT actually associate passwords directly with shares in share level security, but samba always uses the unix authentication scheme where it is a username/password that is authenticated, not a "share/password".

Many clients send a "session setup" even if the server is in share level security. They normally send a valid username but no password. Samba records this username in a list of "possible usernames". When the client then does a "tree connection" it also adds to this list the name of the share they try to connect to (useful for home directories) and any users listed in the user = smb.conf line. The password is then checked in turn against these "possible usernames". If a match is found then the client is authenticated as that user.

Finally "server level" security. In server level security the samba server reports to the client that it is in user level security. The client then does a "session setup" as described earlier. The samba server takes the username/password that the client sends and attempts to login to the "password server" by sending exactly the same username/password that it got from the client. If that server is in user level security and accepts the password then samba accepts the clients connection. This allows the samba server to use another SMB server as the "password server".

You should also note that at the very start of all this, where the server tells the client what security level it is in, it also tells the client if it supports encryption. If it does then it supplies the client with a random "cryptkey". The client will then send all passwords in encrypted form. You have to compile samba with encryption enabled to support this feature, and you have to maintain a separate smbpasswd file with SMB style encrypted passwords. It is cryptographically impossible to translate from unix style encryption to SMB style encryption, although there are some fairly simple management schemes by which the two could be kept in sync.

"security = server" means that Samba reports to clients that it is running in "user mode" but actually passes off all authentication requests to another "user mode" server. This requires an additional parameter "password server =" that points to the real authentication server. That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support.

	passsword level = integer
	username level = integer

	encrypt passwords = Yes
	security = server
	password server = "NetBIOS_name_of_PDC"

When samba is operating in security = domain mode this means that the Samba server has a domain security trust account (a machine account) and will cause all authentication requests to be passed through to the domain controllers.

	encrypt passwords = Yes
	security = domain
	workgroup = "name of NT domain"
	password server = *

For information about the configuration option please refer to the entire section entitled Samba as an ADS Domain Member.

The first step in manually creating a machine trust account is to manually create the corresponding Unix account in /etc/passwd. This can be done using vipw or other 'add user' command that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server:

root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$

root# passwd -l machine_name$

On *BSD systems, this can be done using the 'chpass' utility:

root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin"

The /etc/passwd entry will list the machine name with a "$" appended, won't have a password, will have a null shell and no home directory. For example a machine named 'doppy' would have an /etc/passwd entry like this:

doppy$:x:505:501:machine_nickname:/dev/null:/bin/false

Above, machine_nickname can be any descriptive name for the client, i.e., BasementComputer. machine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize this as a machine trust account.

Now that the corresponding Unix account has been created, the next step is to create the Samba account for the client containing the well-known initial machine trust account password. This can be done using the smbpasswd(8) command as shown here:

root# smbpasswd -a -m machine_name

where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.

The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain.

Since each Samba machine trust account requires a corresponding Unix account, a method for automatically creating the Unix account is usually supplied; this requires configuration of the add user script option in smb.conf. This method is not required, however; corresponding Unix accounts may also be created manually.

Below is an example for a RedHat 6.2 Linux system.

[global]
   # <...remainder of parameters...>
   add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u 

The procedure for joining a client to the domain varies with the version of Windows.

A 'machine name' in (typically) /etc/passwd of the machine name with a '$' appended. FreeBSD (and other BSD systems?) won't create a user with a '$' in their name.

The problem is only in the program used to make the entry. Once made, it works perfectly. Create a user without the '$' using vipw to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID!

This happens if you try to create a machine trust account from the machine itself and already have a connection (e.g. mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections:

C:\WINNT\> net use * /d

Further, if the machine is already a 'member of a workgroup' that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again.

I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, "The system can not log you on (C000019B), Please try again or consult your system administrator" when attempting to logon.

This occurs when the domain SID stored in the secrets.tdb database is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (netbios name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain SID may be reset using either the net or rpcclient utilities.

The reset or change the domain SID you can use the net command as follows:

	net getlocalsid 'OLDNAME'
	net setlocalsid 'SID'

When I try to join the domain I get the message "The machine account for this computer either does not exist or is not accessible". What's wrong?

This problem is caused by the PDC not having a suitable machine trust account. If you are using the add user script method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working.

Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry correct for the machine trust account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a '$' appended to it ( i.e. computer_name$ ). There must be an entry in both /etc/passwd and the smbpasswd file. Some people have reported that inconsistent subnet masks between the Samba server and the NT client have caused this problem. Make sure that these are consistent for both client and server.

At first be ensure to enable the useraccounts with smbpasswd -e %user%, this is normally done, when you create an account.

The main difference between a PDC and a Windows 9x logon server configuration is that

Therefore, a Samba PDC will also act as a Windows 9x logon server.

A NT workstation in the domain SAMBA that wants a local user to be authenticated has to find the domain controller for SAMBA. It does this by doing a NetBIOS name query for the group name SAMBA#1c. It assumes that each of the machines it gets back from the queries is a domain controller and can answer logon requests. To not open security holes both the workstation and the selected (TODO: How is the DC chosen) domain controller authenticate each other. After that the workstation sends the user's credentials (his name and password) to the domain controller, asking for approval.

Whenever a user wants to change his password, this has to be done on the PDC. To find the PDC, the workstation does a NetBIOS name query for SAMBA#1b, assuming this machine maintains the master copy of the SAM. The workstation contacts the PDC, both mutually authenticate and the password change is done.

Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change is done in the smbpasswd file and has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.

As the smbpasswd file contains plain text password equivalents, it must not be sent unencrypted over the wire. The best way to set up smbpasswd replication from the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport. ssh itself can be set up to accept *only* rsync transfer without requiring the user to type a password.

The simple answer is YES. Samba's pdb_ldap code supports binding to a replica LDAP server, and will also follow referrals and rebind to the master if it ever needs to make a modification to the database. (Normally BDCs are read only, so this will not occur often).

To set up cross subnet browsing on a network containing machines in up to be in a WORKGROUP, not an NT Domain you need to set up one Samba server to be the Domain Master Browser (note that this is *NOT* the same as a Primary Domain Controller, although in an NT Domain the same machine plays both roles). The role of a Domain master browser is to collate the browse lists from local master browsers on all the subnets that have a machine participating in the workgroup. Without one machine configured as a domain master browser each subnet would be an isolated workgroup, unable to see any machines on any other subnet. It is the presense of a domain master browser that makes cross subnet browsing possible for a workgroup.

In an WORKGROUP environment the domain master browser must be a Samba server, and there must only be one domain master browser per workgroup name. To set up a Samba server as a domain master browser, set the following option in the [global] section of the smb.conf file :

	domain master = yes

The domain master browser should also preferrably be the local master browser for its own subnet. In order to achieve this set the following options in the [global] section of the smb.conf file :

	domain master = yes
	local master = yes
	preferred master = yes
	os level = 65

The domain master browser may be the same machine as the WINS server, if you require.

Next, you should ensure that each of the subnets contains a machine that can act as a local master browser for the workgroup. Any MS Windows NT/2K/XP/2003 machine should be able to do this, as will Windows 9x machines (although these tend to get rebooted more often, so it's not such a good idea to use these). To make a Samba server a local master browser set the following options in the [global] section of the smb.conf file :

	domain master = no
	local master = yes
	preferred master = yes
	os level = 65

Do not do this for more than one Samba server on each subnet, or they will war with each other over which is to be the local master browser.

The local master parameter allows Samba to act as a local master browser. The preferred master causes nmbd to force a browser election on startup and the os level parameter sets Samba high enough so that it should win any browser elections.

If you have an NT machine on the subnet that you wish to be the local master browser then you can disable Samba from becoming a local master browser by setting the following options in the [global] section of the smb.conf file :

	domain master = no
	local master = no
	preferred master = no
	os level = 0

If you are adding Samba servers to a Windows NT Domain then you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a Domain name is also the Domain master browser for that name, and many things will break if a Samba server registers the Domain master browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC.

For subnets other than the one containing the Windows NT PDC you may set up Samba servers as local master browsers as described. To make a Samba server a local master browser set the following options in the [global] section of the smb.conf file :

	domain master = no
	local master = yes
	preferred master = yes
	os level = 65

If you wish to have a Samba server fight the election with machines on the same subnet you may set the os level parameter to lower levels. By doing this you can tune the order of machines that will become local master browsers if they are running. For more details on this see the section Forcing samba to be the master browser below.

If you have Windows NT machines that are members of the domain on all subnets, and you are sure they will always be running then you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options in the [global] section of the smb.conf file :

        domain master = no
        local master = no
        preferred master = no
        os level = 0

Who becomes the master browser is determined by an election process using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the election. By default Samba uses a very low precedence and thus loses elections to just about anyone else.

If you want Samba to win elections then just set the os level global option in smb.conf to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!)

A os level of 2 would make it beat WfWg and Win95, but not MS Windows NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.

The maximum os level is 255

If you want samba to force an election on startup, then set the preferred master global option in smb.conf to "yes". Samba will then have a slight advantage over other potential master browsers that are not preferred master browsers. Use this parameter with care, as if you have two hosts (whether they are windows 95 or NT or samba) on the same local subnet both set with preferred master to "yes", then periodically and continually they will force an election in order to become the local master browser.

If you want samba to be a domain master browser, then it is recommended that you also set preferred master to "yes", because samba will not become a domain master browser for the whole of your LAN or WAN if it is not also a local master browser on its own broadcast isolated subnet.

It is possible to configure two samba servers to attempt to become the domain master browser for a domain. The first server that comes up will be the domain master browser. All other samba servers will attempt to become the domain master browser every 5 minutes. They will find that another samba server is already the domain master browser and will fail. This provides automatic redundancy, should the current domain master browser fail.

The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can make samba act as the domain master by setting domain master = yes in smb.conf. By default it will not be a domain master.

Note that you should NOT set Samba to be the domain master for a workgroup that has the same name as an NT Domain.

When samba is the domain master and the master browser it will listen for master announcements (made roughly every twelve minutes) from local master browsers on other subnets and then contact them to synchronise browse lists.

If you want samba to be the domain master then I suggest you also set the os level high enough to make sure it wins elections, and set preferred master to "yes", to get samba to force an election on startup.

Note that all your servers (including samba) and clients should be using a WINS server to resolve NetBIOS names. If your clients are only using broadcasting to resolve NetBIOS names, then two things will occur:

If, however, both samba and your clients are using a WINS server, then:

If your network uses a "0" based broadcast address (for example if it ends in a 0) then you will strike problems. Windows for Workgroups does not seem to support a 0's broadcast and you will probably find that browsing and name lookups won't work.

Samba now supports machines with multiple network interfaces. If you have multiple interfaces then you will need to use the interfaces option in smb.conf to configure them.

The remote announce parameter of smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. The syntax of the remote announce parameter is:

	remote announce = a.b.c.d [e.f.g.h] ...

_or_

	remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...

where:

The remote browse sync parameter of smb.conf is used to announce to another LMB that it must synchronise it's NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is simultaneously the LMB on it's network segment.

The syntax of the remote browse sync parameter is:

remote browse sync = a.b.c.d

where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.

Either a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must add the following option to the smb.conf file on the selected machine : in the [globals] section add the line

	wins support = yes

Versions of Samba prior to 1.9.17 had this parameter default to yes. If you have any older versions of Samba on your network it is strongly suggested you upgrade to a recent version, or at the very least set the parameter to 'no' on all these machines.

Machines with wins support = yes will keep a list of all NetBIOS names registered with them, acting as a DNS for NetBIOS names.

You should set up only ONE wins server. Do NOT set the wins support = yes option on more than one Samba server.

To set up a Windows NT Server as a WINS server you need to set up the WINS service - see your NT documentation for details. Note that Windows NT WINS Servers can replicate to each other, allowing more than one to be set up in a complex subnet environment. As Microsoft refuse to document these replication protocols Samba cannot currently participate in these replications. It is possible in the future that a Samba->Samba WINS replication protocol may be defined, in which case more than one Samba machine could be set up as a WINS server but currently only one Samba server should have the wins support = yes parameter set.

After the WINS server has been configured you must ensure that all machines participating on the network are configured with the address of this WINS server. If your WINS server is a Samba machine, fill in the Samba machine IP address in the "Primary WINS Server" field of the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs in Windows 95 or Windows NT. To tell a Samba server the IP address of the WINS server add the following line to the [global] section of all smb.conf files :

	wins server = <name or IP address>

where <name or IP address> is either the DNS name of the WINS server machine or its IP address.

Note that this line MUST NOT BE SET in the smb.conf file of the Samba server acting as the WINS server itself. If you set both the wins support = yes option and the wins server = <name> option then nmbd will fail to start.

There are two possible scenarios for setting up cross subnet browsing. The first details setting up cross subnet browsing on a network containing Windows 95, Samba and Windows NT machines that are not configured as part of a Windows NT Domain. The second details setting up cross subnet browsing on networks that contain NT Domains.

Samba-3 permits WINS replication through the use of the wrepld utility. This tool is not currently capable of being used as it is still in active development. As soon as this tool becomes moderately functional we will prepare man pages and enhance this section of the documentation to provide usage and technical details.

New to Samba-3 is a tool called winsedit that may be used to add static WINS entries to the WINS database. This tool can be used also to modify entries existing in the WINS database.

The development of the winsedit tool was made necessary due to the migration of the older style wins.dat file into a new tdb binary backend data store.

A very common cause of browsing problems results from installing more than one protocol on an MS Windows machine.

Every NetBIOS machine takes part in a process of electing the LMB (and DMB) every 15 minutes. A set of election criteria is used to determine the order of precidence for winning this election process. A machine running Samba or Windows NT will be biased so that the most suitable machine will predictably win and thus retain it's role.

The election process is "fought out" so to speak over every NetBIOS network interface. In the case of a Windows 9x machine that has both TCP/IP and IPX installed and has NetBIOS enabled over both protocols the election will be decided over both protocols. As often happens, if the Windows 9x machine is the only one with both protocols then the LMB may be won on the NetBIOS interface over the IPX protocol. Samba will then lose the LMB role as Windows 9x will insist it knows who the LMB is. Samba will then cease to function as an LMB and thus browse list operation on all TCP/IP only machines will fail.

Windows 95, 98, 98se, Me are referred to generically as Windows 9x. The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly referred to as the WinNT family, but it should be recognised that 2000 and XP/2003 introduce new protocol extensions that cause them to behave differently from MS Windows NT4. Generally, where a server does NOT support the newer or extended protocol, these will fall back to the NT4 protocols.

The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!

Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information are:

Alternative means of name resolution includes:

Many sites want to restrict DNS lookups and want to avoid broadcast name resolution traffic. The "name resolve order" parameter is of great help here. The syntax of the "name resolve order" parameter is:

name resolve order = wins lmhosts bcast host

_or_

name resolve order = wins lmhosts  	(eliminates bcast and host)

The default is:

name  resolve order = host lmhost wins bcast

where "host" refers the the native methods used by the Unix system to implement the gethostbyname() function call. This is normally controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf.

Samba facilitates browsing. The browsing is supported by nmbd and is also controlled by options in the smb.conf file. Samba can act as a local browse master for a workgroup and the ability to support domain logons and scripts is now available.

Samba can also act as a domain master browser for a workgroup. This means that it will collate lists from local browse masters into a wide area network server list. In order for browse clients to resolve the names they may find in this list, it is recommended that both samba and your clients use a WINS server.

Note that you should NOT set Samba to be the domain master for a workgroup that has the same name as an NT Domain: on each wide area network, you must only ever have one domain master browser per workgroup, regardless of whether it is NT, Samba or any other type of domain master that is providing this service.

To get browsing to work you need to run nmbd as usual, but will need to use the workgroup option in smb.conf to control what workgroup Samba becomes a part of.

Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for example. See remote announce in the smb.conf man page.

If something doesn't work then hopefully the log.nmb file will help you track down the problem. Try a debug level of 2 or 3 for finding problems. Also note that the current browse list usually gets stored in text form in a file called browse.dat.

Note that if it doesn't work for you, then you should still be able to type the server name as \\SERVER in filemanager then hit enter and filemanager should display the list of available shares.

Some people find browsing fails because they don't have the global guest account set to a valid account. Remember that the IPC$ connection that lists the shares is done as guest, and thus you must have a valid guest account.

MS Windows 2000 and upwards (as with Samba) can be configured to disallow anonymous (ie: Guest account) access to the IPC$ share. In that case, the MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the name of the currently logged in user to query the IPC$ share. MS Windows 9X clients are not able to do this and thus will NOT be able to browse server resources.

The other big problem people have is that their broadcast address, netmask or IP address is wrong (specified with the "interfaces" option in smb.conf)

Since the release of Samba 1.9.17(alpha1) Samba has been updated to enable it to support the replication of browse lists across subnet boundaries. New code and options have been added to achieve this. This section describes how to set this feature up in different settings.

To see browse lists that span TCP/IP subnets (ie. networks separated by routers that don't pass broadcast traffic) you must set up at least one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing NetBIOS name to IP address translation to be done by doing a direct query of the WINS server. This is done via a directed UDP packet on port 137 to the WINS server machine. The reason for a WINS server is that by default, all NetBIOS name to IP address translation is done by broadcasts from the querying machine. This means that machines on one subnet will not be able to resolve the names of machines on another subnet without using a WINS server.

Remember, for browsing across subnets to work correctly, all machines, be they Windows 95, Windows NT, or Samba servers must have the IP address of a WINS server given to them by a DHCP server, or by manual configuration (for Win95 and WinNT, this is in the TCP/IP Properties, under Network settings) for Samba this is in the smb.conf file.

                                   (DMB)
             N1_A      N1_B        N1_C       N1_D        N1_E
              |          |           |          |           |
          -------------------------------------------------------
            |          subnet 1                       |
          +---+                                      +---+
          |R1 | Router 1                  Router 2   |R2 |
          +---+                                      +---+
            |                                          |
            |  subnet 2              subnet 3          |
  --------------------------       ------------------------------------
  |     |     |      |               |        |         |           |
 N2_A  N2_B  N2_C   N2_D           N3_A     N3_B      N3_C        N3_D 
                    (WINS)

Subnet           Browse Master   List
------           -------------   ----
Subnet1          N1_C            N1_A, N1_B, N1_C, N1_D, N1_E

Subnet2          N2_B            N2_A, N2_B, N2_C, N2_D

Subnet3          N3_D            N3_A, N3_B, N3_C, N3_D

Subnet           Browse Master   List
------           -------------   ----
Subnet1          N1_C            N1_A, N1_B, N1_C, N1_D, N1_E, 
                                 N2_A(*), N2_B(*), N2_C(*), N2_D(*)

Subnet2          N2_B            N2_A, N2_B, N2_C, N2_D
                                 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)

Subnet3          N3_D            N3_A, N3_B, N3_C, N3_D

Servers with a (*) after them are non-authoritative names.

Subnet           Browse Master   List
------           -------------   ----
Subnet1          N1_C            N1_A, N1_B, N1_C, N1_D, N1_E, 
                                 N2_A(*), N2_B(*), N2_C(*), N2_D(*),
                                 N3_A(*), N3_B(*), N3_C(*), N3_D(*)

Subnet2          N2_B            N2_A, N2_B, N2_C, N2_D
                                 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)

Subnet3          N3_D            N3_A, N3_B, N3_C, N3_D
                                 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
                                 N2_A(*), N2_B(*), N2_C(*), N2_D(*)

Servers with a (*) after them are non-authoritative names.

Subnet           Browse Master   List
------           -------------   ----
Subnet1          N1_C            N1_A, N1_B, N1_C, N1_D, N1_E, 
                                 N2_A(*), N2_B(*), N2_C(*), N2_D(*),
                                 N3_A(*), N3_B(*), N3_C(*), N3_D(*)

Subnet2          N2_B            N2_A, N2_B, N2_C, N2_D
                                 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
                                 N3_A(*), N3_B(*), N3_C(*), N3_D(*)

Subnet3          N3_D            N3_A, N3_B, N3_C, N3_D
                                 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
                                 N2_A(*), N2_B(*), N2_C(*), N2_D(*)
	
Servers with a (*) after them are non-authoritative names.

This document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is assumed that the reader already has a basic understanding of LDAP concepts and has a working directory server already installed. For more information on LDAP architectures and Directories, please refer to the following sites.

Note that O'Reilly Publishing is working on a guide to LDAP for System Administrators which has a planned release date of early summer, 2002.

Two additional Samba resources which may prove to be helpful are

Traditionally, when configuring "encrypt passwords = yes" in Samba's smb.conf file, user account information such as username, LM/NT password hashes, password change times, and account flags have been stored in the smbpasswd(5) file. There are several disadvantages to this approach for sites with very large numbers of users (counted in the thousands).

As a result of these defeciencies, a more robust means of storing user attributes used by smbd was developed. The API which defines access to user accounts is commonly referred to as the samdb interface (previously this was called the passdb API, and is still so named in the CVS trees).

There are a few points to stress about that the ldapsam does not provide. The LDAP support referred to in the this documentation does not include:

The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be obtained from PADL Software (http://www.padl.com/). More information about the configuration of these packages may be found at "LDAP, System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS".

The LDAP samdb code in 2.2.3 (and later) has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with Netscape's Directory Server and client SDK. However, due to lack of testing so far, there are bound to be compile errors and bugs. These should not be hard to fix. If you are so inclined, please be sure to forward all patches to samba-patches@samba.org and jerry@samba.org.

Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in examples/LDAP/samba.schema. The sambaAccount objectclass is given here:

objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY
     DESC 'Samba Account'
     MUST ( uid $ rid )
     MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
            logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
            displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
            description $ userWorkstations $ primaryGroupID $ domain ))

The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to jerry@samba.org

Just as the smbpasswd file is meant to store information which supplements a user's /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a STRUCTURAL objectclass so it can be stored individually in the directory. However, there are several fields (e.g. uid) which overlap with the posixAccount objectclass outlined in RFC2307. This is by design.

In order to store all user account information (UNIX and Samba) in the directory, it is necessary to use the sambaAccount and posixAccount objectclasses in combination. However, smbd will still obtain the user's UNIX account information via the standard C library calls (e.g. getpwnam(), et. al.). This means that the Samba server must also have the LDAP NSS library installed and functioning correctly. This division of information makes it possible to store all Samba account information in LDAP, but still maintain UNIX account information in NIS while the network is transitioning to a full LDAP infrastructure.

As users accounts are managed thru the sambaAccount objectclass, you should modify your existing administration tools to deal with sambaAccount attributes.

Machines accounts are managed with the sambaAccount objectclass, just like users accounts. However, it's up to you to store thoses accounts in a different tree of you LDAP namespace: you should use "ou=Groups,dc=plainjoe,dc=org" to store groups and "ou=People,dc=plainjoe,dc=org" to store users. Just configure your NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration file).

In Samba release 3.0, the group management system is based on posix groups. This means that Samba makes usage of the posixGroup objectclass. For now, there is no NT-like group system management (global and local groups).

There are two important points to remember when discussing the security of sambaAccount entries in the directory.

These password hashes are clear text equivalents and can be used to impersonate the user without deriving the original clear text strings. For more information on the details of LM/NT password hashes, refer to the User Database of the Samba-HOWTO-Collection.

To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults to require an encrypted session (ldap ssl = on) using the default port of 636 when contacting the directory server. When using an OpenLDAP 2.0 server, it is possible to use the use the StartTLS LDAP extended operation in the place of LDAPS. In either case, you are strongly discouraged to disable this security (ldap ssl = off).

Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS extended operation. However, the OpenLDAP library still provides support for the older method of securing communication between clients and servers.

The second security precaution is to prevent non-administrative users from harvesting password hashes from the directory. This can be done using the following ACL in slapd.conf:

## allow the "ldap admin dn" access, but deny everyone else
access to attrs=lmPassword,ntPassword
     by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
     by * none

The sambaAccount objectclass is composed of the following attributes:

The majority of these parameters are only used when Samba is acting as a PDC of a domain (refer to the Samba-PDC-HOWTO for details on how to configure Samba as a Primary Domain Controller). The following four attributes are only stored with the sambaAccount entry if the values are non-default values:

These attributes are only stored with the sambaAccount entry if the values are non-default values. For example, assume TASHTEGO has now been configured as a PDC and that logon home = \\%L\%u was defined in its smb.conf file. When a user named "becky" logons to the domain, the logon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value of the logon home parameter is used in its place. Samba will only write the attribute value to the directory entry if the value is something other than the default (e.g. \\MOBY\becky).

The following is a working LDIF with the inclusion of the posixAccount objectclass:

dn: uid=guest2, ou=people,dc=plainjoe,dc=org
ntPassword: 878D8014606CDA29677A44EFA1353FC7
pwdMustChange: 2147483647
primaryGroupID: 1201
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
pwdLastSet: 1010179124
logonTime: 0
objectClass: sambaAccount
uid: guest2
kickoffTime: 2147483647
acctFlags: [UX         ]
logoffTime: 2147483647
rid: 19006
pwdCanChange: 0

The following is an LDIF entry for using both the sambaAccount and posixAccount objectclasses:

dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
logonTime: 0
displayName: Gerald Carter
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
primaryGroupID: 1201
objectClass: posixAccount
objectClass: sambaAccount
acctFlags: [UX         ]
userPassword: {crypt}BpM2ej8Rkzogo
uid: gcarter
uidNumber: 9000
cn: Gerald Carter
loginShell: /bin/bash
logoffTime: 2147483647
gidNumber: 100
kickoffTime: 2147483647
pwdLastSet: 1010179230
rid: 19000
homeDirectory: /home/tashtego/gcarter
pwdCanChange: 0
pwdMustChange: 2147483647
ntPassword: 878D8014606CDA29677A44EFA1353FC7

You either can set up your own table and specify the field names to pdb_mysql (see below for the column names) or use the default table. The file examples/pdb/mysql/mysql.dump contains the correct queries to create the required tables. Use the command : mysql -uusername -hhostname -ppassword databasename > /path/to/samba/examples/pdb/mysql/mysql.dump

This plugin lacks some good documentation, but here is some short info:

Add a the following to the passdb backend variable in your smb.conf:

passdb backend = [other-plugins] mysql:identifier [other-plugins]

The identifier can be any string you like, as long as it doesn't collide with the identifiers of other plugins or other instances of pdb_mysql. If you specify multiple pdb_mysql.so entries in 'passdb backend', you also need to use different identifiers!

Additional options can be given thru the smb.conf file in the [global] section.

identifier:mysql host                     - host name, defaults to 'localhost'
identifier:mysql password
identifier:mysql user                     - defaults to 'samba'
identifier:mysql database                 - defaults to 'samba'
identifier:mysql port                     - defaults to 3306
identifier:table                          - Name of the table containing users

Names of the columns in this table(I've added column types those columns should have first):

identifier:logon time column             - int(9)
identifier:logoff time column            - int(9)
identifier:kickoff time column           - int(9)
identifier:pass last set time column     - int(9)
identifier:pass can change time column   - int(9)
identifier:pass must change time column  - int(9)
identifier:username column               - varchar(255) - unix username
identifier:domain column                 - varchar(255) - NT domain user is part of
identifier:nt username column            - varchar(255) - NT username
identifier:fullname column               - varchar(255) - Full name of user
identifier:home dir column               - varchar(255) - Unix homedir path
identifier:dir drive column              - varchar(2)   - Directory drive path (eg: 'H:')
identifier:logon script column           - varchar(255)
					 - Batch file to run on client side when logging on
identifier:profile path column           - varchar(255) - Path of profile
identifier:acct desc column              - varchar(255) - Some ASCII NT user data
identifier:workstations column           - varchar(255)
					 - Workstations user can logon to (or NULL for all)
identifier:unknown string column         - varchar(255) - unknown string
identifier:munged dial column            - varchar(255) - ?
identifier:user sid column               - varchar(255) - NT user SID
identifier:group sid column              - varchar(255) - NT group ID
identifier:lanman pass column            - varchar(255) - encrypted lanman password
identifier:nt pass column                - varchar(255) - encrypted nt passwd
identifier:plain pass column             - varchar(255) - plaintext password
identifier:acct control column           - int(9) - nt user data
identifier:unknown 3 column              - int(9) - unknown
identifier:logon divs column             - int(9) - ?
identifier:hours len column              - int(9) - ?
identifier:unknown 5 column              - int(9) - unknown
identifier:unknown 6 column              - int(9) - unknown

Eventually, you can put a colon (:) after the name of each column, which should specify the column to update when updating the table. You can also specify nothing behind the colon - then the data from the field will not be updated.

I strongly discourage the use of plaintext passwords, however, you can use them:

If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords.

If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.

It is possible to have not all data in the database and making some 'constant'.

For example, you can set 'identifier:fullname column' to : CONCAT(First_name,' ',Sur_name)

Or, set 'identifier:workstations column' to : NULL

See the MySQL documentation for more language constructs.

The standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions triples are mapped by Samba into a three element NT ACL with the 'r', 'w', and 'x' bits mapped into the corresponding NT permissions. The UNIX world permissions are mapped into the global NT group Everyone, followed by the list of permissions allowed for UNIX world. The UNIX owner and group permissions are displayed as an NT user icon and an NT local group icon respectively followed by the list of permissions allowed for the UNIX user and group.

As many UNIX permission sets don't map into common NT names such as "read", "change" or "full control" then usually the permissions will be prefixed by the words "Special Access" in the NT display list.

But what happens if the file has no permissions allowed for a particular UNIX user group or world component ? In order to allow "no permissions" to be seen and modified then Samba overloads the NT "Take Ownership" ACL attribute (which has no meaning in UNIX) and reports a component with no permissions as having the NT "O" bit set. This was chosen of course to make it look like a zero, meaning zero permissions. More details on the decision behind this will be given below.

Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions is the ACL set on the directory itself, this is usually displayed in the first set of parentheses in the normal "RW" NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described above, and is displayed in the same way.

The second set of directory permissions has no real meaning in the UNIX permissions world and represents the "inherited" permissions that any file created within this directory would inherit.

Samba synthesises these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file created by Samba on this share would receive.

In order to support the uploading of printer driver files, you must first configure a file share named [print$]. The name of this share is hard coded in Samba's internals so the name is very important (print$ is the service used by Windows NT print servers to provide support for printer driver download).

You should modify the server's smb.conf file to add the global parameters and to create the following file share (of course, some of the parameter values, such as 'path' are arbitrary and should be replaced with appropriate values for your site):

[global]
    ; members of the ntadmin group should be able
    ; to add drivers and set printer properties
    ; root is implicitly a 'printer admin'
    printer admin = @ntadmin

[print$]
    path = /usr/local/samba/printers
    guest ok = yes
    browseable = yes
    read only = yes
    ; since this share is configured as read only, then we need
    ; a 'write list'.  Check the file system permissions to make
    ; sure this account can copy files to the share.  If this
    ; is setup to a non-root account, then it should also exist
    ; as a 'printer admin'
    write list = @ntadmin,root

The write list is used to allow administrative level user accounts to have write access in order to update files on the share. See the smb.conf(5) man page for more information on configuring file shares.

The requirement for guest ok = yes depends upon how your site is configured. If users will be guaranteed to have an account on the Samba host, then this is a non-issue.

In order for a Windows NT print server to support the downloading of driver files by multiple client architectures, it must create subdirectories within the [print$] service which correspond to each of the supported client architectures. Samba follows this model as well.

Next create the directory tree below the [print$] share for each architecture you wish to support.

[print$]----- |-W32X86 ; "Windows NT x86" |-WIN40 ; "Windows 95/98" |-W32ALPHA ; "Windows NT Alpha_AXP" |-W32MIPS ; "Windows NT R4000" |-W32PPC ; "Windows NT PowerPC"

Once you have created the required [print$] service and associated subdirectories, simply log onto the Samba server using a root (or printer admin) account from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or "My Network Places" and browse for the Samba host. Once you have located the server, navigate to the "Printers..." folder. You should see an initial listing of printers that matches the printer shares defined on your Samba host.

The initial listing of printers in the Samba host's Printers folder will have no real printer driver assigned to them. This defaults to a NULL string to allow the use of the local Add Printer Wizard on NT/2000 clients. Attempting to view the printer properties for a printer which has this default driver assigned will result in the error message:

Device settings cannot be displayed. The driver for the specified printer is not installed, only spooler properties will be displayed. Do you want to install the driver now?

Click "No" in the error dialog and you will be presented with the printer properties window. The way to assign a driver to a printer is to either

If you wish to install printer drivers for client operating systems other than "Windows NT x86", you will need to use the "Sharing" tab of the printer properties dialog.

Assuming you have connected with a root account, you will also be able modify other printer properties such as ACLs and device settings using this dialog box.

A few closing comments for this section, it is possible on a Windows NT print server to have printers listed in the Printers folder which are not shared. Samba does not make this distinction. By definition, the only printers of which Samba is aware are those which are specified as shares in smb.conf.

Another interesting side note is that Windows NT clients do not use the SMB printer share, but rather can print directly to any printer on another Windows NT host using MS-RPC. This of course assumes that the printing client has the necessary privileges on the remote host serving the printer. The default permissions assigned by Windows NT to a printer gives the "Print" permissions to the "Everyone" well-known group.

One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for 100's of printers. Using the Windows NT APW is somewhat awkward to say the list. If more than one printer are using the same driver, the rpcclient's setdriver command can be used to set the driver associated with an installed driver. The following is example of how this could be accomplished:

$ rpcclient pogo -U root%secret -c "enumdrivers"

 
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
 
[Windows NT x86]
Printer Driver Info 1:
     Driver Name: [HP LaserJet 4000 Series PS]
 
Printer Driver Info 1:
     Driver Name: [HP LaserJet 2100 Series PS]
 
Printer Driver Info 1:
     Driver Name: [HP LaserJet 4Si/4SiMX PS]

$ rpcclient pogo -U root%secret -c "enumprinters"

Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
     flags:[0x800000]
     name:[\\POGO\hp-print]
     description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
     comment:[]
				  

$ rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""

Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
Successfully set hp-print to driver HP LaserJet 4000 Series PS.

By default, Samba offers all printer shares defined in smb.conf in the "Printers..." folder. Also existing in this folder is the Windows NT Add Printer Wizard icon. The APW will be show only if

In order to be able to use the APW to successfully add a printer to a Samba server, the add printer command must have a defined value. The program hook must successfully add the printer to the system (i.e. /etc/printcap or appropriate files) and smb.conf if necessary.

When using the APW from a client, if the named printer share does not exist, smbd will execute the add printer command and reparse to the smb.conf to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. Note that the add printer program is executed under the context of the connected user, not necessarily a root account.

There is a complementary delete printer command for removing entries from the "Printers..." folder.

The following is an example add printer command script. It adds the appropriate entries to /etc/printcap.local (change that to what you need) and returns a line of 'Done' which is needed for the whole process to work.

#!/bin/sh

# Script to insert a new printer entry into printcap.local
#
# $1, printer name, used as the descriptive name
# $2, share name, used as the printer name for Linux
# $3, port name
# $4, driver name
# $5, location, used for the device file of the printer
# $6, win9x location

#
# Make sure we use the location that RedHat uses for local printer defs
PRINTCAP=/etc/printcap.local
DATE=`date +%Y%m%d-%H%M%S`
LP=lp
RESTART="service lpd restart"

# Keep a copy
cp $PRINTCAP $PRINTCAP.$DATE
# Add the printer to $PRINTCAP
echo ""				 			>> $PRINTCAP
echo "$2|$1:\\" 					>> $PRINTCAP
echo "  :sd=/var/spool/lpd/$2:\\" 			>> $PRINTCAP
echo "  :mx=0:ml=0:sh:\\" 				>> $PRINTCAP
echo "  :lp=/usr/local/samba/var/print/$5.prn:" 	>> $PRINTCAP

touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1
chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1

mkdir /var/spool/lpd/$2
chmod 700 /var/spool/lpd/$2
chown $LP /var/spool/lpd/$2
#echo $1 >> "/usr/local/samba/var/print/$5.prn"
#echo $2 >> "/usr/local/samba/var/print/$5.prn"
#echo $3 >> "/usr/local/samba/var/print/$5.prn"
#echo $4 >> "/usr/local/samba/var/print/$5.prn"
#echo $5 >> "/usr/local/samba/var/print/$5.prn"
#echo $6 >> "/usr/local/samba/var/print/$5.prn"
$RESTART >> "/usr/local/samba/var/print/$5.prn"
# Not sure if this is needed
touch /usr/local/samba/lib/smb.conf
#
# You need to return a value, but I am not sure what it means.
#
echo "Done"
exit 0

Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the concept of ports associated with a printer. By default, only one printer port, named "Samba Printer Port", exists on a system. Samba does not really a port in order to print, rather it is a requirement of Windows clients.

Note that Samba does not support the concept of "Printer Pooling" internally either. This is when a logical printer is assigned to multiple ports as a form of load balancing or fail over.

If you require that multiple ports be defined for some reason, smb.conf possesses a enumports command which can be used to define an external program that generates a listing of ports on a system.

Imprints is a collection of tools for supporting the goals of

The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt also included with the Samba distribution for more information). In short, an Imprints driver package is a gzipped tarball containing the driver files, related INF files, and a control file needed by the installation client.

The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer entry in the database has an associated URL for the actual downloading of the package. Each package is digitally signed via GnuPG which can be used to verify that package downloaded is actually the one referred in the Imprints database. It is not recommended that this security check be disabled.

More information regarding the Imprints installation client is available in the Imprints-Client-HOWTO.ps file included with the imprints source package.

The Imprints installation client comes in two forms.

The installation client (in both forms) provides a means of querying the Imprints database server for a matching list of known printer model names as well as a means to download and install the drivers on remote Samba and Windows NT print servers.

The basic installation process is in four steps and perl code is wrapped around smbclient and rpcclient.

	
foreach (supported architecture for a given driver)
{
     1.  rpcclient: Get the appropriate upload directory 
         on the remote server
     2.  smbclient: Upload the driver files
     3.  rpcclient: Issues an AddPrinterDriver() MS-RPC
}
	
4.  rpcclient: Issue an AddPrinterEx() MS-RPC to actually
    create the printer

One of the problems encountered when implementing the Imprints tool set was the name space issues between various supported client architectures. For example, Windows NT includes a driver named "Apple LaserWriter II NTX v51.8" and Windows 95 calls its version of this driver "Apple LaserWriter II NTX"

The problem is how to know what client drivers have been uploaded for a printer. As astute reader will remember that the Windows NT Printer Properties dialog only includes space for one printer driver name. A quick look in the Windows NT 4.0 system registry at

HKLM\System\CurrentControlSet\Control\Print\Environment

will reveal that Windows NT always uses the NT driver name. This is ok as Windows NT always requires that at least the Windows NT version of the printer driver is present. However, Samba does not have the requirement internally. Therefore, how can you use the NT driver name if is has not already been installed?

The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and 95/98 printer drivers and that NT driver is installed first.

This is a short description of how to debug printing problems with Samba. This describes how to debug problems with printing from a SMB client to a Samba server, not the other way around. For the reverse see the examples/printing directory.

Ok, so you want to print to a Samba server from your PC. The first thing you need to understand is that Samba does not actually do any printing itself, it just acts as a middleman between your PC client and your Unix printing subsystem. Samba receives the file from the PC then passes the file to a external "print command". What print command you use is up to you.

The whole things is controlled using options in smb.conf. The most relevant options (which you should look up in the smb.conf man page) are:

      [global]
        print command     - send a file to a spooler
        lpq command       - get spool queue status
        lprm command      - remove a job
      [printers]
        path = /var/spool/lpd/samba

The following are nice to know about:

        queuepause command   - stop a printer or print queue
        queueresume command  - start a printer or print queue

Example:

        print command = /usr/bin/lpr -r -P%p %s
        lpq command   = /usr/bin/lpq    -P%p %s
        lprm command  = /usr/bin/lprm   -P%p %j
        queuepause command = /usr/sbin/lpc -P%p stop
        queuepause command = /usr/sbin/lpc -P%p start

Samba should set reasonable defaults for these depending on your system type, but it isn't clairvoyant. It is not uncommon that you have to tweak these for local conditions. The commands should always have fully specified pathnames, as the smdb may not have the correct PATH values.

When you send a job to Samba to be printed, it will make a temporary copy of it in the directory specified in the [printers] section. and it should be periodically cleaned out. The lpr -r option requests that the temporary copy be removed after printing; If printing fails then you might find leftover files in this directory, and it should be periodically cleaned out. Samba used the lpq command to determine the "job number" assigned to your print job by the spooler.

The %>letter< are "macros" that get dynamically replaced with appropriate values when they are used. The %s gets replaced with the name of the spool file that Samba creates and the %p gets replaced with the name of the printer. The %j gets replaced with the "job number" which comes from the lpq output.

One way to debug printing problems is to start by replacing these command with shell scripts that record the arguments and the contents of the print file. A simple example of this kind of things might be:

	print command = /tmp/saveprint %p %s

    #!/bin/saveprint
    # we make sure that we are the right user
    /usr/bin/id -p >/tmp/tmp.print
    # we run the command and save the error messages
    # replace the command with the one appropriate for your system
    /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print

Then you print a file and try removing it. You may find that the print queue needs to be stopped in order to see the queue status and remove the job:

h4: {42} % echo hi >/tmp/hi
h4: {43} % smbclient //localhost/lw4
added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0
Password: 
Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7]
smb: \> print /tmp/hi
putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s)
smb: \> queue
1049     3            hi-17534
smb: \> cancel 1049
Error cancelling job 1049 : code 0
smb: \> cancel 1049
Job 1049 cancelled
smb: \> queue
smb: \> exit

The 'code 0' indicates that the job was removed. The comment by the smbclient is a bit misleading on this. You can observe the command output and then and look at the /tmp/tmp.print file to see what the results are. You can quickly find out if the problem is with your printing system. Often people have problems with their /etc/printcap file or permissions on various print queues.

You can use the 'testprns' program to check to see if the printer name you are using is recognized by Samba. For example, you can use:

    testprns printer /etc/printcap

Samba can get its printcap information from a file or from a program. You can try the following to see the format of the extracted information:

    testprns -a printer /etc/printcap

    testprns -a printer '|/bin/cat printcap'

You may need to set up some printcaps for your Samba system to use. It is strongly recommended that you use the facilities provided by the print spooler to set up queues and printcap information.

Samba requires either a printcap or program to deliver printcap information. This printcap information has the format:

  name|alias1|alias2...:option=value:...

For almost all printing systems, the printer 'name' must be composed only of alphanumeric or underscore '_' characters. Some systems also allow hyphens ('-') as well. An alias is an alternative name for the printer, and an alias with a space in it is used as a 'comment' about the printer. The printcap format optionally uses a \ at the end of lines to extend the printcap to multiple lines.

Here are some examples of printcap files:

Samba reads the printcap information when first started. If you make changes in the printcap information, then you must do the following:

This is the most frustrating part of printing. You may have sent the job, verified that the job was forwarded, set up a wrapper around the command to send the file, but there was no output from the printer.

First, check to make sure that the job REALLY is getting to the right print queue. If you are using a BSD or LPRng print spooler, you can temporarily stop the printing of jobs. Jobs can still be submitted, but they will not be printed. Use:

  lpc -Pprinter stop

Now submit a print job and then use 'lpq -Pprinter' to see if the job is in the print queue. If it is not in the print queue then you will have to find out why it is not being accepted for printing.

Next, you may want to check to see what the format of the job really was. With the assistance of the system administrator you can view the submitted jobs files. You may be surprised to find that these are not in what you would expect to call a printable format. You can use the UNIX 'file' utitily to determine what the job format actually is:

    cd /var/spool/lpd/printer   # spool directory of print jobs
    ls                          # find job files
    file dfA001myhost

You should make sure that your printer supports this format OR that your system administrator has installed a 'print filter' that will convert the file to a format appropriate for your printer.

Once you have the job printing, you can then start worrying about making it print nicely.

The most common problem is extra pages of output: banner pages OR blank pages at the end.

If you are getting banner pages, check and make sure that the printcap option or printer option is configured for no banners. If you have a printcap, this is the :sh (suppress header or banner page) option. You should have the following in your printer.

   printer: ... :sh

If you have this option and are still getting banner pages, there is a strong chance that your printer is generating them for you automatically. You should make sure that banner printing is disabled for the printer. This usually requires using the printer setup software or procedures supplied by the printer manufacturer.

If you get an extra page of output, this could be due to problems with your job format, or if you are generating PostScript jobs, incorrect setting on your printer driver on the MicroSoft client. For example, under Win95 there is a option:

  Printers|Printer Name|(Right Click)Properties|Postscript|Advanced|

that allows you to choose if a Ctrl-D is appended to all jobs. This is a very bad thing to do, as most spooling systems will automatically add a ^D to the end of the job if it is detected as PostScript. The multiple ^D may cause an additional page of output.

This is a problem that is usually caused by either the print spooling system putting information at the start of the print job that makes the printer think the job is a text file, or your printer simply does not support PostScript. You may need to enable 'Automatic Format Detection' on your printer.

Note that you can do some pretty magic things by using your imagination with the "print command" option and some shell scripts. Doing print accounting is easy by passing the %U option to a print command shell script. You could even make the print command detect the type of output and its size and send it to an appropriate printer.

If the above debug tips don't help, then maybe you need to bring in the bug guns, system tracing. See Tracing.txt in this directory.

The cupsaddsmb command copies the needed files for convenient Windows client installations from the previously prepared CUPS data directory to your [print$] share. Additionally, the PPD associated with this printer is copied from /etc/cups/ppd/ to [print$].

root#  cupsaddsmb -U root infotec_IS2027
Password for root required to access localhost via
SAMBA: [type in password 'secret']

To share all printers and drivers, use the -a parameter instead of a printer name.

Probably you want to see what's going on. Use the -v parameter to get a more verbose output:

Probably you want to see what's going on. Use the -v parameter to get a more verbose output:

Note: The following line shave been wrapped so that information is not lost.
 
root#  cupsaddsmb -v -U root infotec_IS2027
    Password for root required to access localhost via SAMBA:
    Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put
       /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put
       /usr/share/cups/drivers/
       ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr
       W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP'
    added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0
    added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0
    added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0
    Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs]
    NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
    putting file /var/spool/cups/tmp/3cd1cc66376c0 as
      \W32X86/infotec_IS2027.PPD (17394.6 kb/s) (average 17395.2 kb/s)
    putting file /usr/share/cups/drivers/ADOBEPS5.DLL as
      \W32X86/ADOBEPS5.DLL (10877.4 kb/s) (average 11343.0 kb/s)
    putting file /usr/share/cups/drivers/ADOBEPSU.DLL as
      \W32X86/ADOBEPSU.DLL (5095.2 kb/s) (average 9260.4 kb/s)
    putting file /usr/share/cups/drivers/ADOBEPSU.HLP as
      \W32X86/ADOBEPSU.HLP (8828.7 kb/s) (average 9247.1 kb/s)

    Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put
      /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put
      /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put
      /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put
      /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put
      /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put
      /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put
      /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
    added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0
    added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0
    added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0
    Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs]
    NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
    putting file /var/spool/cups/tmp/3cd1cc66376c0 as
      \WIN40/infotec_IS2027.PPD (26091.5 kb/s) (average 26092.8 kb/s)
    putting file /usr/share/cups/drivers/ADFONTS.MFM as
      \WIN40/ADFONTS.MFM (11241.6 kb/s) (average 11812.9 kb/s)
    putting file /usr/share/cups/drivers/ADOBEPS4.DRV as
      \WIN40/ADOBEPS4.DRV (16640.6 kb/s) (average 14679.3 kb/s)
    putting file /usr/share/cups/drivers/ADOBEPS4.HLP as
      \WIN40/ADOBEPS4.HLP (11285.6 kb/s) (average 14281.5 kb/s)
    putting file /usr/share/cups/drivers/DEFPRTR2.PPD as
      \WIN40/DEFPRTR2.PPD (823.5 kb/s) (average 12944.0 kb/s)
    putting file /usr/share/cups/drivers/ICONLIB.DLL as
      \WIN40/ICONLIB.DLL (19226.2 kb/s) (average 13169.7 kb/s)
    putting file /usr/share/cups/drivers/PSMON.DLL as
      \WIN40/PSMON.DLL (18666.1 kb/s) (average 13266.7 kb/s)

    Running command: rpcclient localhost -N -U'root%secret'
       -c 'adddriver "Windows NT x86"
       "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:
		ADOBEPSU.HLP:NULL:RAW:NULL"'
    cmd = adddriver "Windows NT x86"
       "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:
       ADOBEPSU.HLP:NULL:RAW:NULL"
    Printer Driver infotec_IS2027 successfully installed.

    Running command: rpcclient localhost -N -U'root%secret'
       -c 'adddriver "Windows 4.0"
       "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:
		ADOBEPS4.HLP:PSMON.DLL:RAW: ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
    cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:
		infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:
		ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"
    Printer Driver infotec_IS2027 successfully installed.

    Running command: rpcclient localhost -N -U'root%secret'
       -c 'setdriver infotec_IS2027 infotec_IS2027'
    cmd = setdriver infotec_IS2027 infotec_IS2027
    Succesfully set infotec_IS2027 to driver infotec_IS2027.

    root# 

If you look closely, you'll discover your root password was transfered unencrypted over the wire, so beware! Also, if you look further her, you'll discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in between. They occur, because the directories WIN40 and W32X86 already existed in the [print$] driver download share (from a previous driver installation). They are harmless here.

Now your printer is prepared for the clients to use. From a client, browse to the CUPS/Samba server, open the "Printers" share, right-click on this printer and select "Install..." or "Connect..." (depending on the Windows version you use). Now their should be a new printer in your client's local "Printers" folder, named (in my case) "infotec_IS2027 on kdebitshop"

NOTE: cupsaddsmb will only reliably work i with CUPS version 1.1.15 or higher and Samba from 2.2.4. If it doesn't work, or if the automatic printer driver download to the clients doesn't succeed, you can still manually install the CUPS printer PPD on top of the Adobe PostScript driver on clients and then point the client's printer queue to the Samba printer share for connection, should you desire to use the CUPS networked PostScript RIP functions.

Always also consult the database on linuxprinting.org for all recommendations about which driver is best used for each printer:

http://www.linuxprinting.org/printer_list.cgi

There select your model and click on "Show". You'll arrive at a page listing all drivers working with your model. There will always be *one* recommended one. Try this one first. In your case ("HP LaserJet 4 Plus"), you'll arrive here:

http://www.linuxprinting.org/show_printer.cgi?recnum=75104

The recommended driver is "ljet4". It has a link to the page for the ljet4 driver too:

http://www.linuxprinting.org/show_driver.cgi?driver=ljet4

On the driver's page, you'll find important and detailed info about how to use that driver within the various available spoolers. You can generate a PPD for CUPS. The PPD contains all the info about how to use your model and the driver; this is, once installed, working transparently for the user -- you'll only need to choose resolution, paper size etc. from the web-based menu or from the print dialog GUI or from the commandline...

On the driver's page, choose to use the "PPD-O-Matic" online PPD generator program. Select your model and click "Generate PPD file". When you safe the appearing ASCII text file, don't use "cut'n'past" (as it could possiblly corrupt line endings and tabs), but use "Save as..." in your browser's menu. Save it at "/some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"

Then install the printer:

    "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \
          -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"

Note, that for all the "Foomatic-PPDs" from Linuxprinting.org, you also need a special "CUPS filter" named "cupsomatic". Get the latest version of "cupsomatic" from:

http://www.linuxprinting.org/cupsomatic

This needs to be copied to /usr/lib/cups/filter/cupsomatic and be made world executable. This filter is needed to read and act upon the specially encoded Foomatic comments, embedded in the printfile, which in turn are used to construct (transparently for you, the user) the complicated ghostscript command line needed for your printer/driver combo.

You can have a look at all the options for the Ghostscript commandline supported by your printer and the ljet4 driver by going to the section "Execution details", selecting your model (Laserjet 4 Plus) and clicking on "Show execution details". This will bring up this web page:

http://www.linuxprinting.org/execution.cgi?driver=ljet4&printer=75104&.submit=Show+execution+details

The ingenious thing is that the database is kept current. If there is a bug fix and an improvement somewhere in the database, you will always get the most current and stable and feature-rich driver by following the steps described above.

The latest and greatest improvement now is support for "custom page sizes" for all those printers which support it.

"cupsomatic" is documented here:

http://www.linuxprinting.org/cups-doc.html

More printing tutorial info may be found here:

http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/

Note, that *all* the Foomatic drivers listed on Linuxprinting.org (now approaching the "all-time high" number of 1.000 for the supported models) are using a special filtering chain involving Ghostscript, as described in this document.

Summary - You need:

In the case of the "hpijs" driver, you need a Ghostscript version, which has "ijs" amongst its supported devices in "gs -h". In the case of "hpijs+foomatic", a valid ghostscript commandline would be reading like this:

       gs -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE -sDEVICE=ijs       \
             -sIjsServer=hpijsPageSize -dDuplex=Duplex Model        \
             -rResolution,PS:MediaPosition=InputSlot -dIjsUseOutputFD \
             -sOutputFile=- -

If you use "ESP Ghostscript" (also under the GPL, provided by Easy Software Products, the makers of CUPS, downloadable from http://www.cups.org/software.html, co-maintained by the developers of linuxprinting.org), you are guaranteed to have in use the most uptodate, bug-fixed, enhanced and stable version of a Free Ghostscript. It contains support for ~300 devices, whereas plain vanilla GNU Ghostscript 7.05 only has ~200.

If you print only one CUPS test page, from the web interface and when you try to print a windows test page, it acts like the job was never sent:

You can try to get a more detailed debugging info by setting "LogLevel debug" in /etc/cups/cupsd.conf, re-start cupsd and investigate /var/log/cups/error_log for the whereabouts of your Windows-originating printjobs:

Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish to put UNIX workstations or servers. Winbind will allow these organizations to deploy UNIX workstations without having to maintain a separate account infrastructure. This greatly simplifies the administrative overhead of deploying UNIX workstations into a NT based organization.

Another interesting way in which we expect Winbind to be used is as a central part of UNIX based appliances. Appliances that provide file and print services to Microsoft based networks will be able to use Winbind to provide seamless integration of the appliance into the domain.

Over the last few years, efforts have been underway by various Samba Team members to decode various aspects of the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network related operations between Windows NT machines including remote management, user authentication and print spooling. Although initially this work was done to aid the implementation of Primary Domain Controller (PDC) functionality in Samba, it has also yielded a body of code which can be used for other purposes.

Winbind uses various MSRPC calls to enumerate domain users and groups and to obtain detailed information about individual users or groups. Other MSRPC calls can be used to authenticate NT domain users and to change user passwords. By directly querying a Windows PDC for user and group information, winbind maps the NT account information onto UNIX user and group names.

Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its 'Native Mode' protocols, rather than the NT4 RPC services. Using LDAP and Kerberos, a domain member running winbind can enumerate users and groups in exactly the same way as a Win2k client would, and in so doing provide a much more efficient and effective winbind implementation.

The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system information such as hostnames, mail aliases and user information to be resolved from different sources. For example, a standalone UNIX workstation may resolve system information from a series of flat files stored on the local filesystem. A networked workstation may first attempt to resolve system information from local files, and then consult a NIS database for user information or a DNS server for hostname information.

The NSS application programming interface allows winbind to present itself as a source of system information when resolving UNIX usernames and groups. Winbind uses this interface, and information obtained from a Windows NT server using MSRPC calls to provide a new source of account enumeration. Using standard UNIX library calls, one can enumerate the users and groups on a UNIX machine running winbind and see all users and groups in a NT domain plus any trusted domain as though they were local users and groups.

The primary control file for NSS is /etc/nsswitch.conf. When a UNIX application makes a request to do a lookup the C library looks in /etc/nsswitch.conf for a line which matches the service type being requested, for example the "passwd" service type is used when user or group names are looked up. This config line species which implementations of that service should be tried and in what order. If the passwd config line is:

passwd: files example

then the C library will first load a module called /lib/libnss_files.so followed by the module /lib/libnss_example.so. The C library will dynamically load each of these modules in turn and call resolver functions within the modules to try to resolve the request. Once the request is resolved the C library returns the result to the application.

This NSS interface provides a very easy way for Winbind to hook into the operating system. All that needs to be done is to put libnss_winbind.so in /lib/ then add "winbind" into /etc/nsswitch.conf at the appropriate place. The C library will then call Winbind to resolve user and group names.

Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization technologies. With a PAM module it is possible to specify different authentication methods for different system applications without having to recompile these applications. PAM is also useful for implementing a particular policy for authorization. For example, a system administrator may only allow console logins from users stored in the local password file but only allow users resolved from a NIS database to log in over the network.

Winbind uses the authentication management and password management PAM interface to integrate Windows NT users into a UNIX system. This allows Windows NT users to log in to a UNIX machine and be authenticated against a suitable Primary Domain Controller. These users can also change their passwords and have this change take effect directly on the Primary Domain Controller.

PAM is configured by providing control files in the directory /etc/pam.d/ for each of the services that require authentication. When an authentication request is made by an application the PAM code in the C library looks up this control file to determine what modules to load to do the authentication check and in what order. This interface makes adding a new authentication service for Winbind very easy, all that needs to be done is that the pam_winbind.so module is copied to /lib/security/ and the PAM control files for relevant services are updated to allow authentication via winbind. See the PAM documentation for more details.

When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is slightly different to UNIX which has a range of numbers that are used to identify users, and the same range in which to identify groups. It is winbind's job to convert RIDs to UNIX id numbers and vice versa. When winbind is configured it is given part of the UNIX user id space and a part of the UNIX group id space in which to store Windows NT users and groups. If a Windows NT user is resolved for the first time, it is allocated the next UNIX id from the range. The same process applies for Windows NT groups. Over time, winbind will have mapped all Windows NT users and groups to UNIX user ids and group ids.

The results of this mapping are stored persistently in an ID mapping database held in a tdb database). This ensures that RIDs are mapped to UNIX IDs in a consistent way.

An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind uses a caching scheme based on the SAM sequence number supplied by NT domain controllers. User or group information returned by a PDC is cached by winbind along with a sequence number also returned by the PDC. This sequence number is incremented by Windows NT whenever any user or group information is modified. If a cached entry has expired, the sequence number is requested from the PDC and compared against the sequence number of the cached entry. If the sequence numbers do not match, then the cached information is discarded and up to date information is requested directly from the PDC.

This HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access and authentication control for Windows Domain users through an NT or Win2K PDC for 'regular' services, such as telnet a nd ftp, as well for SAMBA services.

This HOWTO has been written from a 'RedHat-centric' perspective, so if you are using another distribution, you may have to modify the instructions somewhat to fit the way your distribution works.

If you have a samba configuration file that you are currently using... BACK IT UP! If your system already uses PAM, back up the /etc/pam.d directory contents! If you haven't already made a boot disk, MAKE ONE NOW!

Messing with the pam configuration files can make it nearly impossible to log in to yourmachine. That's why you want to be able to boot back into your machine in single user mode and restore your /etc/pam.d back to the original state they were in if you get frustrated with the way things are going. ;-)

The latest version of SAMBA (version 3.0 as of this writing), now includes a functioning winbindd daemon. Please refer to the main SAMBA web page or, better yet, your closest SAMBA mirror site for instructions on downloading the source code.

To allow Domain users the ability to access SAMBA shares and files, as well as potentially other services provided by your SAMBA machine, PAM (pluggable authentication modules) must be setup properly on your machine. In order to compile the winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that means pam-0.74-22. For best results, it is helpful to also install the development packages in pam-devel-0.74-22.

Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all smbd, nmbd, and winbindd processes that may be running. To use PAM, you will want to make sure that you have the standard PAM package (for RedHat) which supplies the /etc/pam.d directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the /usr/doc and /usr/man entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes the header files needed to compile pam-aware applications. For instance, my RedHat system has both pam-0.74-22 and pam-devel-0.74-22 RPMs installed.

root# autoconf
root# make clean
root# rm config.cache
root# ./configure
root# make
root# make install

	passwd:     files winbind
	shadow:     files 
	group:      files winbind

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

[global]
     <...>
     # separate domain and username with '+', like DOMAIN+username
     winbind separator = +
     # use uids from 10000 to 20000 for domain users
     winbind uid = 10000-20000
     # use gids from 10000 to 20000 for domain groups
     winbind gid = 10000-20000
     # allow enumeration of winbind users and groups
     winbind enum users = yes
     winbind enum groups = yes
     # give winbind users a real shell (only needed if they have telnet access)
     template homedir = /home/winnt/%D/%U
     template shell = /bin/bash

	CEO+Administrator
	CEO+burdell
	CEO+Guest
	CEO+jt-ad
	CEO+krbtgt
	CEO+TsInternetUser

root# /usr/local/samba/bin/wbinfo -g
	CEO+Domain Admins
	CEO+Domain Users
	CEO+Domain Guests
	CEO+Domain Computers
	CEO+Domain Controllers
	CEO+Cert Publishers
	CEO+Schema Admins
	CEO+Enterprise Admins
	CEO+Group Policy Creator Owners

start() {
        KIND="SMB"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
        RETVAL=$?
        echo
        KIND="NMB"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
        RETVAL2=$?
        echo
        KIND="Winbind"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/winbindd
        RETVAL3=$?
        echo
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
		touch /var/lock/subsys/smb || RETVAL=1
        return $RETVAL
}

        daemon /usr/local/samba/bin/winbindd

        daemon /usr/local/samba/bin/winbindd -B

stop() {
        KIND="SMB"
        echo -n $"Shutting down $KIND services: "
        killproc smbd
        RETVAL=$?
        echo
        KIND="NMB"
        echo -n $"Shutting down $KIND services: "
        killproc nmbd
        RETVAL2=$?
        echo
        KIND="Winbind"
        echo -n $"Shutting down $KIND services: "
        killproc winbindd
        RETVAL3=$?
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
		 rm -f /var/lock/subsys/smb
        echo ""
        return $RETVAL
}

	##
	## samba.server
	##

	if [ ! -d /usr/bin ]
	then                    # /usr not mounted
		exit
	fi

	killproc() {            # kill the named process(es)
		pid=`/usr/bin/ps -e |
		     /usr/bin/grep -w $1 |
		     /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
		[ "$pid" != "" ] && kill $pid
	}
	 
	# Start/stop processes required for samba server

	case "$1" in

	'start')
	#
	# Edit these lines to suit your installation (paths, workgroup, host)
	#
	echo Starting SMBD
	   /usr/local/samba/bin/smbd -D -s \
		/usr/local/samba/smb.conf

	echo Starting NMBD
	   /usr/local/samba/bin/nmbd -D -l \
		/usr/local/samba/var/log -s /usr/local/samba/smb.conf

	echo Starting Winbind Daemon
	   /usr/local/samba/bin/winbindd
	   ;;

	'stop')
	   killproc nmbd
	   killproc smbd
	   killproc winbindd
	   ;;

	*)
	   echo "Usage: /etc/init.d/samba.server { start | stop }"
	   ;;
	esac

	/usr/local/samba/bin/winbindd

	/usr/local/samba/bin/winbindd -B

	auth    required        /lib/security/pam_stack.so service=system-auth
	account required        /lib/security/pam_stack.so service=system-auth

	enable = no

	enable = yes

	auth       required     /lib/security/pam_listfile.so item=user sense=deny \
		 file=/etc/ftpusers onerr=succeed
	auth       sufficient   /lib/security/pam_winbind.so
	auth       required     /lib/security/pam_stack.so service=system-auth
	auth       required     /lib/security/pam_shells.so
	account    sufficient   /lib/security/pam_winbind.so
	account    required     /lib/security/pam_stack.so service=system-auth
	session    required     /lib/security/pam_stack.so service=system-auth

	auth       required     /lib/security/pam_securetty.so
	auth       sufficient   /lib/security/pam_winbind.so
	auth       sufficient   /lib/security/pam_unix.so use_first_pass
	auth       required     /lib/security/pam_stack.so service=system-auth
	auth       required     /lib/security/pam_nologin.so
	account    sufficient   /lib/security/pam_winbind.so
	account    required     /lib/security/pam_stack.so service=system-auth
	password   required     /lib/security/pam_stack.so service=system-auth
	session    required     /lib/security/pam_stack.so service=system-auth
	session    optional     /lib/security/pam_console.so

	#
	#ident	"@(#)pam.conf	1.14	99/09/16 SMI"
	#
	# Copyright (c) 1996-1999, Sun Microsystems, Inc.
	# All Rights Reserved.
	#
	# PAM configuration
	#
	# Authentication management
	#
	login   auth required   /usr/lib/security/pam_winbind.so
	login	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass 
	login	auth required 	/usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass 
	#
	rlogin  auth sufficient /usr/lib/security/pam_winbind.so
	rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
	rlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
	#
	dtlogin auth sufficient /usr/lib/security/pam_winbind.so
	dtlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
	#
	rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
	other   auth sufficient /usr/lib/security/pam_winbind.so
	other	auth required	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
	#
	# Account management
	#
	login   account sufficient      /usr/lib/security/pam_winbind.so
	login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
	login	account required	/usr/lib/security/$ISA/pam_unix.so.1 
	#
	dtlogin account sufficient      /usr/lib/security/pam_winbind.so
	dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
	dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1 
	#
	other   account sufficient      /usr/lib/security/pam_winbind.so
	other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
	other	account required	/usr/lib/security/$ISA/pam_unix.so.1 
	#
	# Session management
	#
	other	session required	/usr/lib/security/$ISA/pam_unix.so.1 
	#
	# Password management
	#
	#other   password sufficient     /usr/lib/security/pam_winbind.so
	other	password required	/usr/lib/security/$ISA/pam_unix.so.1 
	dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
	#
	# Support for Kerberos V5 authentication (uncomment to use Kerberos)
	#
	#rlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
	#login	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
	#dtlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
	#other	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
	#dtlogin	account optional /usr/lib/security/$ISA/pam_krb5.so.1
	#other	account optional /usr/lib/security/$ISA/pam_krb5.so.1
	#other	session optional /usr/lib/security/$ISA/pam_krb5.so.1
	#other	password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

The best tool for the task is platform dependant. Choose the best tool for your environmemt.

Printers may be added automatically during logon script processing through the use of:

	rundll32 printui.dll,PrintUIEntry /?

See the documentation in the Microsoft knowledgebase article no: 189105 referred to above.

You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. It can be found on the Original full product Win98 installation CD under tools/reskit/netadmin/poledit. Install this using the Add/Remove Programs facility and then click on the 'Have Disk' tab.

Use the Group Policy Editor to create a policy file that specifies the location of user profiles and/or the My Documents etc. stuff. Then save these settings in a file called Config.POL that needs to be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto the Samba Domain, it will automatically read this file and update the Win9x/Me registry of the machine as it logs on.

Further details are covered in the Win98 Resource Kit documentation.

If you do not take the right steps, then every so often Win9x/Me will check the integrity of the registry and will restore it's settings from the back-up copy of the registry it stores on each Win9x/Me machine. Hence, you will occasionally notice things changing back to the original settings.

Install the group policy handler for Win9x to pick up group policies. Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group policies on a Win9x client by double-clicking grouppol.inf. Log off and on again a couple of times and see if Win98 picks up group policies. Unfortunately this needs to be done on every Win9x/Me machine that uses group policies.

To create or edit ntconfig.pol you must use the NT Server Policy Editor, poledit.exe which is included with NT4 Server but not NT Workstation. There is a Policy Editor on a NT4 Workstation but it is not suitable for creating Domain Policies. Further, although the Windows 95 Policy Editor can be installed on an NT4 Workstation/Server, it will not work with NT clients. However, the files from the NT Server will run happily enough on an NT4 Workstation.

You need poledit.exe, common.adm and winnt.adm. It is convenient to put the two *.adm files in the c:\winnt\inf directory which is where the binary will look for them unless told otherwise. Note also that that directory is normally 'hidden'.

The Windows NT policy editor is also included with the Service Pack 3 (and later) for Windows NT 4.0. Extract the files using servicepackname /x, i.e. that's Nt4sp6ai.exe /x for service pack 6a. The policy editor, poledit.exe and the associated template files (*.adm) should be extracted as well. It is also possible to downloaded the policy template files for Office97 and get a copy of the policy editor. Another possible location is with the Zero Administration Kit available for download from Microsoft.

Windows NT4 System policies allows setting of registry parameters specific to users, groups and computers (client workstations) that are members of the NT4 style domain. Such policy file will work with MS Windows 2000 / XP clients also.

New to MS Windows 2000 Microsoft introduced a new style of group policy that confers a superset of capabilities compared with NT4 style policies. Obviously, the tool used to create them is different, and the mechanism for implementing them is much changed.

The older NT4 style registry based policies are known as Administrative Templates in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security configurations, enforce Internet Explorer browser settings, change and redirect aspects of the users' desktop (including: the location of My Documents files (directory), as well as intrinsics of where menu items will appear in the Start menu). An additional new feature is the ability to make available particular software Windows applications to particular users and/or groups.

Remember: NT4 policy files are named NTConfig.POL and are stored in the root of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password and selects the domain name to which the logon will attempt to take place. During the logon process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating server, modifies the local registry values according to the settings in this file.

Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of a Windows 200x policy file is stored in the Active Directory itself and the other part is stored in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active Directory domain controllers. The part that is stored in the Active Directory itself is called the group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is known as the group policy template (GPT).

With NT4 clients the policy file is read and executed upon only as each user logs onto the network. MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine startup (machine specific part) and when the user logs onto the network the user specific part is applied. In MS Windows 200x style policy management each machine and/or user may be subject to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows the administrator to also set filters over the policy settings. No such equivalent capability exists with NT4 style policy files.

The tools that may be used to configure these types of controls from the MS Windows environment are: The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.

With a Samba Domain Controller, the new tools for managing of user account and policy information includes: smbpasswd, pdbedit, net, rpcclient.. The administrator should read the man pages for these tools and become familiar with their use.

This section documents how to configure Samba for MS Windows client profile support.

	logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath

		logon path = \\%L\Profiles\%u

	logon home = \\%L\%U\.profiles

	logon home = \\%L\%u\.profiles
	logon path = \\%L\profiles\%u

Sharing of desktop profiles between Windows versions is NOT recommended. Desktop profiles are an evolving phenomenon and profiles for later versions of MS Windows clients add features that may interfere with earlier versions of MS Windows clients. Probably the more salient reason to NOT mix profiles is that when logging off an earlier version of MS Windows the older format of profile contents may overwrite information that belongs to the newer version resulting in loss of profile information content when that user logs on again with the newer version of MS Windows.

If you then want to share the same Start Menu / Desktop with W9x/Me, you will need to specify a common location for the profiles. The smb.conf parameters that need to be common are logon path and logon home.

If you have this set up correctly, you will find separate user.DAT and NTuser.DAT files in the same profile directory.

There is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the profile be stored on a samba server, or any other SMB server, as long as that SMB server supports encrypted passwords.

To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System Policy Editor or change the registry directly.

To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, select User Profiles, click on the enable box. Do not forget to save the registry changes.

To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive HKEY_LOCAL_MACHINE\Network\Logon. Now add a DWORD type key with the name "User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.

On MS Windows NT4 the default user profile is obtained from the location %SystemRoot%\Profiles which in a default installation will translate to C:\WinNT\Profiles. Under this directory on a clean install there will be three (3) directories: Administrator, All Users, Default User.

The All Users directory contains menu settings that are common across all system users. The Default User directory contains menu entries that are customisable per user depending on the profile settings chosen/created.

When a new user first logs onto an MS Windows NT4 machine a new profile is created from:

When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain the following steps are followed in respect of profile handling:

MS Windows NT4 profiles may be Local or Roaming. A Local profile will stored in the %SystemRoot%\Profiles\%USERNAME% location. A roaming profile will also remain stored in the same way, unless the following registry key is created:

	HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
	"DeleteRoamingCache"=dword:00000001

In which case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be deleted on logout.

Under MS Windows NT4 default locations for common resources (like My Documents may be redirected to a network share by modifying the following registry keys. These changes may be affected via use of the System Policy Editor (to do so may require that you create your owns template extension for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.

The Registry Hive key that affects the behaviour of folders that are part of the default user profile are controlled by entries on Windows NT4 is:

        HKEY_CURRENT_USER
                \Software
                        \Microsoft
                                \Windows
                                        \CurrentVersion
                                                \Explorer
                                                        \User Shell Folders\

The above hive key contains a list of automatically managed folders. The default entries are:

        Name            Default Value
        --------------  -----------------------------------------
        AppData         %USERPROFILE%\Application Data
        Desktop         %USERPROFILE%\Desktop
        Favorites       %USERPROFILE%\Favorites
        NetHood         %USERPROFILE%\NetHood
        PrintHood       %USERPROFILE%\PrintHood
        Programs        %USERPROFILE%\Start Menu\Programs
        Recent          %USERPROFILE%\Recent
        SendTo          %USERPROFILE%\SendTo
        Start Menu      %USERPROFILE%\Start Menu
        Startup         %USERPROFILE%\Start Menu\Programs\Startup
        

The registry key that contains the location of the default profile settings is:

	HKEY_LOCAL_MACHINE
		\SOFTWARE
			\Microsoft
				\Windows
					\CurrentVersion
						\Explorer
							\User Shell Folders

The default entries are:

	Common Desktop		%SystemRoot%\Profiles\All Users\Desktop
	Common Programs		%SystemRoot%\Profiles\All Users\Programs
	Common Start Menu	%SystemRoot%\Profiles\All Users\Start Menu
	Common Startup		%SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup

When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from C:\Documents and Settings\Default User. The administrator can modify (or change the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client workstation.

When MS Windows 200x/XP participate in a domain security context, and if the default user profile is not found, then the client will search for a default profile in the NETLOGON share of the authenticating server. ie: In MS Windows parlance: %LOGONSERVER%\NETLOGON\Default User and if one exits there it will copy this to the workstation to the C:\Documents and Settings\ under the Windows login name of the user.

If a default profile does not exist in this location then MS Windows 200x/XP will use the local default profile.

On loging out, the users' desktop profile will be stored to the location specified in the registry settings that pertain to the user. If no specific policies have been created, or passed to the client during the login process (as Samba does automatically), then the user's profile will be written to the local machine only under the path C:\Documents and Settings\%USERNAME%.

Those wishing to modify the default behaviour can do so through three methods:

The Registry Hive key that affects the behaviour of folders that are part of the default user profile are controlled by entries on Windows 200x/XP is:

	HKEY_CURRENT_USER
		\Software
			\Microsoft
				\Windows
					\CurrentVersion
						\Explorer
							\User Shell Folders\

The above hive key contains a list of automatically managed folders. The default entries are:

	Name		Default Value
	--------------	-----------------------------------------
	AppData		%USERPROFILE%\Application Data
	Cache		%USERPROFILE%\Local Settings\Temporary Internet Files
	Cookies		%USERPROFILE%\Cookies
	Desktop		%USERPROFILE%\Desktop
	Favorites	%USERPROFILE%\Favorites
	History		%USERPROFILE%\Local Settings\History
	Local AppData	%USERPROFILE%\Local Settings\Application Data
	Local Settings	%USERPROFILE%\Local Settings
	My Pictures	%USERPROFILE%\My Documents\My Pictures
	NetHood		%USERPROFILE%\NetHood
	Personal	%USERPROFILE%\My Documents
	PrintHood	%USERPROFILE%\PrintHood
	Programs	%USERPROFILE%\Start Menu\Programs
	Recent		%USERPROFILE%\Recent
	SendTo		%USERPROFILE%\SendTo
	Start Menu	%USERPROFILE%\Start Menu
	Startup		%USERPROFILE%\Start Menu\Programs\Startup
	Templates	%USERPROFILE%\Templates
	

There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all the others are of type REG_EXPAND_SZ.

It makes a huge difference to the speed of handling roaming user profiles if all the folders are stored on a dedicated location on a network server. This means that it will NOT be necessary to write the Outlook PST file over the network for every login and logout.

To set this to a network location you could use the following examples:

	%LOGONSERVER%\%USERNAME%\Default Folders

This would store the folders in the user's home directory under a directory called "Default Folders" You could also use:

	\\SambaServer\FolderShare\%USERNAME%

in which case the default folders will be stored in the server named SambaServer in the share called FolderShare under a directory that has the name of the MS Windows user as seen by the Linux/Unix file system.

Please note that once you have created a default profile share, you MUST migrate a user's profile (default or custom) to it.

MS Windows 200x/XP profiles may be Local or Roaming. A roaming profile will be cached locally unless the following registry key is created:

	HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
	"DeleteRoamingCache"=dword:00000001

In which case, the local cache copy will be deleted on logout.

For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. To affect a two way trust relationship it is necessary for each domain administrator to make available (for use by an external domain) it's security resources. This is done from the Domain User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and "Remove". The "Add" button will open a panel in which needs to be entered the remote domain that will be able to assign user rights to your domain. In addition it is necessary to enter a password that is specific to this trust relationship. The password needs to be typed twice (for standard confirmation).

A trust relationship will work only when the other (trusting) domain makes the appropriate connections with the trusted domain. To consumate the trust relationship the administrator will launch the Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the "Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in which must be entered the name of the remote domain as well as the password assigned to that trust.

In order to set the Samba PDC to be the trusted party of the relationship first you need to create special account for the domain that will be the trusting party. To do that, you can use the 'smbpasswd' utility. Creating the trusted domain account is very similiar to creating a trusted machine account. Suppose, your domain is called SAMBA, and the remote domain is called RUMBA. The first step will be to issue this command from your favourite shell:

deity# smbpasswd -a -i rumba
	New SMB password: XXXXXXXX
	Retype SMB password: XXXXXXXX
	Added user rumba$

where -a means to add a new account into the passdb database and -i means: ''create this account with the InterDomain trust flag''

The account name will be 'rumba$' (the name of the remote domain)

After issuing this command you'll be asked to enter the password for the account. You can use any password you want, but be aware that Windows NT will not change this password until 7 days following account creation. After the command returns successfully, you can look at the entry for the new account (in the stardard way depending on your configuration) and see that account's name is really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm the trust by establishing it from Windows NT Server.

Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for the trusted domain name and the relationship password. Type in SAMBA, as this is your domain name, and the password used at the time of account creation. Press OK and, if everything went without incident, you will see 'Trusted domain relationship successfully established' message.

This time activities are somewhat reversed. Again, we'll assume that your domain controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.

The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.

Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted domain (SAMBA) and password securing the relationship.

The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you want. After confirming the password your account is ready for use. Now it's Samba's turn.

Using your favourite shell while being logged in as root, issue this command:

deity# net rpc trustdom establish rumba

You will be prompted for the password you just typed on your Windows NT4 Server box. Do not worry if you see an error message that mentions a returned code of NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the password you gave is correct and the NT4 Server says the account is ready for interdomain connection and not for ordinary connection. After that, be patient it can take a while (especially in large networks), you should see the 'Success' message. Congratulations! Your trust relationship has just been established.

There is an option in smb.conf called obey pam restrictions. The following is from the on-line help for this option in SWAT;

When Samba is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

Default: obey pam restrictions = no

pam_smbpass is a PAM module which can be used on conforming systems to keep the smbpasswd (Samba password) database in sync with the unix password file. PAM (Pluggable Authentication Modules) is an API supported under some Unices, such as Solaris, HPUX and Linux, that provides a generic interface to authentication mechanisms.

For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/

This module authenticates a local smbpasswd user database. If you require support for authenticating against a remote SMB server, or if you're concerned about the presence of suid root binaries on your system, it is recommended that you use pam_winbind instead.

Options recognized by this module are as follows:

        debug           -       log more debugging info
        audit           -       like debug, but also logs unknown usernames
        use_first_pass  -       don't prompt the user for passwords;
                                take them from PAM_ items instead
        try_first_pass  -       try to get the password from a previous
                                PAM module, fall back to prompting the user
        use_authtok     -       like try_first_pass, but *fail* if the new
                                PAM_AUTHTOK has not been previously set.
                                (intended for stacking password modules only)
        not_set_pass    -       don't make passwords used by this module
                                available to other modules.
        nodelay         -       don't insert ~1 second delays on authentication
                                failure.
        nullok          -       null passwords are allowed.
        nonull          -       null passwords are not allowed. Used to
                                override the Samba configuration.
        migrate         -       only meaningful in an "auth" context;
                                used to update smbpasswd file with a
                                password used for successful authentication.
        smbconf=< file >  -     specify an alternate path to the smb.conf
                                file.

Thanks go to the following people:

	* Andrew Morgan < morgan@transmeta.com >, for providing the Linux-PAM
	framework, without which none of this would have happened

	* Christian Gafton < gafton@redhat.com > and Andrew Morgan again, for the
	pam_pwdb module upon which pam_smbpass was originally based

	* Luke Leighton < lkcl@switchboard.net > for being receptive to the idea,
	and for the occasional good-natured complaint about the project's status
	that keep me working on it :)

	* and of course, all the other members of the Samba team
	<http://www.samba.org/samba/team.html>, for creating a great product
	and for giving this project a purpose

	---------------------
	Stephen Langasek < vorlon@netexpress.net >

The following are examples of the use of pam_smbpass.so in the format of Linux /etc/pam.d/ files structure. Those wishing to implement this tool on other platforms will need to adapt this appropriately.

	#%PAM-1.0
	# password-sync
	#
	auth       requisite        pam_nologin.so
	auth       required         pam_unix.so
	account    required         pam_unix.so
	password   requisite        pam_cracklib.so retry=3
	password   requisite        pam_unix.so shadow md5 use_authtok try_first_pass
	password   required         pam_smbpass.so nullok use_authtok try_first_pass
	session    required         pam_unix.so

	#%PAM-1.0
	# password-migration
	#
	auth       requisite        pam_nologin.so
	# pam_smbpass is called IFF pam_unix succeeds.
	auth       requisite        pam_unix.so
	auth       optional         pam_smbpass.so migrate
	account    required         pam_unix.so
	password   requisite        pam_cracklib.so retry=3
	password   requisite        pam_unix.so shadow md5 use_authtok try_first_pass
	password   optional         pam_smbpass.so nullok use_authtok try_first_pass
	session    required         pam_unix.so

	#%PAM-1.0
	# password-mature
	#
	auth       requisite        pam_nologin.so
	auth       required         pam_unix.so
	account    required         pam_unix.so
	password   requisite        pam_cracklib.so retry=3
	password   requisite        pam_unix.so shadow md5 use_authtok try_first_pass
	password   required         pam_smbpass.so use_authtok use_first_pass
	session    required         pam_unix.so

	#%PAM-1.0
	# kdc-pdc
	#
	auth       requisite        pam_nologin.so
	auth       requisite        pam_krb5.so
	auth       optional         pam_smbpass.so migrate
	account    required         pam_krb5.so
	password   requisite        pam_cracklib.so retry=3
	password   optional         pam_smbpass.so nullok use_authtok try_first_pass
	password   required         pam_krb5.so use_authtok try_first_pass
	session    required         pam_krb5.so

A simple module to audit file access to the syslog facility. The following operations are logged:

This module is identical with the audit module above except that it sends audit logs to both syslog as well as the smbd log file/s. The loglevel for this module is set in the smb.conf file.

The logging information that will be written to the smbd log file is controlled by the log level parameter in smb.conf. The following information will be recorded:

A recycle-bin like module. When used any unlink call will be intercepted and files moved to the recycle directory instead of being deleted.

Supported options:

A netatalk module, that will ease co-existence of samba and netatalk file sharing services.

Advantages compared to the old netatalk module:

URL: http://www.css.tayloru.edu/~elorimer/databasefs/index.php

By Eric Lorimer.

I have created a VFS module which implements a fairly complete read-only filesystem. It presents information from a database as a filesystem in a modular and generic way to allow different databases to be used (originally designed for organizing MP3s under directories such as "Artists," "Song Keywords," etc... I have since applied it to a student roster database very easily). The directory structure is stored in the database itself and the module makes no assumptions about the database structure beyond the table it requires to run.

Any feedback would be appreciated: comments, suggestions, patches, etc... If nothing else, hopefully it might prove useful for someone else who wishes to create a virtual filesystem.

URL: http://www.openantivirus.org/

samba-vscan is a proof-of-concept module for Samba, which uses the VFS (virtual file system) features of Samba 2.2.x/3.0 alphaX. Of couse, Samba has to be compiled with VFS support. samba-vscan supports various virus scanners and is maintained by Rainer Link.

Contains a static list of IP Addresses and names. eg:

	127.0.0.1	localhost localhost.localdomain
	192.168.1.1	bigbox.caldera.com	bigbox	alias4box

The purpose of /etc/hosts is to provide a name resolution mechanism so that uses do not need to remember IP addresses.

Network packets that are sent over the physical network transport layer communicate not via IP addresses but rather using the Media Access Control address, or MAC address. IP Addresses are currently 32 bits in length and are typically presented as four (4) decimal numbers that are separated by a dot (or period). eg: 168.192.1.1

MAC Addresses use 48 bits (or 6 bytes) and are typically represented as two digit hexadecimal numbers separated by colons. eg: 40:8e:0a:12:34:56

Every network interfrace must have an MAC address. Associated with a MAC address there may be one or more IP addresses. There is NO relationship between an IP address and a MAC address, all such assignments are arbitary or discretionary in nature. At the most basic level all network communications takes place using MAC addressing. Since MAC addresses must be globally unique, and generally remains fixed for any particular interface, the assignment of an IP address makes sense from a network management perspective. More than one IP address can be assigned per MAC address. One address must be the primary IP address, this is the address that will be returned in the ARP reply.

When a user or a process wants to communicate with another machine the protocol implementation ensures that the "machine name" or "host name" is resolved to an IP address in a manner that is controlled by the TCP/IP configuration control files. The file /etc/hosts is one such file.

When the IP address of the destination interface has been determined a protocol called ARP/RARP is used to identify the MAC address of the target interface. ARP stands for Address Resolution Protocol, and is a broadcast oriented method that uses UDP (User Datagram Protocol) to send a request to all interfaces on the local network segment using the all 1's MAC address. Network interfaces are programmed to respond to two MAC addresses only; their own unique address and the address ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will contain the MAC address and the primary IP address for each interface.

The /etc/hosts file is foundational to all Unix/Linux TCP/IP installations and as a minumum will contain the localhost and local network interface IP addresses and the primary names by which they are known within the local machine. This file helps to prime the pump so that a basic level of name resolution can exist before any other method of name resolution becomes available.

This file tells the name resolution libraries:

/etc/host.conf is the primary means by which the setting in /etc/resolv.conf may be affected. It is a critical configuration file. This file controls the order by which name resolution may procede. The typical structure is:

	order hosts,bind
	multi on

then both addresses should be returned. Please refer to the man page for host.conf for further details.

This file controls the actual name resolution targets. The file typically has resolver object specifications as follows:

	# /etc/nsswitch.conf
	#
	# Name Service Switch configuration file.
	#

	passwd:		compat
	# Alternative entries for password authentication are:
	# passwd:	compat files nis ldap winbind
	shadow:		compat
	group:		compat

	hosts:		files nis dns
	# Alternative entries for host name resolution are:
	# hosts:	files dns nis nis+ hesoid db compat ldap wins
	networks:	nis files dns

	ethers:		nis files
	protocols:	nis files
	rpc:		nis files
	services:	nis files

Of course, each of these mechanisms requires that the appropriate facilities and/or services are correctly configured.

It should be noted that unless a network request/message must be sent, TCP/IP networks are silent. All TCP/IP communications assumes a principal of speaking only when necessary.

Starting with version 2.2.0 samba has Linux support for extensions to the name service switch infrastructure so that linux clients will be able to obtain resolution of MS Windows NetBIOS names to IP Addresses. To gain this functionality Samba needs to be compiled with appropriate arguments to the make command (ie: make nsswitch/libnss_wins.so). The resulting library should then be installed in the /lib directory and the "wins" parameter needs to be added to the "hosts:" line in the /etc/nsswitch.conf file. At this point it will be possible to ping any MS Windows machine by it's NetBIOS machine name, so long as that machine is within the workgroup to which both the samba machine and the MS Windows machine belong.

All MS Windows machines employ an in memory buffer in which is stored the NetBIOS names and IP addresses for all external machines that that machine has communicated with over the past 10-15 minutes. It is more efficient to obtain an IP address for a machine from the local cache than it is to go through all the configured name resolution mechanisms.

If a machine whose name is in the local name cache has been shut down before the name had been expired and flushed from the cache, then an attempt to exchange a message with that machine will be subject to time-out delays. i.e.: Its name is in the cache, so a name resolution lookup will succeed, but the machine can not respond. This can be frustrating for users - but it is a characteristic of the protocol.

The MS Windows utility that allows examination of the NetBIOS name cache is called "nbtstat". The Samba equivalent of this is called "nmblookup".

This file is usually located in MS Windows NT 4.0 or 2000 in C:\WINNT\SYSTEM32\DRIVERS\ETC and contains the IP Address and the machine name in matched pairs. The LMHOSTS file performs NetBIOS name to IP address mapping.

It typically looks like:

	# Copyright (c) 1998 Microsoft Corp.
	#
	# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
	# over TCP/IP) stack for Windows98
	#
	# This file contains the mappings of IP addresses to NT computernames
	# (NetBIOS) names.  Each entry should be kept on an individual line.
	# The IP address should be placed in the first column followed by the
	# corresponding computername. The address and the comptername
	# should be separated by at least one space or tab. The "#" character
	# is generally used to denote the start of a comment (see the exceptions
	# below).
	#
	# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
	# files and offers the following extensions:
	#
	#      #PRE
	#      #DOM:<domain>
	#      #INCLUDE <filename>
	#      #BEGIN_ALTERNATE
	#      #END_ALTERNATE
	#      \0xnn (non-printing character support)
	#
	# Following any entry in the file with the characters "#PRE" will cause
	# the entry to be preloaded into the name cache. By default, entries are
	# not preloaded, but are parsed only after dynamic name resolution fails.
	#
	# Following an entry with the "#DOM:<domain>" tag will associate the
	# entry with the domain specified by <domain>. This affects how the
	# browser and logon services behave in TCP/IP environments. To preload
	# the host name associated with #DOM entry, it is necessary to also add a
	# #PRE to the line. The <domain> is always preloaded although it will not
	# be shown when the name cache is viewed.
	#
	# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
	# software to seek the specified <filename> and parse it as if it were
	# local. <filename> is generally a UNC-based name, allowing a
	# centralized lmhosts file to be maintained on a server.
	# It is ALWAYS necessary to provide a mapping for the IP address of the
	# server prior to the #INCLUDE. This mapping must use the #PRE directive.
	# In addtion the share "public" in the example below must be in the
	# LanManServer list of "NullSessionShares" in order for client machines to
	# be able to read the lmhosts file successfully. This key is under
	# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
	# in the registry. Simply add "public" to the list found there.
	#
	# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
	# statements to be grouped together. Any single successful include
	# will cause the group to succeed.
	#
	# Finally, non-printing characters can be embedded in mappings by
	# first surrounding the NetBIOS name in quotations, then using the
	# \0xnn notation to specify a hex value for a non-printing character.
	#
	# The following example illustrates all of these extensions:
	#
	# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
	# 102.54.94.102    "appname  \0x14"                    #special app server
	# 102.54.94.123    popular            #PRE             #source server
	# 102.54.94.117    localsrv           #PRE             #needed for the include
	#
	# #BEGIN_ALTERNATE
	# #INCLUDE \\localsrv\public\lmhosts
	# #INCLUDE \\rhino\public\lmhosts
	# #END_ALTERNATE
	#
	# In the above example, the "appname" server contains a special
	# character in its name, the "popular" and "localsrv" server names are
	# preloaded, and the "rhino" server name is specified so it can be used
	# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
	# system is unavailable.
	#
	# Note that the whole file is parsed including comments on each lookup,
	# so keeping the number of comments to a minimum will improve performance.
	# Therefore it is not advisable to simply add lmhosts file entries onto the
	# end of this file.

This file is usually located in MS Windows NT 4.0 or 2000 in C:\WINNT\SYSTEM32\DRIVERS\ETC and contains the IP Address and the IP hostname in matched pairs. It can be used by the name resolution infrastructure in MS Windows, depending on how the TCP/IP environment is configured. This file is in every way the equivalent of the Unix/Linux /etc/hosts file.

This capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence is followed the precise nature of which is dependant on what the NetBIOS Node Type parameter is configured to. A Node Type of 0 means use NetBIOS broadcast (over UDP broadcast) is first used if the name that is the subject of a name lookup is not found in the NetBIOS name cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast lookup is used.

A WINS (Windows Internet Name Server) service is the equivaent of the rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores the names and IP addresses that are registered by a Windows client if the TCP/IP setup has been given at least one WINS Server IP Address.

To configure Samba to be a WINS server the following parameter needs to be added to the smb.conf file:

	wins support = Yes

To configure Samba to use a WINS server the following parameters are needed in the smb.conf file:

	wins support = No
	wins server = xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of the WINS server.